Having multiple users whose directories contain files and subdirectories that are not readable by others is a problem when backing up data via ssh to or from a remote server: the remote backup user cannot read every file and directory on the local system, and the local root user cannot write to the sshfs mount or scp to the remote backup server, because I configure my servers to reject root login.
Therefore, it is necessary to use access control lists (ACLs) to give a remote backup user read-only access to everything on the SSH/NFS-mounted filesystems that need to be backed up.
To accomplish this, after creating a local backup user, grant that user read-only permission on the desired directory:
sudo setfacl -m u:backup:r-X -R /data
-R applies the entry recursively below /data. r-X grants user “backup” read permission on every file and directory, and execute (search) permission only on directories and on files that already have execute permission for some user, so regular data files are not made executable.
To check the ACL, use:
On the remote backup system, create a backup user who can ssh into the system to be backed up.
Use sshfs to mount /data/ on the remote system. The ACL lets the backup user read all files and directories.
One caveat is that the setfacl command has to be issued every time before backing up. If a user runs chmod 700 or chmod 600 on a file or directory, chmod rewrites the ACL mask of that object, so the backup user’s named entry is still listed but no longer grants anything, and the directory or file becomes unreadable by the backup user again. So it’s important to reapply the read permission for the backup user before every backup to make sure everything is readable.
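As an added example that is not part of the original post, the following script wraps the steps above into a pre-backup check: it re-applies the r-X ACL, then verifies from getfacl output that the backup user's effective rights still include read (catching the chmod-rewrote-the-mask case), and lists anything the backup user cannot read. It assumes the user name "backup" and the tree /data from the post; the function names, the constructed getfacl sample and the sudo-based readability check are this example's own.

```shell
#!/bin/sh
# Pre-backup ACL refresh and verification (added example, not the post's code).
# Assumes user "backup" and tree /data from the post; helper names are hypothetical.
set -u
BACKUP_USER="${BACKUP_USER:-backup}"
DATA_DIR="${DATA_DIR:-/data}"

# Re-apply the read-only ACL before every run: a user's chmod 700/600
# rewrites the ACL mask and silently locks the backup user out again.
refresh_backup_acl() {
    setfacl -R -m "u:$BACKUP_USER:r-X" "$1"
}

# Read getfacl output for one object on stdin and return 0 only if the
# backup user's *effective* rights include read. getfacl prints the named
# entry "user:backup:r-x" and, when present, "mask::..."; the effective
# rights are the intersection, which is what chmod breaks.
acl_grants_read() {
    awk -v u="$1" '
        index($0, "user:" u ":") == 1 { split($0, f, ":"); uperm = f[3]; have_user = 1 }
        index($0, "mask::") == 1      { split($0, f, ":"); mask = f[3];  have_mask = 1 }
        END {
            if (!have_user || substr(uperm, 1, 1) != "r") exit 1
            if (have_mask && substr(mask, 1, 1) != "r") exit 1
            exit 0
        }'
}

# Check one path on the live filesystem with getfacl.
verify_path_acl() {
    getfacl "$1" 2>/dev/null | acl_grants_read "$BACKUP_USER"
}

# Paths the backup user still cannot read (empty output means all readable).
# Uses GNU find's -readable, evaluated as the backup user via sudo.
list_unreadable() {
    sudo -u "$BACKUP_USER" find "$1" ! -readable -print 2>/dev/null
}

# Constructed getfacl output for a directory after its owner ran "chmod 700":
# the named entry survives but mask::--- makes its effective rights empty.
MASKED_SAMPLE='# file: data/private
user::rwx
user:backup:r-x  #effective:---
group::r-x  #effective:---
mask::---
other::---'

case "${1:-}" in
    refresh) refresh_backup_acl "$DATA_DIR" && verify_path_acl "$DATA_DIR" \
        && list_unreadable "$DATA_DIR" ;;
esac
```

Run it as `sh backup-acl-check.sh refresh` from a pre-backup hook; a non-zero exit or any listed path means the backup would miss data.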