As the Restic docs suggest, in the systemd services registered for resticprofile, there should be (at least as an option) the following values set:
# /etc/systemd/system/resticprofile-backup@profile-example.service
[Service]
# ... other directives
DynamicUser=yes
AmbientCapabilities=CAP_DAC_READ_SEARCH
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
This allows read-only access to all files but runs as a non-root user (dynamic user with that permission only).
Note that this does not require setting up a particular restic user as the resticprofile docs describe.
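A check on the running service, as an added example that is not part of the original issue or of resticprofile: it parses the text of `/proc/<pid>/status` and reports anything beyond a non-root UID holding only CAP_DAC_READ_SEARCH. The sample status blocks are constructed, and `audit` and the other function names are hypothetical.

```python
# Added example: audit /proc/<pid>/status text against the unit's intent
# (non-root UID, CAP_DAC_READ_SEARCH and nothing else in any capability set).

# Bit numbers from linux/capability.h (subset used for readable findings).
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
             3: "CAP_FOWNER", 7: "CAP_SETUID", 21: "CAP_SYS_ADMIN"}
ALLOWED = {2}  # CAP_DAC_READ_SEARCH
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def cap_bits(hex_mask):
    """Decode a hexadecimal capability mask into a set of bit numbers."""
    mask = int(hex_mask, 16)
    return {bit for bit in range(64) if (mask >> bit) & 1}

def audit(status_text):
    """Return a list of findings; an empty list means the process matches."""
    fields = parse_status(status_text)
    findings = []
    # Uid line holds real, effective, saved and filesystem UIDs.
    if 0 in [int(uid) for uid in fields["Uid"].split()]:
        findings.append("process has a root UID")
    for field in CAP_FIELDS:
        extra = sorted(cap_bits(fields[field]) - ALLOWED)
        if extra:
            names = ", ".join(CAP_NAMES.get(b, f"bit {b}") for b in extra)
            findings.append(f"{field} grants more than intended: {names}")
    if not ALLOWED <= cap_bits(fields["CapEff"]):
        findings.append("CapEff lacks CAP_DAC_READ_SEARCH")
    return findings

# Constructed samples: a service started with the directives above, and one
# that was also given CAP_DAC_OVERRIDE (which would bypass write checks too).
HARDENED = "Uid:\t61234\t61234\t61234\t61234\n" + "".join(
    f"{f}:\t0000000000000004\n" for f in CAP_FIELDS)
OVERRIDE = HARDENED.replace("0000000000000004", "0000000000000006")

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("override", OVERRIDE)):
        print(label, audit(sample) or "ok")
```

On a live host, the PID to inspect comes from `systemctl show -p MainPID --value <unit>` while the backup is running.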