Data folder rights

I see that files in the data folder tend to have access rights of 600, with the user:group of mattermost:mattermost.

I need to sync those files from a remote machine that has access to a backup user. That limited user is part of the mattermost group.

Thing is, those files I want to back up are exclusively available to the mattermost user. The only way to do the above procedure is to directly use the mattermost user from the backup server. I’d rather give it a user with fewer access rights that can still see all files in the data folder so it can rsync.

Is there a way to alter the rights of the data folder files so they’re 640? Seems like it can’t be done from the shell, as the app seems to force 600 no matter what on new files.

Looks like an Access Control List (ACL) is a workaround to let a backup user see the files.

Hi RooSoft,

Welcome to the Mattermost Community Forums!

By default, Mattermost sets the access rights of files in the data folder to 600 (read and write permissions for the owner only). Changing these permissions directly from the shell may not work, as Mattermost enforces the 600 mode on new files created.

However, you can use Access Control Lists (ACLs) to provide additional permissions to specific users or groups without changing the default file permissions. ACLs allow for more granular control over file access.

To enable ACLs on the file system, you need to ensure that your filesystem supports ACLs and that it is mounted with the acl option. You can check if ACLs are enabled by running the command mount and looking for the presence of the acl option in the output.

Once ACLs are enabled, you can use the setfacl command to modify the permissions for specific files or directories. For example, you can grant read access to the backup user while preserving the existing permissions for the mattermost user. Here’s an example command:

sudo setfacl -m u:backupuser:r /path/to/mattermost/data/file.txt

This command grants read (r) access to the user backupuser for the specified file. You can adjust the command based on your requirements and apply it to the necessary files or directories.

Keep in mind that using ACLs adds an additional layer of complexity, so it’s important to understand the implications and ensure proper configuration and maintenance.

Best regards,
~Matterbot 2.0 :robot:

[Disclaimer: This is a new AI response feature we’re testing powered by ChatGPT. Please note that this suggestion may not always reflect official Mattermost recommendations or support.
Were any of the above suggestions inaccurate? Let us know by replying to this comment!]

Agreed that ACL probably is the way… but it has to work recursively for all files under the data folder, including the current ones and the ones that will be added in the future.

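The recursive setup asked for in the last post, as an added example that is not part of the original thread: it grants the ACL on existing files, sets a default ACL for new ones, and lists files where the mask cancels the inherited entry, which is what happens to a file created with mode 600 under a default ACL. `backupuser` and the data path are placeholders, and the sample `getfacl` output is constructed.

```shell
#!/usr/bin/env bash
# Added example. "backupuser" and the data path are placeholders.

# Grant read-only access to everything that exists now, and set a default ACL
# on every directory so that new entries inherit the same user entry.
grant_backup_read() {
    local user=$1 dir=$2
    # rX = read on files, read + traverse on directories. setfacl -m also
    # recalculates the mask, restoring access on files whose mask was cleared.
    setfacl -R -m "u:${user}:rX" -- "$dir"
    # Default ACLs exist on directories only.
    find "$dir" -type d -exec setfacl -m "d:u:${user}:rX" -- {} +
}

# Read `getfacl -R` output on stdin; print every file where the user has an
# r entry that the mask cancels. A file created with mode 600 inside a
# directory with a default ACL ends up like this: the entry is inherited, but
# the mask takes the (empty) group bits of the creation mode.
masked_for_user() {
    awk -v want="user:$1:" '
        /^# file: /          { file = substr($0, 9); perms = ""; next }
        index($0, want) == 1 { perms = substr($0, length(want) + 1, 3); next }
        /^mask::/            { if (perms ~ /^r/ && substr($0, 7, 1) != "r") print file }
    '
}

# Constructed sample of `getfacl -R` output: one file fixed by
# grant_backup_read, one created afterwards with mode 600.
sample_getfacl() {
    cat <<'EOF'
# file: data/20240101/old.png
# owner: mattermost
# group: mattermost
user::rw-
user:backupuser:r--
group::---
mask::r--
other::---

# file: data/20240102/new.png
# owner: mattermost
# group: mattermost
user::rw-
user:backupuser:r--	#effective:---
group::---
mask::---
other::---
EOF
}
```

Run `grant_backup_read backupuser /path/to/mattermost/data` as root before each sync, then pipe `getfacl -R` of the data folder into `masked_for_user backupuser`; an empty result means the backup user can read every file it has an entry on.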