I've written a Windows service that runs within the security context of a gMSA that is a member of the `BUILTIN\Backup Operators` group. The service enables `SeBackupPrivilege` and then executes Rclone according to predefined parameters (contained within the service's config), which then backs up whatever data is specified. Since the service does not run as a privileged user (e.g., local admin or otherwise), it can read files it hasn't explicitly been granted access to only if the following conditions have been met:
- The user running the service must be granted the token privilege `SeBackupPrivilege`, which can be accomplished by adding the user to the `BUILTIN\Backup Operators` group.
- The token privilege `SeBackupPrivilege` must also be enabled within the security context that calls `rclone.exe`.
- `rclone.exe` must include the `FILE_FLAG_BACKUP_SEMANTICS` syscall when it opens files for reading. (Simply having and enabling the token privilege is not sufficient.)
The aforementioned service handles the first two items in the list, but for the third, the following change must be made to rclone:
Confession: I have only the most surface-level knowledge of Go. Learning it has been on my todo list for a while, so this is a perfect opportunity I suppose, but I digress ... I would like to discuss potentially implementing this syscall in Rclone. While the change above works perfectly for my use case, I'm almost certain it's wrong for just about any other scenario.
Rclone also doesn't handle enabling any token privileges, but as a data backup tool, it might be worthwhile to explore the pros/cons of adding a feature that:
- Checks for / enables the `SeBackupPrivilege` and `SeRestorePrivilege` token privileges.
- Includes the `FILE_FLAG_BACKUP_SEMANTICS` syscall when opening files for reading.
- Falls back to its present functionality if any of the above fail.
As previously stated, these features are extremely valuable to me, and I would be more than happy to work on contributing them to the main Rclone project if others found them valuable as well.
If Rclone had these features, then it would be able to leverage the `BUILTIN\Backup Operators` group to securely execute backups -- i.e., your "backup user" would not have to be a member of the local admins group and/or have other admin rights to the machine where it is responsible for running backups.
What are your thoughts on this?
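The three-step procedure the post describes (enable `SeBackupPrivilege` in the calling token, open with `FILE_FLAG_BACKUP_SEMANTICS`, fall back to a normal open if either step fails) can be tried end to end from PowerShell without touching rclone. The script below is an added example, not rclone code and not the poster's service; it P/Invokes the same Win32 calls (`OpenProcessToken`, `LookupPrivilegeValue`, `AdjustTokenPrivileges`, `CreateFile`) that a Go implementation would make through `golang.org/x/sys/windows`. The file path at the bottom is a placeholder you must replace with a file the test account is otherwise denied on.

```powershell
# Added example (not rclone code): enable SeBackupPrivilege in this process
# token, open a file with FILE_FLAG_BACKUP_SEMANTICS, fall back to a normal
# ACL-checked open if either step fails.
$Win32 = @'
using System;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class BackupOpen
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    const uint SE_PRIVILEGE_ENABLED       = 0x00000002;
    const uint TOKEN_ADJUST_PRIVILEGES    = 0x00000020;
    const uint TOKEN_QUERY                = 0x00000008;
    const uint GENERIC_READ               = 0x80000000;
    const uint FILE_SHARE_READ            = 0x00000001;
    const uint OPEN_EXISTING              = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;
    const int  ERROR_NOT_ALL_ASSIGNED     = 1300;

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string path, uint access, uint share,
        IntPtr securityAttributes, uint disposition, uint flagsAndAttributes, IntPtr template);

    // Step 1: enable a privilege the token already holds. AdjustTokenPrivileges
    // returns TRUE even when the token lacks the privilege, so the real check is
    // the last-error value ERROR_NOT_ALL_ASSIGNED.
    public static bool EnablePrivilege(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            return false;
        try
        {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }

    // Step 2: open for reading with backup semantics. With SeBackupPrivilege
    // enabled this bypasses a DACL that denies the caller; without the flag the
    // privilege is ignored and the DACL applies as usual.
    public static FileStream OpenForBackup(string path)
    {
        SafeFileHandle h = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero,
            OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        if (h.IsInvalid)
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        return new FileStream(h, FileAccess.Read);
    }
}
'@
Add-Type -TypeDefinition $Win32

function Open-BackupFile {
    param([Parameter(Mandatory)][string]$Path)
    if ([BackupOpen]::EnablePrivilege('SeBackupPrivilege')) {
        try { return [BackupOpen]::OpenForBackup($Path) }
        catch { Write-Verbose "Backup-semantics open failed: $($_.Exception.Message)" }
    } else {
        Write-Verbose 'Token does not hold SeBackupPrivilege; using a normal open.'
    }
    # Step 3: fall back to the ordinary ACL-checked open (rclone's current behaviour).
    return [System.IO.File]::OpenRead($Path)
}

# Hypothetical path: replace with a file the test account is denied on.
$fs = Open-BackupFile -Path 'C:\Data\restricted.txt' -Verbose
try { "opened, $($fs.Length) bytes readable" } finally { $fs.Dispose() }
```

Run it as the backup account (for a gMSA, from a scheduled task or service running as that account); `whoami /priv` in that context should list `SeBackupPrivilege` as Disabled before the script runs, which is the state Backup Operators membership grants. If the account is not a Backup Operator, `EnablePrivilege` returns false and the script takes the fallback path, which is the behaviour the third bullet asks for. Worth keeping in mind when weighing the feature: once the privilege is enabled and the flag is used, the DACL no longer restricts reads at all, so any process running as that account can read every file on the host. That is what makes it an acceptable replacement for local admin rather than a free upgrade.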