[Solved] Backup with "read only" right from source ?

Discuss new features and functions
Posts: 3
Joined: 9 Jul 2020

L.D.38

Greetings

I'm new on this board so i don't know if its the good place for my question but here my story
I have a home server for test that run on Windows server 2019 as hyper-v and some virtual server include
- DCsrv (Domain controller)
- FILEsrv (File server)

on my FILEsrv i have 2 local hard-drive for data-storage (the vhd is physically stored in 2 independent raid array)

on first hard drive I have a folder "Data" with this right
Read only : Backup-bot
Read/Write : User(my personal account)
Full Control : nobody (but admins can be added from DC server if i need to change right, trough security group)

on second hard-drive i have another folder "BKP-Data"
Read only : User(me)
Read/Write : Backup-bot
Full Control : nobody (but admins can be added from DC server if i need to change right, trough security group)

note : all right is granted by security group

I want to use freefilesync to make a planned task that copy the change from "Data" to "BKP-Data"
so here the steep i done

- I make an special account on my domain named "Backup-bot"
- I given right to backup-bot as above on each folder
- I given right to backup-bot to login "as planed task" on FILEsrv trough local group policy (gpedit)
- I make a batch file with my settings "copy as mirror"
- I make a planned task who launch by my "bot" account and repeat "every day" as i want

but now my issue : the task start correctly (I can see the start on windows log, and the process in task manager) but its stay stuck and nothing is done (just a lock file on the target-folder) i'm forced to stop manually the process and the FFS log say "ended by user" and no detail (blank)

I do an other try : i given to my bot account a write access on the first drive (source) and retry the task, now its work properly

My goal is :
if I delete by mistake a file, I can recover it just by mapping a network drive to my BKP-folder where I have just a read access.

If a ransomware appear on data folder, the bot account will be disabled (and password changed)
before a backup is done. So if the bot try to backup the locked files he cannot do because account is down and will make a error

So I don't want account who has read/write right from both of hard drive (source and target). My question now is : can we complete this scenario with read only right from the source ? if yes, how do ?

thanks in advance for your answer. :)
User avatar
Posts: 2451
Joined: 22 Aug 2012

Plerry

When not having write access to the "Data" folder, FFS can not write a lock-file (*.ffs_lock) there.
Because you run a mirror sync from "Data" to "BKP-Data" there is no (other) need to give the user "Backup-bot" write access to "Data".
You can set the LockDirectoriesDuringSync flag to False, which prevents the creation of *.ffs_lock files, and avoids the need of the "Backup-bot" account to have write access to "Data".
See here, and check if you meet the conditions to safely do so.

Note:
Even more important than giving the "Backup-bot" account just read access to "Data", is to use Versioning and make sure that "Backup-bot" is the only account having write access to "BKP-Data" and the versioning location.
Posts: 3
Joined: 9 Jul 2020

L.D.38

Hello and thanks for your reply :

I tried to modify the xml file
LockDirectoriesDuringSync Enabled="false"
I have to put it in the backup-bot profile (C:\Users\backup-bot\Appdata\roaming\FreeFileSync\globalsettings.xml) to take effect

The other issue I noticed : don't forget to change this value on the ffs_batch file with notepad
ProgressDialog Minimized="true" AutoClose="true"

Else after the task is done, an invisible windows on "bot" session for summary is displayed and wait to click on "close" so the task is not ended properly. with this value at true all work fine.


now the task work but do an error on the log (and a exit code 0x2 on planed task)
Unable to write file "E:\Data\sync.ffs_db.e1cb.ffs_tmp".
ERROR_ACCESS_DENIED: Access Denied. [CreateFile]

the E:\ is my "source folder"

I not set the versioning yet, but of course only my "bot" have a write access on the target folder

my user account have only a read access to see the backup and eventually copy from backup to regular data folder as "recovery"


thanks again for your help :)
User avatar
Posts: 2451
Joined: 22 Aug 2012

Plerry

The other issue I noticed : don't forget to change this value on the ffs_batch file with notepad
ProgressDialog Minimized="true" AutoClose="true"
This is also adviced in the manual section on batch jobs.
... now the task work but do an error on the log (and a exit code 0x2 on planed task)
Unable to write file "E:\Data\sync.ffs_db.e1cb.ffs_tmp".
ERROR_ACCESS_DENIED: Access Denied. [CreateFile]
the E:\ is my "source folder"
It seems that, although you run a mirror-sync, you have checkmarked "Detect Moved files". For detection of moved files FFS creates (*.ffs_db) database files at both sides involved in the sync, and hence would require write access also on E:\Data.
Therefore you have to make a choice:
If you must or want to use "Detect Moved files", you must still provide your bot-user write access to E:\Data.
If that is not acceptable, you should uncheck "Detect Moved files" to prevent the error.
In the latter case you will obviously not be able to use the "Detect Moved files" feature.
As you do a mirror-sync, the sync outcome will be the same. However, your syncs may last a bit longer in case files or folders have been moved or renamed (within E:\Data).
Posts: 3
Joined: 9 Jul 2020

L.D.38

Hello,

Thanks again for your answer. Indeed I checkmarked the detection of moved file. I disabled it and now all works perfectly without error.

The time long of Sync is not a problem for me, normally I don't have to make heavy change every day on my data folder so the impact will be minor.

Thanks again.