Call through to cp -p for copying

Dockerfile

@@ -13,7 +13,7 @@ FROM alpine:3.14
 
 WORKDIR /root
 
-RUN apk add --update ca-certificates
+RUN apk add --update ca-certificates sudo
 
 COPY --from=builder /app/backup /usr/bin/backup
 

cmd/backup/main.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path"
 	"path/filepath"
 	"strings"
@@ -105,6 +106,8 @@ type config struct {
 	BackupPruningPrefix        string        `split_words:"true"`
 	BackupStopContainerLabel   string        `split_words:"true" default:"true"`
 	BackupFromSnapshot         bool          `split_words:"true"`
+	BackupUID                  int           `split_words:"true" default:"-1"`
+	BackupGID                  int           `split_words:"true" default:"-1"`
 	AwsS3BucketName            string        `split_words:"true"`
 	AwsEndpoint                string        `split_words:"true" default:"s3.amazonaws.com"`
 	AwsEndpointProto           string        `split_words:"true" default:"https"`
@@ -442,10 +445,14 @@ func (s *script) copyBackup() error {
 	}
 
 	if _, err := os.Stat(s.c.BackupArchive); !os.IsNotExist(err) {
+		if err := os.Chown(s.file, s.c.BackupUID, s.c.BackupGID); err != nil {
+			return fmt.Errorf("copyBackup: error changing owner on temp file: %w", err)
+		}
 		if err := copyFile(s.file, path.Join(s.c.BackupArchive, name)); err != nil {
 			return fmt.Errorf("copyBackup: error copying file to local archive: %w", err)
 		}
 		s.logger.Infof("Stored copy of backup `%s` in local archive `%s`.", s.file, s.c.BackupArchive)
+
 		if s.c.BackupLatestSymlink != "" {
 			symlink := path.Join(s.c.BackupArchive, s.c.BackupLatestSymlink)
 			if _, err := os.Lstat(symlink); err == nil {
@@ -681,23 +688,8 @@ func lock(lockfile string) func() error {
 
 // copy creates a copy of the file located at `dst` at `src`.
 func copyFile(src, dst string) error {
-	in, err := os.Open(src)
-	if err != nil {
-		return err
-	}
-	defer in.Close()
-
-	out, err := os.Create(dst)
-	if err != nil {
-		return err
-	}
-
-	_, err = io.Copy(out, in)
-	if err != nil {
-		out.Close()
-		return err
-	}
-	return out.Close()
+	cmd := exec.Command("cp", "-p", src, dst)
+	return cmd.Run()
 }
 
 // join takes a list of errors and joins them into a single error

test/compose/docker-compose.yml

@@ -30,6 +30,8 @@ services:
       BACKUP_PRUNING_LEEWAY: 5s
       BACKUP_PRUNING_PREFIX: test
       GPG_PASSPHRASE: 1234secret
+      BACKUP_UID: ${BACKUP_UID:-1000}
+      BACKUP_GID: ${BACKUP_GID:-1000}
     volumes:
       - ./local:/archive
       - app_data:/backup/app_data:ro

test/compose/run.sh

@@ -6,11 +6,11 @@ cd $(dirname $0)
 
 mkdir -p local
 
-docker-compose up -d
+BACKUP_UID=$(id -u) BACKUP_GID=$(id -g) docker-compose up -d
 sleep 5
 
-docker-compose exec offen ln -s /var/opt/offen/offen.db /var/opt/offen/db.link
-docker-compose exec backup backup
+BACKUP_UID=$(id -u) BACKUP_GID=$(id -g) docker-compose exec offen ln -s /var/opt/offen/offen.db /var/opt/offen/db.link
+BACKUP_UID=$(id -u) BACKUP_GID=$(id -g) docker-compose exec backup backup
 
 docker run --rm -it \
   -v compose_backup_data:/data alpine \
@@ -19,6 +19,13 @@ docker run --rm -it \
 echo "[TEST:PASS] Found relevant files in untared remote backup."
 
 test -L ./local/test.latest.tar.gz.gpg
+
+owner=$(stat -c '%U:%G' ./local/test.tar.gz.gpg)
+if [ "$owner" != "$(id -un):$(id -gn)" ]; then
+  echo "[TEST:FAIL] Expected backup file to have correct owners, expected "$(id -un):$(id -gn)", got $owner"
+  exit 1
+fi
+
 echo 1234secret | gpg -d --yes --passphrase-fd 0 ./local/test.tar.gz.gpg > ./local/decrypted.tar.gz
 tar -xf ./local/decrypted.tar.gz -C /tmp && test -f /tmp/backup/app_data/offen.db
 rm ./local/decrypted.tar.gz