diff --git a/borg/archiver.py b/borg/archiver.py index ce7655fc5..ab465e4f6 100644 --- a/borg/archiver.py +++ b/borg/archiver.py @@ -1011,7 +1011,9 @@ class Archiver: help='start repository server process') subparser.set_defaults(func=self.do_serve) subparser.add_argument('--restrict-to-path', dest='restrict_to_paths', action='append', - metavar='PATH', help='restrict repository access to PATH') + metavar='PATH', help='restrict repository access to PATH. ' + 'Can be specified multiple times to allow the client access to several directories. ' + 'Access to all sub-directories is granted implicitly; PATH doesn\'t need to directly point to a repository.') subparser.add_argument('--append-only', dest='append_only', action='store_true', help='only allow appending to repository segment files') init_epilog = textwrap.dedent(""" diff --git a/docs/deployment.rst b/docs/deployment.rst index 3c76500fe..c73c6ddb2 100644 --- a/docs/deployment.rst +++ b/docs/deployment.rst @@ -54,6 +54,12 @@ Restrictions Borg is instructed to restrict clients into their own paths: ``borg serve --restrict-to-path /home/backup/repos/`` +The client will be able to access any file or subdirectory inside of ``/home/backup/repos/`` +but no other directories. You can allow a client to access several separate directories by passing multiple +`--restrict-to-path` flags, for instance: ``borg serve --restrict-to-path /home/backup/repos/ --restrict-to-path /home/backup/repos/``, +which could make sense if multiple machines belong to one person which should then have access to all the +backups of their machines. + There is only one ssh key per client allowed. Keys are added for ``johndoe.clnt.local``, ``web01.srv.local`` and ``app01.srv.local``. But they will access the backup under only one UNIX user account as: ``backup@backup01.srv.local``. Every key in ``$HOME/.ssh/authorized_keys`` has a