Hi Tom, Bit confused as mariabackup isn't a service, but I suppose you could run it as such on a timer. Mariadb itself writes to log files, so maybe the file defined in `log_error` as well if you're applying these concept to the server. (And aria_log_dir_path if you're using Aria) But mariabackup - I think it should only write to --target-dir, but I encourage you to test to be certain that works for you. Simon -----Original Message----- From: Tom Worster via discuss <discuss@lists.mariadb.org> Sent: Tuesday, July 4, 2023 2:47 PM To: discuss@lists.mariadb.org Subject: [MariaDB discuss] Sandboxing mariabackup I prefer to sandbox systemd services with ProtectSystem=strict. Especially so when User=root. So when ProtectSystem=strict, which dirs need to be ReadWritePaths to run `mariabackup --backup` and `mariabackup --prepare`? So far I got the --target-dir and the --tmpdir. Is that sufficient? tia Tom _______________________________________________ discuss mailing list -- discuss@lists.mariadb.org To unsubscribe send an email to discuss-leave@lists.mariadb.org