Syncoid permissions on remote

pgesting · March 7, 2026, 2:09pm

I am sure that I am doing something simple wrong.

I set up a new backup server and moved two HDDs which were in a zfs mirror on another computer to the new one. Then i imported them and upgraded the pool (since the version of ubuntu is different). Everything looks fine. So far no errors on the scrub.

I am trying to use syncoid to send the latest snapshots from my main server to the backup but am getting a permissions error:

Here is the command I am using on my production server:

/usr/sbin/syncoid --no-sync-snap --no-privilege-elevation --create-bookmark -r rpool user@192.168.1.20:backup/encrypt/rpool

Here is the error:

Sending incremental rpool/data/encrypt_lxc/vm-112-disk-0@autosnap_2025-10-07_10:30:00_monthly ... autosnap_2026-03-07_13:00:04_hourly (~ 55.0 GB):
cannot receive incremental stream: permission denied
mbuffer: error: outputThread: error writing to <stdout> at offset 0x250000: Broken pipe
mbuffer: warning: error during output to <stdout>: Broken pipe

I followed the steps from here. That is supposed to be done on the remote host, right?

What am I doing wrong?

Alfra · March 7, 2026, 4:07pm

You’re trying to do a (push) backup from your source machine, to your target backup server. Further, you are pushing it to a common user on the target end with no elevated privileges. This can be problematic on the remote end if that user does not have adequate permissions to run syncoid and write data, where parts of that data on source is owned by root, and must be owned by root on the remote end as well. It would be like you trying to touch a file into a root owned directory without using sudo.

I like to set up a separate single purpose user on the remote end that only has permission to run commands for just this purpose, and nothing else. I normally do mine in reverse, as a (pull) in from source to target - but from a permission standpoint, it’s the same principal.

Now, if you were sending a pool called, for example ‘photospool’ - your command would probably work because it’s doubtful that there are any locations recursively in a pool containing only photos that will need to have any root ownership.

It’s possible to push directly into the remote server as root but your remote host would need to permit root access. Usually not recommended unless you are doing it for just a one-off purpose.

Edit: Worth mentioning that if you cannot SSH into the remote host user to begin with, then that’s the beginning of your problem. Test your access with SSH first. The permission stuff mentioned above is next level once SSH is working.

pgesting · March 7, 2026, 7:43pm

Thanks for the reply.

The error is from zfs receive, so it is after the ssh connection. I am not connecting to the backup as root, as you can see in the syncoid command.

I am pushing with no elevated privileges on purpose, because all it should need to do is run the zfs rcv command. As an aside, syncoid does not run on the backup machine. The syncoid script on production calls zfs send and receive. the no-elevated-permissions option is meant for just this scenario.

pgesting · March 7, 2026, 8:16pm

Okay, figured it out. I was missing one of the commands from here

Alfra · March 7, 2026, 8:46pm

Great glad you got it! Was it the zfs allow command on the remote end?

pgesting · March 8, 2026, 4:05pm

Yeah, either I skipped one line or I missed something when copying and pasting.