On Thu, Mar 29, 2018 at 09:17:38PM +0200, Adam Borowski wrote:
> On Thu, Mar 29, 2018 at 09:00:59AM -1000, Joel Roth wrote:
> > I've been backing up my system with rsync years without
> > the --xattrs option. I'm curious if important parts of
> > Debian/Devuan rely on extended attributes.
>
> Type: 「getcap -r /bin /sbin /usr /lib」. If anything pops up, you'd lose the
> functionality of that program after a restore. Note that these caps are set
> in postinst conditionally, requiring capability support in the kernel and
> filesystem, plus userspace tool (libcap2-bin). This is installed by
> default, but if you started with a minimal install, you won't have it. In
> such cases, the fallback is to set the relevant programs setuid root, which
> is far less secure.

Thanks. This is very interesting! Fortunately, it looks like
not a whole lot (in my current system) relies on xattrs.
Seems like the usage is, as you say, a safer alternative to setuid.

$ getcap -r /bin /sbin /usr /lib
/bin/ping6 = cap_net_raw+ep
/bin/ping = cap_net_raw+ep
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/usr/bin/fping6 = cap_net_raw+ep
/usr/bin/i3status = cap_net_admin+ep
/usr/bin/fping = cap_net_raw+ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep

> The other good use I know of is selinux, which I have never played with.
>
> Then there's Chromium and wget's tracking.
>
> There are also ACLs but I haven't used those either.
>
>
> Thus: capabilities, selinux labels, ACLs, user namespace; that's all I'm
> aware of.
> Meow!

-- 
Joel Roth
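
Added example, not part of the original messages: shell functions that save the `getcap -r` output discussed above as a manifest before a backup, report which entries a restore made without `--xattrs` has lost, and re-apply them. The function names, the `SETCAP` override and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): keep file capabilities across a backup
# that drops xattrs by saving `getcap -r` output and re-applying it afterwards.

TAB=$(printf '\t')
SETCAP=${SETCAP:-setcap}   # assumption: set SETCAP=echo for a dry run

# Read getcap output on stdin, write sorted "path<TAB>caps" lines.
# Accepts the "path = caps" form shown in the thread and the "path caps" form
# printed by newer libcap. Assumes the capability text holds no spaces.
normalize_getcap() {
    awk '
        match($0, / = [^ ]+$/) {
            print substr($0, 1, RSTART - 1) "\t" substr($0, RSTART + 3); next
        }
        match($0, / [^ ]+$/) {
            print substr($0, 1, RSTART - 1) "\t" substr($0, RSTART + 1)
        }
    ' | LC_ALL=C sort
}

# lost_caps BEFORE AFTER: entries in manifest BEFORE that are absent from AFTER.
lost_caps() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Read "path<TAB>caps" lines on stdin and re-apply each one; skips paths that
# no longer exist and returns non-zero if any setcap call fails.
reapply_caps() {
    rc=0
    while IFS="$TAB" read -r path caps; do
        [ -e "$path" ] || { echo "skip (missing): $path" >&2; continue; }
        "$SETCAP" "$caps" "$path" || rc=1
    done
    return $rc
}

# Constructed sample: part of the thread's getcap output, and a restored copy
# that has lost everything except /bin/ping.
sample_before='/bin/ping = cap_net_raw+ep
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/usr/bin/i3status = cap_net_admin+ep'
sample_after='/bin/ping = cap_net_raw+ep'
```

On a real system the manifests come from `getcap -r /bin /sbin /usr /lib | normalize_getcap > before` on the source and the same command on the restored tree, followed by `lost_caps before after | reapply_caps` run as root.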
