Bug#843597: More robust capability handling

[Sam Hartman]

Hi.
Looking at ftar in current fai,
it looks like it already is fairly aggressive about using tar --xattrs
for extraction.
If my reading of the code is correct, this bug should probably be closed
as never having been an issue.

--Sam

Bug#843597: More robust capability handling

[Sam Hartman]

> "Thomas" == Thomas Lange  writes:

> On Mon, 07 Nov 2016 17:36:41 -0500, Sam Hartman
>> Currently, the sample configuration namespace has a shell script
>> to restore the common capabilities found in base files; see
>> scripts/DEBIAN/20-capabilities.
Thomas> In this script, I'm doing the same things that are done in
Thomas> the postinst script of the package.

No, you're doing what the postinst script did on the day you wrote that
config script.
First, there's no guarantee that you'll notice when the packages in
question change.
Secondly, even if you do update the examples, each FAI user has to
update every one of their configuration spaces.
That tends to produce unexpected behavior over time.

Thomas> Also there was a bug in tar which added some xattr or
Thomas> capabilities even no were defined when creating the tar
Thomas> file. Have a look at #819978. IIRC this was one reason to no
Thomas> use xattrs with tar by default.  -- regards Thomas

That seems to be dealing with --acls not --xattrs
--xattrs-include=security.capability.

At least with the stretch tar, I do not get default ACLs when I use
--xattrs --xattrs-include=security.capability.

Bug#843597: More robust capability handling

[Thomas Lange]

> On Mon, 07 Nov 2016 17:36:41 -0500, Sam Hartman  
> said:

> Currently, the sample configuration namespace has a shell script to
> restore the common capabilities found in base files; see
> scripts/DEBIAN/20-capabilities.
In this script, I'm doing the same things that are done in the
postinst script of the package.

Also there was a bug in tar which added some xattr or capabilities
even no were defined when creating the tar file. Have a look at
#819978. IIRC this was one reason to no use xattrs with tar by
default.
-- 
regards Thomas

Bug#843597: More robust capability handling

[Sam Hartman]

package: fai
version: 5.2

Currently, the sample configuration namespace has a shell script to
restore the common capabilities found in base files; see
scripts/DEBIAN/20-capabilities.

This approach is brittle because as new packages in the base system gain
capabilities, everyone's configuration space needs to be updated.

tar does support saving and restoring capabilities.
If base file tars are created using
tar --xattrs --xattrs-include=security.capability -cf blah blah

and restored with
tar -xf filename --xattrs --xattrs-include=security.capability

Then capabilities are directly preserved.

I understand that you may want to preserve the script in the
configuration space because you cannot guarantee how people create base
files.
However for restore of base files, please include the xattrs options.