Re: Fedora 11: moving to posix file capabilities?

Once upon a time, Les Mikesell <lesmikesell@xxxxxxxxx> said:
> What about cp -a and rsync -a?  I expect either of these to give me a 
> working system.

cp -a copies SELinux context and ACLs currently.  It does not appear to
copy arbitrary extended attributes though, so I doubt it will pick up
capabilities.

rsync -a doesn't copy SELinux context or ACLs, so you've already lost
there.  Adding -A copies ACLs and -X copies extended attributes (but not
security or system attributes, so still no SELinux and probably no
capabilities).

Of course, tar requires --xattrs to pick up extended attributes, so
requiring an extra option already appears to be "standard" (although I
don't see an option for cp to pick up arbitrary extended attributes).

If my suggestion of having capabilities supersede and disable setuid and
setgid bits (so the bits are still set as well) is workable and
implemented (I have no idea of the code for that, so it may not be
something the kernel guys want), you wouldn't break anything if you
copied and didn't get the extended attributes.  You'd lose the added
security of capabilities, but setuid/setgid would still take effect and
programs would still work.

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
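
An added example, not part of the original message or of any Fedora tool: a check to run after cp, rsync or tar that reports which files in the copy lost the attributes discussed above. It assumes the standard Linux xattr names (`security.capability` for file capabilities, `security.selinux`, `system.posix_acl_access`); `audit_copy` and `read_xattrs` are names made up for this sketch.

```python
import os
import stat

# Assumed: standard Linux xattr names for the data discussed in the message.
WATCHED = ("security.capability",       # POSIX file capabilities
           "security.selinux",          # SELinux context
           "system.posix_acl_access")   # POSIX ACL

def read_xattrs(path):
    """Return {name: value} for the xattrs on path; {} if none can be read."""
    try:
        return {name: os.getxattr(path, name, follow_symlinks=False)
                for name in os.listxattr(path, follow_symlinks=False)}
    except OSError:
        return {}

def audit_copy(src_root, dst_root, reader=read_xattrs):
    """List (relative path, what was lost) for each regular file under src_root
    whose copy under dst_root lacks a watched xattr or a setuid/setgid bit."""
    findings = []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in sorted(files):
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            src_st = os.lstat(src)
            if not stat.S_ISREG(src_st.st_mode):
                continue
            if not os.path.lexists(dst):
                findings.append((rel, "file missing"))
                continue
            src_x, dst_x = reader(src), reader(dst)
            for attr in WATCHED:
                # Report an attribute that is absent or differs in the copy.
                if attr in src_x and src_x[attr] != dst_x.get(attr):
                    findings.append((rel, attr))
            dst_mode = os.lstat(dst).st_mode
            for bit, label in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid")):
                if src_st.st_mode & bit and not dst_mode & bit:
                    findings.append((rel, label))
    return findings

if __name__ == "__main__":
    import sys
    for rel, lost in audit_copy(sys.argv[1], sys.argv[2]):
        print(f"{rel}: lost {lost}")
```

Run it as `python3 script.py /source/root /copy/root`; an empty result means every watched attribute and setuid/setgid bit survived the copy.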
