Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Bacula-users] Linux: backup and restore of file capabilities ?

2012-01-02 13:23:46
Subject: Re: [Bacula-users] Linux: backup and restore of file capabilities ?
From: Marco van Wieringen <mvw AT planets.elm DOT net>
To: bacula-users AT lists.sourceforge DOT net
Date: Mon, 2 Jan 2012 16:06:15 +0000 (UTC) 
Wolfgang Denk <wd <at> denx.de> writes:

> 
> A number of tools in recent Linux distributions (say, Fedora 16) rely
> on file capabilities for correct operation.  For example, "rlogin"
> will only work for regular uses when the "cap_net_bind_service"
> capability is set:
> 
>       -> getcap -v /usr/bin/rlogin
>       /usr/bin/rlogin = cap_net_bind_service+ep
> 
> Without this capability, non-root users will only get:
> 
>       -> rlogin <name>
>       rcmd: socket: Permission denied
> 
> It appears that bacula does not save, and thus cannot restore, such
> file capabilities.
> 
Thats not really true. I did some searching on google to find out
how these so called POSIX file capabilities are implemented.
Its also quite new code it went into Linux 2.6.24 in may last year or so.

There is quite some info on the new option at

http://www.friedhoff.org/posixfilecaps.html

As it seems there is a new interface which mimics the acl subsytem.
But the low level implementation is based on extended attributes.
So probably if you enable xattr = yes and save the extended
attributes you are set and things backup fine and restore fine.

> The result is that any restore of a root file system will have a
> (usually unknown) number of files that don't work correctly any more.
> 
> I searched the mailing list archives and the documentation, but could
> not find any reference to dealing with file capabilities.  Am I
> missing something?
> 
Nope they are so new and no mainstream distro seems to have
implemented them already. (Fedora is probably one of the first
to do so.)

> Is there a way to perform "correct" backups under Linux, i. e. to
> backup and be able to restore things like ACLs and especially file
> capabilities?
> 
Yup add acl = yes and xattr = yes to your fileset and you should
be set to backup most of the future options. Bacula is one of
the few Open Source backup products (probably the only)
which has very broad support for all these kind of exotic
acl's, extended attributes and extensible attributes. I had to
write everything from scratch as no other projects address all
know interfaces. So we are quite good in doing the exotic stuff.
You want to do xattrs anyhow as selinux also uses it a lot.

> If not, are there any plans to add such a feature?
> 
I don't plan on adding the additional interface for capabilities
as the generic xattr interface should be sufficient. If its not
we may look at cloning the acl code and interface to the 
posix file capabilities API. Its quite the same as acl, but
as acl's on Linux are also stored as extended attributes we
already have enough overhead in supporting both the ACL and XATTR
interfaces on Linux so I would prefer not to add an other interface
if the generic extended attribute code works.

We already found out that Novell uses extended attributes for
storing additional access control lists on there NSS filesystem.
And those also backup and restore fine with the generic xattr code.

See
http://www.bacula-konferenz.de/historie/2011/sicherung-von-nss-filesystemen-mit-bacula/at_download/file

> Note that this is probably a bigger problem - it appears that
> neither cpio nor tar nor rsync etc. can deal with file capabilities.
> At the moment I don't know how to create a 100% correct backup of a
> plain vanilla Linux root filesystem...  
> 
If you look at the linked webpage you will see that rsync and cpio
have support for extended attributes and that is used to copy these
posix file capabilities.

So I would say give the xattr=yes a go on your install and see
if it works for these attributes. You could create a test fileset
with a known file with a posix file capability and run the bacula-fd
with a debug level of 100 and watch for xattr save messages.

Marco


------------------------------------------------------------------------------
Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex
infrastructure or vast IT resources to deliver seamless, secure access to
virtual desktops. With this all-in-one solution, easily deploy virtual 
desktops for less than the cost of PCs and save 60% on VDI infrastructure 
costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Bacula-users] Fedora 16 - RHEL 5/6 Bacula RPM repository, Simone Caronni
Next by Date:  Re: [Bacula-users] Linux: backup and restore of file capabilities ?, Wolfgang Denk
Previous by Thread:  Re: [Bacula-users] file capabilities ? Happy New Year, Geert Stappers
Next by Thread:  Re: [Bacula-users] Linux: backup and restore of file capabilities ?, Wolfgang Denk
Indexes:  [Date] [Thread] [Top] [All Lists]