Wolfgang Denk <wd <at> denx.de> writes:
>
> A number of tools in recent Linux distributions (say, Fedora 16) rely
> on file capabilities for correct operation. For example, "rlogin"
> will only work for regular users when the "cap_net_bind_service"
> capability is set:
>
> -> getcap -v /usr/bin/rlogin
> /usr/bin/rlogin = cap_net_bind_service+ep
>
> Without this capability, non-root users will only get:
>
> -> rlogin <name>
> rcmd: socket: Permission denied
>
> It appears that bacula does not save, and thus cannot restore, such
> file capabilities.
>

That's not really true. I did some searching on Google to find out how these so-called POSIX file capabilities are implemented. It's also quite new code; it went into Linux 2.6.24 in May last year or so.
There is quite some info on the new option at http://www.friedhoff.org/posixfilecaps.html

As it seems, there is a new interface which mimics the ACL subsystem. But the low-level implementation is based on extended attributes. So probably if you enable xattr = yes and save the extended attributes you are set, and things back up fine and restore fine.

> The result is that any restore of a root file system will have a
> (usually unknown) number of files that don't work correctly any more.
>
> I searched the mailing list archives and the documentation, but could
> not find any reference to dealing with file capabilities. Am I
> missing something?
>

Nope, they are so new and no mainstream distro seems to have implemented them already. (Fedora is probably one of the first to do so.)

> Is there a way to perform "correct" backups under Linux, i. e. to
> backup and be able to restore things like ACLs and especially file
> capabilities?
>

Yup, add acl = yes and xattr = yes to your fileset and you should be set to back up most of the future options. Bacula is one of the few Open Source backup products (probably the only one) which has very broad support for all these kinds of exotic ACLs, extended attributes and extensible attributes. I had to write everything from scratch as no other projects address all known interfaces. So we are quite good at doing the exotic stuff. You want to do xattrs anyhow, as SELinux also uses them a lot.

> If not, are there any plans to add such a feature?
>

I don't plan on adding the additional interface for capabilities, as the generic xattr interface should be sufficient. If it's not, we may look at cloning the ACL code and interface to the POSIX file capabilities API. It's quite the same as ACL, but as ACLs on Linux are also stored as extended attributes, we already have enough overhead in supporting both the ACL and XATTR interfaces on Linux, so I would prefer not to add another interface if the generic extended attribute code works.
We already found out that Novell uses extended attributes for storing additional access control lists on their NSS filesystem. And those also back up and restore fine with the generic xattr code. See http://www.bacula-konferenz.de/historie/2011/sicherung-von-nss-filesystemen-mit-bacula/at_download/file

> Note that this is probably a bigger problem - it appears that
> neither cpio nor tar nor rsync etc. can deal with file capabilities.
> At the moment I don't know how to create a 100% correct backup of a
> plain vanilla Linux root filesystem...
>

If you look at the linked webpage you will see that rsync and cpio have support for extended attributes, and that is used to copy these POSIX file capabilities.

So I would say give xattr=yes a go on your install and see if it works for these attributes. You could create a test fileset with a known file with a POSIX file capability and run the bacula-fd with a debug level of 100 and watch for xattr save messages.

Marco
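
Added example, not part of the original message and not Bacula code: a way to check that file capabilities survived a backup and restore by decoding the extended attribute that carries them. The xattr name `security.capability` and the `vfs_cap_data` layout come from the Linux kernel headers rather than from this thread, and all function names are hypothetical.

```python
import errno
import os
import struct

# Constants from <linux/capability.h>; the xattr value is little-endian.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
REVISION_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # 32-bit words per set
CAP_NAMES = {10: "cap_net_bind_service"}  # subset only; extend as needed

def parse_vfs_cap(blob):
    """Decode a security.capability value (revision 3's rootid is not decoded)."""
    if len(blob) < 4:
        raise ValueError("truncated capability xattr")
    (magic_etc,) = struct.unpack_from("<I", blob, 0)
    words = REVISION_WORDS.get(magic_etc & VFS_CAP_REVISION_MASK)
    if words is None:
        raise ValueError("unknown capability revision 0x%08x" % magic_etc)
    if len(blob) < 4 + 8 * words:
        raise ValueError("truncated capability xattr")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    return {"permitted": permitted, "inheritable": inheritable, "effective": effective}

def cap_names(mask):
    """Turn a capability bitmask into names, falling back to cap_<bit>."""
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1]

def read_file_caps(path):
    """Parsed capabilities of path, or None if the file has none (Linux only)."""
    try:
        return parse_vfs_cap(os.getxattr(path, "security.capability", follow_symlinks=False))
    except OSError as exc:
        if exc.errno == errno.ENODATA:
            return None
        raise

def lost_capabilities(original, restored):
    """Paths whose capabilities differ between two {path: xattr bytes} snapshots."""
    def decode(blob):
        return parse_vfs_cap(blob) if blob else None
    return sorted(p for p, blob in original.items() if decode(blob) != decode(restored.get(p)))

# Constructed sample: the value behind "cap_net_bind_service+ep" (revision 2).
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << 10, 0, 0, 0)
```

Taking a snapshot with `read_file_caps` (or the raw `os.getxattr` bytes) before the backup and again after a test restore shows directly whether the fileset's xattr setting preserved the capabilities.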