#771 PR merged: Added a very simple way to back up capabilities.

Labels: enhancement

mattihautameki opened issue at 2016-02-12 11:41:

Since capabilities are not backed up with tar, I implemented a file-based backup using getcap and setcap. This commit was tested on SLES12 and RHEL7. Both use capabilities instead of SUID for ping, arping, etc.

schlomo commented at 2016-02-12 12:13:

Hi @mattihautameki,

thanks a lot for this pull request! This is indeed a missing feature and thanks a lot for providing us with a first implementation.

I went through the code and left some detailed comments. IMHO only the following are real blockers:

  • rename BACKUP_CAP
  • Use quotes for setcap
  • parse the capabilities file in a more robust way, e.g. with this example: while IFS="=" read file cap ; do file="${file% }" cap="${cap# }" ; declare -p file cap ; done <<<'/some file with blanks and " = some_cap,other_cap'

Kind Regards,
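
An added example, not part of the original comment or of the ReaR code base: one way to cover the last two blockers together, parsing each entry at the last " = " and passing quoted arguments to setcap. The function names `parse_cap_line` and `restore_capabilities` and the `SETCAP` override are hypothetical, and the `<path> = <caps>` line format is assumed from the example line above.

```sh
# Added example (not ReaR code): parse "<path> = <caps>" lines and re-apply them.
# Assumption: one entry per line; paths containing newlines are not supported.
SETCAP="${SETCAP:-setcap}"   # hypothetical override so the logic can be dry-run

# Split at the LAST " = " so blanks, quotes and even " = " inside the path
# survive. Sets CAP_FILE and CAP_VALUE; returns 1 on malformed input.
parse_cap_line() {
    CAP_FILE="" CAP_VALUE=""
    case "$1" in
        *" = "*) ;;
        *) return 1 ;;
    esac
    CAP_FILE="${1% = *}"     # shortest suffix removed: text before the last " = "
    CAP_VALUE="${1##* = }"   # longest prefix removed: text after the last " = "
    # Only absolute paths, so a crafted entry can never be read as an option.
    case "$CAP_FILE" in /*) ;; *) return 1 ;; esac
    # Value must be non-empty, must not look like an option, and may only use
    # characters of the capability text syntax.
    case "$CAP_VALUE" in
        ""|-*|*[!a-z0-9_,+=\ -]*) return 1 ;;
    esac
    return 0
}

# Re-apply every entry of the list file given as $1. Lines that cannot be
# parsed or applied are reported on stderr; returns the number of failures.
restore_capabilities() {
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # Both arguments are quoted, so the path reaches setcap as one word.
        if parse_cap_line "$line" &&
           "$SETCAP" "$CAP_VALUE" "$CAP_FILE" </dev/null; then
            continue
        fi
        echo "capabilities not restored: $line" >&2
        failed=$((failed + 1))
    done < "$1"
    return "$failed"
}
```

Reporting unparsed or failed entries instead of skipping them silently matters here: a binary such as ping that loses its capability after a restore stops working for unprivileged users.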

jsmeix commented at 2016-02-15 10:00:

Regarding https://github.com/rear/rear/pull/771#discussion_r52848923 "REQUIRED_PROGS is not working correctly":

Also in my opinion REQUIRED_PROGS is not working correctly, see https://github.com/rear/rear/issues/755#issuecomment-171603580 and subsequent comments.

But I still do not know under what exact circumstances rear should fail with an error if something in REQUIRED_PROGS is missing so that I cannot decide if REQUIRED_PROGS currently works as intended or not.

mattihautameki commented at 2016-02-16 21:17:

I implemented the suggested improvements to the best of my belief.

  • Changed BACKUP_CAP to NETFS_RESTORE_CAPABILITIES and moved it to the NETFS Section in default.conf.
  • Use quotes for filename and capabilities.
  • I adapted the MISSING_PROGS check in 95_check_missing_programs.sh since the Error function is not called even if all binaries from REQUIRED_PROG are missing.

I also moved the block which is collecting the capabilities 41_save_capabilities.sh to the rescue section of NETFS. This is because /var/lib/rear/recovery/capabilities is not in the ISO from the actual mkbackup-run. When rear mkbackup is run a second time the file will be included in the ISO because it is already present on the filesystem.
I am not familiar with the whole code of rear so let me know if there is a better way.

Kind Regards,

gdha commented at 2016-02-17 15:25:

@mattihautameki looks OK to me. Thank you for the new (missing) feature.

[Export of Github issue for rear/rear.]