Fedora 11: moving to posix file capabilities?

Chris Adams cmadams at hiwaay.net
Sat Nov 1 17:34:50 UTC 2008


Once upon a time, Les Mikesell <lesmikesell at gmail.com> said:
> What about cp -a and rsync -a?  I expect either of these to give me a 
> working system.

cp -a copies SELinux context and ACLs currently.  It does not appear to
copy arbitrary extended attributes though, so I doubt it will pick up
capabilities.

rsync -a doesn't copy SELinux context or ACLs, so you've already lost
there.  Adding -A copies ACLs and -X copies extended attributes (but not
security or system attributes, so still no SELinux and probably no
capabilities).

Of course, tar requires --xattrs to pick up extended attributes, so
requiring an extra option already appears to be "standard" (although I
don't see an option for cp to pick up arbitrary extended attributes).

If my suggestion of having capabilities supersede and disable setuid and
setgid bits (so the bits are still set as well) is workable and
implemented (I have no idea of the code for that, so it may not be
something the kernel guys want), you wouldn't break anything if you
copied and didn't get the extended attributes.  You'd lose the added
security of capabilities, but setuid/setgid would still take effect and
programs would still work.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
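A post-copy check for the concern raised above, as an added example that is not part of the original post: it walks a source tree and reports every regular file whose `security.capability` extended attribute (where Linux stores file capabilities) did not arrive intact in the copy. The function names `read_xattr` and `audit_copy` and the injectable `reader` parameter are hypothetical, chosen for this illustration.

```python
import errno
import os
import stat

CAP_XATTR = "security.capability"  # xattr in which Linux stores file capabilities

def read_xattr(path, name=CAP_XATTR):
    """Return the raw xattr value, or None if the file does not carry it."""
    try:
        return os.getxattr(path, name, follow_symlinks=False)
    except OSError as e:
        # ENODATA: attribute absent; ENOTSUP: filesystem has no xattr support
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise

def audit_copy(src_root, dst_root, reader=read_xattr):
    """Compare capability xattrs of regular files under src_root with their copies.

    Returns a sorted list of (relative_path, problem), where problem is
    'missing-file', 'lost' or 'changed'. `reader` is injectable (an assumption
    of this example) so the logic can be exercised without privileges.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(src_root):
        for fname in files:
            src = os.path.join(dirpath, fname)
            if not stat.S_ISREG(os.lstat(src).st_mode):
                continue
            want = reader(src)
            if want is None:
                continue  # source carries no capabilities, nothing to lose
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            if not os.path.lexists(dst):
                findings.append((rel, "missing-file"))
                continue
            got = reader(dst)
            if got is None:
                findings.append((rel, "lost"))
            elif got != want:
                findings.append((rel, "changed"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for rel, problem in audit_copy(sys.argv[1], sys.argv[2]):
        print(f"{problem:12} {rel}")
```

Run it as `python3 script.py /source/root /copy/root` after a copy or restore; an empty report means every capability-bearing file kept its attribute.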



