CentOS7 restoring file capabilities
# 1  
Old 11-09-2018

Quite an obscure question I think.

We have a rebuild process for remote sites that allows us to PXE rebuild a till (actually a PC with a touch screen and various fancy bits) running CentOS. The current CentOS5 tills work just fine with a tar image restore and some personalisation. Sadly, CentOS7 introduces file capabilities on some critical stuff, such as ping, so on the original source till, getcap /usr/bin/ping gives us this:-
Code:
# getcap /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+p

After a tar and restore, these are lost, so ordinary users cannot use ping, which is a shame because the till believes it cannot post the sales information to the central servers. The actual till software is proprietary, so we can't get into that to change it.

Does anyone know how to take a file and all its file capabilities so that it can be restored?

An alternative would be to use yum or rpm to either list the required capabilities before or re-apply them after the recovery, but I can't find a way to do either of these. At worst, I might have to use getcap in a massive loop to collect them all then apply them manually after recovery, but I'd rather use the appropriate tools to do it properly.


Does anyone have any suggestions?



Many thanks, in advance,
Robin
# 2  
Old 11-10-2018
I would suggest using an extra switch while using tar: --xattrs

Perhaps even add the selinux and ACL options as well to avoid additional problems.

Regards
Peasant.
# 3  
Old 11-10-2018
Yes, we'd tried that without success. I hadn't considered the other file attributes options though. Sadly, it seems no better. A simple test just on CentOS7 gives me this:-
Code:
# tar -cvpzf - --xattrs --acl --selinux /usr/bin/ping | (cd /tmp;tar -xzvp --xattrs --acl --selinux  -f -)
tar: Removing leading `/' from member names
/usr/bin/ping
usr/bin/ping
# getcap -v /usr/bin/ping /tmp/usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/tmp/usr/bin/ping

Am I doing something daft? At worst I've scanned all local files and collected the capabilities into a file that then is part of the tarball. On recovery I can apply them within my kickstart file. It's just more steps to worry about.

I have found that simply copying a file loses the capabilities; one has to cp --preserve=xattr source target. Maybe I don't understand where these are stored. Maybe I don't need to know, just understand the rules I need to follow.

I know I can achieve it with rsync but I can't neatly use that when doing a PXE recovery and I'd have to get the files out to all the remote locations individually too, which would be a nightmare.

I will keep digging. Any other suggestions to explore very welcome.



Kind regards,
Robin
# 4  
Old 11-11-2018
Give this a shot, I've tried it in a KVM box with success.
Code:
[root@proxygw ~]# uname -a
Linux proxygw 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@proxygw ~]# cat /etc/redhat-release 
CentOS Linux release 7.5.1804 (Core) 
[root@proxygw ~]# getcap /usr/bin/ping
/usr/bin/ping = cap_net_admin,cap_net_raw+p
[root@proxygw ~]# cat rb.sh
tar --acl --selinux --anchored --xattrs --xattrs-include='security.capability' -cvpzf - /usr/bin/ping | ( cd /tmp && tar -xzvp --acl --selinux --anchored --xattrs --xattrs-include='security.capability' -f - )
[root@proxygw ~]# ./rb.sh
tar: Removing leading `/' from member names
/usr/bin/ping
usr/bin/ping
[root@proxygw ~]# getcap /usr/bin/ping /tmp/usr/bin/ping 
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/tmp/usr/bin/ping = cap_net_admin,cap_net_raw+p

Hope that helps
Regards
Peasant.
# 5  
Old 11-23-2018
Hello Peasant,

Sorry for the delay, I've been in court for two weeks. Don't worry, it was only jury service.

Yes! This works wonderfully. I've trimmed it down, finding that the necessary part was just --xattrs-include='security.capability', so I can now prove it with:-
Code:
# tar -cvpzf - --xattrs-include='security.capability' /usr/bin/ping | ( cd /tmp && tar -xzvp --xattrs-include='security.capability' -f - )
tar: Removing leading `/' from member names
/usr/bin/ping
usr/bin/ping

# getcap /tmp/usr/bin/ping
/tmp/usr/bin/ping = cap_net_admin,cap_net_raw+p

This command now works perfectly and I can incorporate it into our kickstart-called recovery process with a minor adjustment to the procedure to build the image.

Fantastic.

One wonders why they create so many additional attributes for files and then the default doesn't recover them. I presume it is so that if you try to extract on a server whose tar is not expecting them, you don't get horrible errors, but it is frustrating. Oh well.


Thank you very much once again,
Robin
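A worked version of the manifest fallback Robin describes in post #3, added here and not code posted in the thread: it parses the getcap output format shown above into a manifest, regenerates the setcap commands for the recovery kickstart, and diffs the recovered tree's manifest against the original so a lost capability (the ping symptom in post #1) is caught before the till goes live. The "path = caps" line format and the sample paths are assumptions taken from the thread's own getcap output.

```shell
#!/bin/sh
# Added example, not code from the thread. Record file capabilities into a
# manifest before imaging, emit the setcap commands for kickstart %post, and
# verify the recovered tree. Assumes the getcap output format the thread
# shows ("path = caps", libcap 2.22 on CentOS 7); newer libcap prints
# "path caps" and would need a different field separator.

# Constructed sample in the style of the thread's `getcap -v` output; the last
# line is a file getcap -v lists with no capability set at all.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/ping6 = cap_net_admin,cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
/usr/bin/no_caps_here'

# cap_manifest: getcap output on stdin -> "path<TAB>caps" lines, one per file
# that actually carries capabilities (lines without " = " are skipped).
cap_manifest() {
    awk -F' = ' 'NF == 2 { printf "%s\t%s\n", $1, $2 }'
}

# cap_restore_script: manifest on stdin -> one setcap command per file.
# Paths are single-quoted (embedded quotes escaped as '\'') so the output
# can be run with sh from the %post section of the kickstart file.
cap_restore_script() {
    awk -F'\t' '{
        path = $1
        gsub("\047", "\047\\\047\047", path)
        printf "setcap \047%s\047 \047%s\047\n", $2, path
    }'
}

# cap_diff EXPECTED ACTUAL: compare two manifest files and report every path
# whose capability set is missing or differs after recovery. Prints nothing
# when the recovered tree matches, so it can gate the end of the rebuild.
cap_diff() {
    awk -F'\t' '
        FILENAME == ARGV[1] { want[$1] = $2; next }
        { have[$1] = $2 }
        END {
            for (p in want) {
                if (!(p in have))
                    printf "MISSING\t%s\t%s\n", p, want[p]
                else if (have[p] != want[p])
                    printf "DIFF\t%s\twant=%s\thave=%s\n", p, want[p], have[p]
            }
        }' "$1" "$2"
}
```

On a real till the manifest comes from `getcap -r /` (run as root) instead of the constructed sample, and the tar path with --xattrs-include='security.capability' from post #4 remains the primary mechanism; this script is the belt-and-braces check around it.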