Hi everyone. I had a quick question:
When swupd updates a binary, does the binary retain its old permissions and xattrs? Or are they reset to their usual defaults?
Additional context to this question, for those who like to read:
I use restic via swupd to perform backups. To be a little more secure, I made a separate user and group for restic to run as, especially for automated backups.
I then set the permission of /usr/bin/restic to 4774 and updated its xattrs to DAC override read and search, i.e.:

    sudo useradd --system -m -s /usr/bin/nologin restic
    sudo groupadd backupusers
    sudo usermod -a -G backupusers restic
    sudo chown root:backupusers /usr/bin/restic
    sudo chmod 4774 /usr/bin/restic
    sudo setcap cap_dac_read_search=+ep /usr/bin/restic
    # plus chowning/chmodding other restic related files

It occurred to me though that the ACLs and xattrs would probably be reset the next time swupd updates the restic binary. Can anyone confirm if this is true or not?
I like that swupd keeps restic up-to-date for me, but I might have to maintain the binary myself and write a little automation that updates it and keeps its permissions intact.
Thanks in advance!
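
The automation mentioned in the last paragraph could start from a drift check like the one below. This is an added example, not part of the original post: the function names and the `--fix` flag are made up here, the expected values are copied from the commands in the post, and it assumes GNU `stat` plus libcap's `getcap`/`setcap`.

```shell
#!/bin/sh
# Expected state of the binary, copied from the commands in the post.
BIN="${BIN:-/usr/bin/restic}"
WANT_OWNER="root:backupusers"
WANT_MODE="4774"
WANT_CAP="cap_dac_read_search"

# Print one line per attribute that differs from the expected state.
# Arguments: file, owner:group, octal mode, capability name ("" skips the check).
drift() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    owner=$(stat -c '%U:%G' "$f")
    mode=$(stat -c '%a' "$f")
    [ "$owner" = "$2" ] || echo "owner: $owner (want $2)"
    [ "$mode" = "$3" ] || echo "mode: $mode (want $3)"
    if [ -n "$4" ]; then
        # getcap prints nothing when the file carries no capabilities.
        getcap "$f" 2>/dev/null | grep -q "$4" || echo "cap: $4 not set"
    fi
    return 0
}

# Re-apply owner, mode and capability. Order matters: on Linux, chown on an
# executable clears the setuid bit and any file capabilities, so chmod and
# setcap have to run after it.
reapply() {
    chown "$2" "$1" && chmod "$3" "$1" && setcap "$4=+ep" "$1"
}

# Run as root with --fix (hypothetical flag of this script), e.g. after each
# update. Without arguments the script only defines the functions.
if [ "${1:-}" = "--fix" ]; then
    report=$(drift "$BIN" "$WANT_OWNER" "$WANT_MODE" "$WANT_CAP")
    [ -z "$report" ] && exit 0
    echo "$BIN drifted:" >&2
    echo "$report" >&2
    [ "$report" = "missing" ] && exit 1
    reapply "$BIN" "$WANT_OWNER" "$WANT_MODE" "$WANT_CAP"
fi
```

Running it once right after an update, before any fix is applied, also shows directly which of the three attributes the update changed.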