Hi everyone. I had a quick question:
- When `swupd` updates a binary, does the binary retain its old permissions and xattrs? Or are they reset to their usual defaults?
Additional context to this question, for those who like to read:
I installed `restic` via swupd to perform backups. To be a little more secure, I made a separate user and group for restic to run as, especially for automated backups.
I then set the permission of `/usr/bin/restic` to 4774 and updated its xattrs to DAC override read and search. i.e.:
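```
# dedicated system user and group for running restic
sudo useradd --system -m -s /usr/bin/nologin restic
sudo groupadd backupusers
sudo usermod -a -G backupusers restic
# owner, mode and file capability on the binary
sudo chown root:backupusers /usr/bin/restic
sudo chmod 4774 /usr/bin/restic
sudo setcap cap_dac_read_search=+ep /usr/bin/restic
# plus chowning/chmodding other restic related files
```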
It occurred to me though that the ACLs and xattrs would probably be reset the next time swupd updates the restic binary. Can anyone confirm if this is true or not?
I like that swupd keeps restic up-to-date for me, but I might have to maintain the binary myself and write a little automation that updates it and keeps its permissions intact.
Thanks in advance!
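
Added example, not part of the original post: a small check that reports whether a binary still has the owner, mode and file capability applied by hand, so it can be run after each update. The function name `check_drift` and the script name are hypothetical; it assumes GNU `stat` and libcap's `setcap`.

```shell
#!/bin/sh
# Added example: detect drift in owner, mode and file capabilities.
# Usage: sh check_drift.sh PATH OWNER:GROUP MODE [CAPS]

# check_drift PATH OWNER:GROUP MODE [CAPS]
# Returns 0 when everything matches, 1 on any difference, 2 if PATH is missing.
check_drift() {
    path=$1 want_owner=$2 want_mode=$3 want_caps=${4:-}
    drift=0

    [ -e "$path" ] || { echo "missing: $path" >&2; return 2; }

    # GNU stat: %U:%G is owner:group by name, %a is the octal mode
    # (setuid shows as a leading 4, e.g. 4774).
    have_owner=$(stat -c '%U:%G' "$path")
    have_mode=$(stat -c '%a' "$path")

    if [ "$have_owner" != "$want_owner" ]; then
        echo "owner drift: have $have_owner, want $want_owner"
        drift=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "mode drift: have $have_mode, want $want_mode"
        drift=1
    fi

    # File capabilities live in the security.capability xattr. "setcap -v"
    # compares without modifying the file and exits non-zero on a mismatch.
    if [ -n "$want_caps" ]; then
        if ! setcap -v "$want_caps" "$path" >/dev/null 2>&1; then
            echo "capability drift: want $want_caps"
            drift=1
        fi
    fi
    return "$drift"
}

# Run only when called with arguments, for example:
#   sh check_drift.sh /usr/bin/restic root:backupusers 4774 cap_dac_read_search=+ep
if [ "$#" -ge 3 ]; then
    check_drift "$@"
fi
```

A non-zero exit after an update means the `chown`, `chmod` and `setcap` steps need to be reapplied, in that order.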