Do binaries retain permissions through swupd updates?

Hi everyone. I had a quick question:

  • When swupd updates a binary, does the binary retain its old permissions and xattrs? Or are they reset to their usual defaults?

Additional context to this question, for those who like to read:

I installed restic via swupd to perform backups. To be a little more secure, I made a separate user and group for restic to run as, especially for automated backups.

I then set the permission of /usr/bin/restic to 4774 and updated its xattrs to DAC override read and search. i.e.:

sudo useradd --system -m -s /usr/bin/nologin restic
sudo groupadd backupusers
sudo usermod -a -G backupusers restic

sudo chown root:backupusers
sudo chmod 4774 /usr/bin/restic
sudo setcap cap_dac_read_search=+ep

# plus chowning/chmodding other restic related files

It occurred to me though that the ACLs and xattrs would probably be reset the next time swupd updates the restic binary. Can anyone confirm if this is true or not?

I like that swupd keeps restic up-to-date for me, but I might have to maintain the binary myself and write a little automation that updates it and keeps its permissions in tact.

Thanks in advance!

When permission changed, the hash changes. So swupd will replace it if it’s found, even when there’s no update.

Understood, thanks for the info. I’ll maintain a separate copy of restic if I continue using a separate user then.