First, Hi to all!

As the title says I wonder if the usual (in my case Ubuntu 14.04 LTS) linux installation root does in fact uses any of the ACLs possible extensions in any of its files/dirs

I ask this because I usually use tar to backup the entire root (in offline) with a command like this (root mode):

# tar -cpS --numeric-owner --anchored --exclude={dev,proc,sys,run,tmp}/\* !(lost+found) | pigz > /mydir/myroot.tar.gz

But lately I have "surfed" the ACL argument and reading the fact that tar doesn't read them I wonder if in fact the regular linux install scenario really uses them or not.
So I would not need any alternative to tar, which I would like to avoid if I can...
Anyway I need to store the FS in a file, so rsync isn't an option.

Thank you

By default file ACLs are not in use - they're usually something you turn on to do more granular permission controls than is allowed by the standard file modes (see chmod).

It appears tar will store ACL information if you use the --acls flag:
--acls this option causes tar to store each file’s ACLs in the archive.


FYI:
The term ACL is used in other contexts (e.g. in BIND and Apache configuration) so may not always refer to the file ACLs which you appear to be questioning.

I can't speak for Ubuntu, but OpenSUSE does use ACLs by default in /var/log/journal.

Nice to hear, now I guess that anyway for safety I should setup a command line with "getfacl" to get those ACLs which aren't redundant to basic user/permission assignments.
I mean not redundant as I see that "getfacl" normally outputs also standard unix ones

getfacl should show pretty much the same as ls -l.

The above post is the firt time I hear about a distro setting acls, but nothing is impossible.

In all honesty, selinux and basic rwx permissions work fine for most. Acls are great for if you wish to have a specific group or user access files or want to deny access by default etc. A good example will be a directory tree where you do not want anyone to write data in the third directory. Your manager complains because he needs to update time schedules but due to other restrictions you cannot have him join the group, say because there is sensitive information put there by his supperiors. In that case you can leave the normal file permissions but give an extra bit of permission to him to complete just that one specific small task.

I would really not bother setting bash to be controlled by acls. That could have undesired effects. Just make sure your basic permisions are good for a start. If you are at home, using the pc at home, acls won't help you much. The main threat comesfrom outside so firewall and selinux are better to spend time on.

If you really want to get users to be cornered, just add load the user as a guest selinux profile. That will pretty much make the account useless.

Apparmor should have something similar, unfortunately I have never touched or looked at apparmor.

When I said "for safety" I was a bit misleading, actually I meant being sure to grab all file-system permissions to avoid screwing something inside system root.
Anyway thanks for your sharing, ericson007.

In linux, given that you readed up the basics of a system storage/boot then grabbing -> templating -> deploying/cloning FS roots is like playing with a toy
Everything is modular, integrated, engineered, standardized... I'm in the free *nix software bandwagon since 2011 and I still get stunned from to time to time in new things (new to me) and possibilities I discover in my path

I truly agree with that. It never takes me long to realize i actually know nothing about linux. There is always something... then the tinkering and broken systems start rolling in. Lol.

I don't have a lot of experience with systemd-journald, but I think it's standard. From here:

1 members found this post helpful.