I'd tend to always copy xattrs – it seems that's what the user would expect to happen. A new parameter to _forbid_ it might make sense. However, I feel that there are already enough parameters in place. :-/
- user: can be set by anyone
- trusted: root only
- security: root only
- system: even root can’t do that, at least not in my vm
I’m writing a shutil.copyxattr() first which could simply get another argument for the namespaces that should be copied.
However what to do inside copy2()?
I’m tending to either:
1. copy only user.*
2. ignore errors in any namespace != user
Personally, I find the second approach rather non-deterministic.
So I’d suggest:
- copyxattr has an extra argument called namespaces with default being ['user'], so that in theory someone who wants to do something more sophisticated can do it.
- copy2 copies only user.* though because that’s what you usually want.
> I’m writing a shutil.copyxattr() first which could simply get another
> argument for the namespaces that should be copied.
Sounds good to me :-)
> However what to do inside copy2()?
> I’m tending to either:
> 1. copy only user.*
> 2. ignore errors in any namespace != user
> Personally, I find the second approach rather non-deterministic.
But it's also more practical, e.g. when running as root you would
probably be surprised if only a subset of xattrs get copied, wouldn't
you? “Practicality beats purity.”
For reference, here is part of the documentation for GNU cp's "-a":
    Preserve as much as possible of the structure and attributes of the
    original files in the copy (but do not attempt to preserve internal
    directory structure; i.e., `ls -U' may list the entries in a copied
    directory in a different order). Try to preserve SELinux security
    context and extended attributes (xattr), but ignore any failure to
    do that and print no corresponding diagnostic. Equivalent to `-dR
    --preserve=all' with the reduced diagnostics.
Meaning that "cp -a" tries to copy all xattrs and silences errors when
it's not possible to do so.
"cp --preserve=all" seems to have a similar error-silencing behaviour:
    Preserve all file attributes. Equivalent to specifying all
    of the above, but with the difference that failure to
    preserve SELinux security context or extended attributes does
    not change `cp''s exit status. In contrast to `-a', all but
    `Operation not supported' warnings are output.
I have replied to the (two weeks old :-/) review. There are three open questions in there we'll have to figure out before I fix the patch:
- should copyxattr() remove xattrs in dst that aren't present in src? Make it an option like `remove_missing_xattr`?
- use "None" for `namespaces` in copyxattrs() to indicate we want to copy all of them?
- add an ignore_errors option?
ISTM, that "all namespaces" don't make much sense without ignore_errors as there seem to be some internal xattr etc.
Suggestion: copyxattrs() has ignore_errors as default and returns a list of xattr it couldn't copy as (xattr, exception) tuples? Or an "on error" handler like in rmtree? I'd prefer the first one as ISTM that failures happen more often than not.
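
The options discussed in this thread (a `namespaces` argument defaulting to user only, `None` meaning all namespaces, and `ignore_errors` returning the failures as (xattr, exception) tuples), sketched as an added example that is not part of any comment above and is not the patch under review or shutil's API. The names `in_namespaces` and `copy_xattrs` are hypothetical; the `os.*xattr` calls are the Linux-only ones in the standard library.

```python
import os


def in_namespaces(name, namespaces):
    """True if xattr `name` (e.g. 'user.comment') falls in `namespaces`.

    namespaces=None selects every namespace (user, trusted, security, system).
    """
    if namespaces is None:
        return True
    return name.split(".", 1)[0] in namespaces


def copy_xattrs(src, dst, namespaces=("user",), ignore_errors=True):
    """Copy extended attributes from src to dst.

    Returns a list of (xattr_name, exception) tuples for attributes that
    could not be copied, so a caller can see that e.g. security.* was
    dropped instead of having it silently ignored. With
    ignore_errors=False the first failure is raised instead.
    """
    failed = []
    for name in os.listxattr(src):
        if not in_namespaces(name, namespaces):
            continue
        try:
            os.setxattr(dst, name, os.getxattr(src, name))
        except OSError as exc:  # EPERM, ENOTSUP, ENODATA, ...
            if not ignore_errors:
                raise
            failed.append((name, exc))
    return failed


if __name__ == "__main__":
    import sys

    # Usage: script.py SRC DST -- try all namespaces and report what was lost.
    source, target = sys.argv[1:3]
    for xattr, error in copy_xattrs(source, target, namespaces=None):
        print(f"not copied: {xattr}: {error}")
```
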