How to preserve ACLs and extended attributes with rsync

Copying a Linux file tree with only rsync -a can leave out POSIX ACL entries and extended attributes that applications, backup restores, or security tooling expect. Add -A and -X when the destination needs the same metadata beyond owner, group, mode, and timestamps.

The -a archive option preserves the usual file attributes but does not include –acls or –xattrs. Using -aAX tells rsync to preserve archive metadata, ACL entries, and extended attributes in one transfer without hiding the ACL and xattr flags in a longer option list.

Both sides need rsync support for ACLs and xattrs, and the destination filesystem must support the metadata being copied. A normal user preserves only user.* extended attributes on Linux, while root can copy more namespaces except system.*, so run the receiving side with the privileges required for the attributes you need. For backup archives written by an unprivileged receiving account, –fake-super stores privileged metadata in rsync-specific xattrs for later restore instead of writing the live ACLs and xattrs onto the destination files.

Steps to preserve ACLs and extended attributes with rsync:

Confirm that the installed rsync build supports ACLs and xattrs.

$ rsync --version
rsync  version 3.4.1  protocol version 32
##### snipped #####
Capabilities:
    64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints,
    socketpairs, symlinks, symtimes, hardlinks, hardlink-specials,
    hardlink-symlinks, IPv6, atimes, batchfiles, inplace, append, ACLs,
    xattrs, optional secluded-args, iconv, prealloc, stop-at, no crtimes
##### snipped #####

On Debian and Ubuntu, install rsync, acl, and attr when rsync, getfacl, or getfattr is missing.

Inspect a representative source ACL before copying.

$ getfacl -p /srv/source/app.conf
# file: /srv/source/app.conf
# owner: root
# group: root
user::rw-
user:backup:r--
group::r--
mask::r--
other::r--

Inspect the source extended attributes before copying.
```
$ getfattr -d --absolute-names /srv/source/app.conf
# file: /srv/source/app.conf
user.backup-tier="gold"
```
Use getfattr -d -m - --absolute-names <path> when you need to audit non-user xattr namespaces as root.
Copy the source tree with archive, ACL, and xattr preservation enabled.
```
$ sudo rsync -aAX --itemize-changes /srv/source/ /srv/destination/
>f+++++++++ app.conf
```
-a does not imply -A or -X. Keep both extra flags in scripts that must preserve ACLs or extended attributes.

Verify that the destination ACL matches the source.

$ getfacl -p /srv/destination/app.conf
# file: /srv/destination/app.conf
# owner: root
# group: root
user::rw-
user:backup:r--
group::r--
mask::r--
other::r--

Verify that the destination extended attribute matches the source.

$ getfattr -d --absolute-names /srv/destination/app.conf
# file: /srv/destination/app.conf
user.backup-tier="gold"

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.