blob: 08c01e1dfe0bb6116f398a785c4eeb5e7c97dcfa (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
#
# /etc/security/capability.conf
#
# this is a sample capability file (to be used in conjunction with
# the pam_cap.so module)
#
# In order to use this module, it must have been linked with libcap
# and thus you'll know about Linux's capability support.
# [If you don't know about libcap, read more about it here:
#
# https://sites.google.com/site/fullycapable/
#
# There is a page devoted to pam_cap.so here:
#
# https://sites.google.com/site/fullycapable/pam_cap-so
#
# .]
#
# Here are some sample lines (remove the preceding '#' if you want to
# use them.
#
# The pam_cap.so module accepts the following arguments:
#
# debug - be more verbose logging things (unused by pam_cap for now)
# config=<file> - override the default config for the module with file
# keepcaps - workaround for applications that setuid without this
# autoauth - if you want pam_cap.so to always succeed for the auth phase
# default=<iab> - provide a fallback IAB value if there is no '*' rule
## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
#cap_setfcap morgan
## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
#cap_dac_override luser
## 'everyone else' gets no inheritable capabilities (restrictive config)
none *
## if there is no '*' entry, and no "default=<iab>" pam_cap.so module
## argument to fallback on, all users not explicitly mentioned will
## get all currently available inheritable capabilities. This is a
## permissive default, and possibly not what you want... On first
## reading, you might think this is a security problem waiting to
## happen, but it defaults to not being so in this sample file!
## Further, by 'get', we mean 'get in their IAB sets'. That is, if you
## look at a random process, even one run by root, you will see it has
## no IAB capabilities (by default):
##
## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
## 0000000000000000=
##
## The pam_cap module simply alters the value of the inheritable
## capability vactors (IAB). Including the 'none *' forces use of this
## module with an unspecified user to have their inheritable set
## forced to zero.
##
## Omitting the line will cause the inheritable set to be unmodified
## from what the parent process had (which is generally 0 unless the
## invoking user was bestowed with some inheritable capabilities by a
## previous invocation).
|
