1 files changed, 45 insertions, 0 deletions

diff --git a/pam_cap/capability.conf b/pam_cap/capability.conf
new file mode 100644
index 0000000..dd93ea7
--- /dev/null
+++ b/pam_cap/capability.conf
@@ -0,0 +1,45 @@
+#
+# /etc/security/capability.conf
+#
+# this is a sample capability file (to be used in conjunction with
+# the pam_cap.so module)
+#
+# In order to use this module, it must have been linked with libcap
+# and thus you'll know about Linux's capability support.
+# [If you don't know about libcap, the sources for it are here:
+#
+#   http://linux.kernel.org/pub/linux/libs/security/linux-privs/
+#
+# .]
+#
+# Here are some sample lines (remove the preceding '#' if you want to
+# use them
+
+## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
+#cap_setfcap		morgan
+
+## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
+#cap_dac_override	luser
+
+## 'everyone else' gets no inheritable capabilities (restrictive config)
+none  *
+
+## if there is no '*' entry, all users not explicitly mentioned will
+## get all available capabilities. This is a permissive default, and
+## possibly not what you want... On first reading, you might think this
+## is a security problem waiting to happen, but it defaults to not being
+## so in this sample file! Further, by 'get', we mean 'get in their inheritable
+## set'. That is, if you look at a random process, even one run by root,
+## you will see it has no inheritable capabilities (by default):
+##
+##   $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
+##   0000000000000000=
+##
+## The pam_cap module simply alters the value of this capability
+## set. Including the 'none *' forces use of this module with an
+## unspecified user to have their inheritable set forced to zero.
+##
+## Omitting the line will cause the inheritable set to be unmodified
+## from what the parent process had (which is generally 0 unless the
+## invoking user was bestowed with some inheritable capabilities by a
+## previous invocation).