diff options
Diffstat (limited to 'pam_cap/capability.conf')
-rw-r--r-- | pam_cap/capability.conf | 41 |
1 files changed, 28 insertions, 13 deletions
diff --git a/pam_cap/capability.conf b/pam_cap/capability.conf index 09517f8..08c01e1 100644 --- a/pam_cap/capability.conf +++ b/pam_cap/capability.conf @@ -6,14 +6,26 @@ # # In order to use this module, it must have been linked with libcap # and thus you'll know about Linux's capability support. -# [If you don't know about libcap, the sources for it are here: +# [If you don't know about libcap, read more about it here: # -# http://www.kernel.org/pub/linux/libs/security/linux-privs/ +# https://sites.google.com/site/fullycapable/ +# +# There is a page devoted to pam_cap.so here: +# +# https://sites.google.com/site/fullycapable/pam_cap-so # # .] # # Here are some sample lines (remove the preceding '#' if you want to -# use them +# use them. +# +# The pam_cap.so module accepts the following arguments: +# +# debug - be more verbose logging things (unused by pam_cap for now) +# config=<file> - override the default config for the module with file +# keepcaps - workaround for applications that setuid without this +# autoauth - if you want pam_cap.so to always succeed for the auth phase +# default=<iab> - provide a fallback IAB value if there is no '*' rule ## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!) #cap_setfcap morgan @@ -24,20 +36,23 @@ ## 'everyone else' gets no inheritable capabilities (restrictive config) none * -## if there is no '*' entry, all users not explicitly mentioned will -## get all available capabilities. This is a permissive default, and -## possibly not what you want... On first reading, you might think this -## is a security problem waiting to happen, but it defaults to not being -## so in this sample file! Further, by 'get', we mean 'get in their inheritable -## set'. That is, if you look at a random process, even one run by root, -## you will see it has no inheritable capabilities (by default): +## if there is no '*' entry, and no "default=<iab>" pam_cap.so module +## argument to fallback on, all users not explicitly mentioned will +## get all currently available inheritable capabilities. This is a +## permissive default, and possibly not what you want... On first +## reading, you might think this is a security problem waiting to +## happen, but it defaults to not being so in this sample file! +## Further, by 'get', we mean 'get in their IAB sets'. That is, if you +## look at a random process, even one run by root, you will see it has +## no IAB capabilities (by default): ## ## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}') ## 0000000000000000= ## -## The pam_cap module simply alters the value of this capability -## set. Including the 'none *' forces use of this module with an -## unspecified user to have their inheritable set forced to zero. +## The pam_cap module simply alters the value of the inheritable +## capability vactors (IAB). Including the 'none *' forces use of this +## module with an unspecified user to have their inheritable set +## forced to zero. ## ## Omitting the line will cause the inheritable set to be unmodified ## from what the parent process had (which is generally 0 unless the |