summaryrefslogtreecommitdiff
path: root/pam_cap/capability.conf
blob: 09517f8e182b5b864c2c110a58b0cae683899fe9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
#
# /etc/security/capability.conf
#
# this is a sample capability file (to be used in conjunction with
# the pam_cap.so module)
#
# In order to use this module, it must have been linked with libcap
# and thus you'll know about Linux's capability support.
# [If you don't know about libcap, the sources for it are here:
#
#   http://www.kernel.org/pub/linux/libs/security/linux-privs/
#
# .]
#
# Here are some sample lines (remove the preceding '#' if you want to
# use them

## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
#cap_setfcap		morgan

## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
#cap_dac_override	luser

## 'everyone else' gets no inheritable capabilities (restrictive config)
none  *

## if there is no '*' entry, all users not explicitly mentioned will
## get all available capabilities. This is a permissive default, and
## possibly not what you want... On first reading, you might think this
## is a security problem waiting to happen, but it defaults to not being
## so in this sample file! Further, by 'get', we mean 'get in their inheritable
## set'. That is, if you look at a random process, even one run by root,
## you will see it has no inheritable capabilities (by default):
##
##   $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
##   0000000000000000=
##
## The pam_cap module simply alters the value of this capability
## set. Including the 'none *' forces use of this module with an
## unspecified user to have their inheritable set forced to zero.
##
## Omitting the line will cause the inheritable set to be unmodified
## from what the parent process had (which is generally 0 unless the
## invoking user was bestowed with some inheritable capabilities by a
## previous invocation).