# # /etc/security/capability.conf # # this is a sample capability file (to be used in conjunction with # the pam_cap.so module) # # In order to use this module, it must have been linked with libcap # and thus you'll know about Linux's capability support. # [If you don't know about libcap, read more about it here: # # https://sites.google.com/site/fullycapable/ # # There is a page devoted to pam_cap.so here: # # https://sites.google.com/site/fullycapable/pam_cap-so # # .] # # Here are some sample lines (remove the preceding '#' if you want to # use them. # # The pam_cap.so module accepts the following arguments: # # debug - be more verbose logging things (unused by pam_cap for now) # config= - override the default config for the module with file # keepcaps - workaround for applications that setuid without this # autoauth - if you want pam_cap.so to always succeed for the auth phase # default= - provide a fallback IAB value if there is no '*' rule ## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!) #cap_setfcap morgan ## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!) #cap_dac_override luser ## 'everyone else' gets no inheritable capabilities (restrictive config) none * ## if there is no '*' entry, and no "default=" pam_cap.so module ## argument to fallback on, all users not explicitly mentioned will ## get all currently available inheritable capabilities. This is a ## permissive default, and possibly not what you want... On first ## reading, you might think this is a security problem waiting to ## happen, but it defaults to not being so in this sample file! ## Further, by 'get', we mean 'get in their IAB sets'. That is, if you ## look at a random process, even one run by root, you will see it has ## no IAB capabilities (by default): ## ## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}') ## 0000000000000000= ## ## The pam_cap module simply alters the value of the inheritable ## capability vactors (IAB). Including the 'none *' forces use of this ## module with an unspecified user to have their inheritable set ## forced to zero. ## ## Omitting the line will cause the inheritable set to be unmodified ## from what the parent process had (which is generally 0 unless the ## invoking user was bestowed with some inheritable capabilities by a ## previous invocation).