etc-gentoo/security/capability.conf

#
# /etc/security/capability.conf
#
# this is a sample capability file (to be used in conjunction with
# the pam_cap.so module)
#
# In order to use this module, it must have been linked with libcap
# and thus you'll know about Linux's capability support.
# [If you don't know about libcap, the sources for it are here:
#
#   http://linux.kernel.org/pub/linux/libs/security/linux-privs/
#
# .]
#
# Here are some sample lines (remove the preceding '#' if you want to
# use them

## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
#cap_setfcap		morgan

## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
#cap_dac_override	luser

## 'everyone else' gets no inheritable capabilities (restrictive config)
none  *

## if there is no '*' entry, all users not explicitly mentioned will
## get all available capabilities. This is a permissive default, and
## possibly not what you want... On first reading, you might think this
## is a security problem waiting to happen, but it defaults to not being
## so in this sample file! Further, by 'get', we mean 'get in their inheritable
## set'. That is, if you look at a random process, even one run by root,
## you will see it has no inheritable capabilities (by default):
##
##   $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
##   0000000000000000=
##
## The pam_cap module simply alters the value of this capability
## set. Including the 'none *' forces use of this module with an
## unspecified user to have their inheritable set forced to zero.
##
## Omitting the line will cause the inheritable set to be unmodified
## from what the parent process had (which is generally 0 unless the
## invoking user was bestowed with some inheritable capabilities by a
## previous invocation).
saving uncommitted changes in /etc prior to emerge run 2015-02-27 00:58:55 +00:00			`#`
			`# /etc/security/capability.conf`
			`#`
			`# this is a sample capability file (to be used in conjunction with`
			`# the pam_cap.so module)`
			`#`
			`# In order to use this module, it must have been linked with libcap`
			`# and thus you'll know about Linux's capability support.`
			`# [If you don't know about libcap, the sources for it are here:`
			`#`
			`# http://linux.kernel.org/pub/linux/libs/security/linux-privs/`
			`#`
			`# .]`
			`#`
			`# Here are some sample lines (remove the preceding '#' if you want to`
			`# use them`

			`## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)`
			`#cap_setfcap morgan`

			`## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)`
			`#cap_dac_override luser`

			`## 'everyone else' gets no inheritable capabilities (restrictive config)`
			`none *`

			`## if there is no '*' entry, all users not explicitly mentioned will`
			`## get all available capabilities. This is a permissive default, and`
			`## possibly not what you want... On first reading, you might think this`
			`## is a security problem waiting to happen, but it defaults to not being`
			`## so in this sample file! Further, by 'get', we mean 'get in their inheritable`
			`## set'. That is, if you look at a random process, even one run by root,`
			`## you will see it has no inheritable capabilities (by default):`
			`##`
			`## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status\|awk '{print $2}')`
			`## 0000000000000000=`
			`##`
			`## The pam_cap module simply alters the value of this capability`
			`## set. Including the 'none *' forces use of this module with an`
			`## unspecified user to have their inheritable set forced to zero.`
			`##`
			`## Omitting the line will cause the inheritable set to be unmodified`
			`## from what the parent process had (which is generally 0 unless the`
			`## invoking user was bestowed with some inheritable capabilities by a`
			`## previous invocation).`