46 lines
1.8 KiB
Plaintext
46 lines
1.8 KiB
Plaintext
#
|
|
# /etc/security/capability.conf
|
|
#
|
|
# this is a sample capability file (to be used in conjunction with
|
|
# the pam_cap.so module)
|
|
#
|
|
# In order to use this module, it must have been linked with libcap
|
|
# and thus you'll know about Linux's capability support.
|
|
# [If you don't know about libcap, the sources for it are here:
|
|
#
|
|
# http://www.kernel.org/pub/linux/libs/security/linux-privs/
|
|
#
|
|
# .]
|
|
#
|
|
# Here are some sample lines (remove the preceding '#' if you want to
|
|
# use them
|
|
|
|
## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
|
|
#cap_setfcap morgan
|
|
|
|
## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
|
|
#cap_dac_override luser
|
|
|
|
## 'everyone else' gets no inheritable capabilities (restrictive config)
|
|
none *
|
|
|
|
## if there is no '*' entry, all users not explicitly mentioned will
|
|
## get all available capabilities. This is a permissive default, and
|
|
## possibly not what you want... On first reading, you might think this
|
|
## is a security problem waiting to happen, but it defaults to not being
|
|
## so in this sample file! Further, by 'get', we mean 'get in their inheritable
|
|
## set'. That is, if you look at a random process, even one run by root,
|
|
## you will see it has no inheritable capabilities (by default):
|
|
##
|
|
## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
|
|
## 0000000000000000=
|
|
##
|
|
## The pam_cap module simply alters the value of this capability
|
|
## set. Including the 'none *' forces use of this module with an
|
|
## unspecified user to have their inheritable set forced to zero.
|
|
##
|
|
## Omitting the line will cause the inheritable set to be unmodified
|
|
## from what the parent process had (which is generally 0 unless the
|
|
## invoking user was bestowed with some inheritable capabilities by a
|
|
## previous invocation).
|