.TH capability.conf 5 "March 2002" " " "Role-Based Access"
.SH NAME
.B capability.conf
\- define capability roles and assign them to users and groups
.SH SYNOPSIS
.B /etc/security/capability.conf
.PP
.SH DESCRIPTION
The \fBcapability.conf\fP file provides information about the roles that
can be defined and assigned to users and groups. The file has three types of
entries: Roles, Users and Groups.
.PP
.SS Roles
.PP
A role is a defined set of valid Linux capabilities. The current set of all
valid Linux capabilities can be found in the
\fI/usr/include/linux/capability.h\fR kernel header file or by using the
\fB_cap_names[]\fR string array. This array is described in the
\fBcap_from_text\fR(3) man page. Additionally, the following capability
keywords are pre-defined for convenience:
.PP
.nf
.ft CW
all : all capabilities (except cap_setpcap)
cap_fs_mask : all filesystem-related capabilities
none : no capabilities whatsoever
.fi
.ft 1
.PP
As the name implies, it is expected that different roles will be defined,
based on the duties that various system users and groups need to perform.
.PP
The format of a role entry in the \fBcapability.conf\fR file is:
.PP
.nf
.ft CW
role <rolename> <capability_list>
.fi
.ft 1
.PP
Entries in the capability list can reference previously defined roles. For
example, you can define a role called \fIbasic\fR in the file and then add
this role as one of the capabilities in the capability list of a
subsequent role. Note that the capability list is a whitespace- or
comma-separated list of capabilities that will be turned on in the user's
inheritable set. A capability in the inheritable set is not usable by
itself: across \fBexecve\fR(2) it becomes permitted only in a program whose
file inheritable set also contains it (see \fBcapabilities\fR(7)).
.PP
.SS Users
.PP
A user is a standard Linux user login name that corresponds to a valid user
with a login on the current system. User entries that do not correspond
to valid users on the current system (verified by \fBgetpwnam\fR(3)) are
ignored.
.PP
The format of a user entry in the \fBcapability.conf\fR file is:
.PP
.nf
.ft CW
user <username> <rolename>
.fi
.ft 1
.PP
The special username '*' can be used to assign a default role to users
that match no listed user and belong to no listed group:
.PP
.nf
.ft CW
user * <default_rolename>
.fi
.ft 1
.PP
.SS Groups
.PP
A group is a standard Linux group name that corresponds to a valid group
defined on the current system. Group entries that do not correspond to
valid groups on the current system (verified by \fBgetgrnam\fR(3)) are
ignored.
.PP
The format of a group entry in the \fBcapability.conf\fR file is:
.PP
.nf
.ft CW
group <groupname> <rolename>
.fi
.ft 1
.SH EXAMPLES
.PP
The following example sets up an administrative role that is roughly
equivalent to root:
.PP
.ft CW
.nf
role admin all
.ft 1
.fi
.PP
The following example sets up a desktop user role that adds sys_boot and
sys_time to the inheritable capability set:
.PP
.ft CW
.nf
role desktopuser cap_sys_boot \\
cap_sys_time
.ft 1
.fi
.PP
The following example sets up a poweruser user role, using the desktopuser
role created previously:
.PP
.ft CW
.nf
role poweruser desktopuser \\
cap_sys_ptrace \\
cap_sys_nice \\
cap_net_admin
.ft 1
.fi
.PP
To assign the desktopuser role to a user, add the following user entry to
the \fBcapability.conf\fR file:
.PP
.ft CW
.nf
user joe desktopuser
.ft 1
.fi
.PP
To assign the poweruser role to a group, add the following group entry to
the \fBcapability.conf\fR file:
.PP
.ft CW
.nf
group hackers poweruser
.ft 1
.fi
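.PP
The following Python parser and resolver is an added worked example; it is
not part of the pam_capability module or of this manual page. It reads a
file in the format described above, expands \fIall\fR, \fIcap_fs_mask\fR,
\fInone\fR and references to previously defined roles, drops user and group
entries that the supplied lookups reject (the lookups stand in for
\fBgetpwnam\fR(3) and \fBgetgrnam\fR(3)), and reports the role and the
inheritable capability set each login would receive. The capability table,
the expansion of \fIcap_fs_mask\fR, the '#' comment syntax, the precedence
of a user entry over a group entry, and the sample directory are
assumptions of the example, not statements of this page.
.PP

```python
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Assumption: illustrative subset of <linux/capability.h>; a real tool reads the header.
KNOWN_CAPS = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_mknod", "cap_net_admin", "cap_setpcap", "cap_sys_admin",
    "cap_sys_boot", "cap_sys_nice", "cap_sys_ptrace", "cap_sys_time",
}
# Assumption: cap_fs_mask expands to the members of the kernel's CAP_FS_MASK.
FS_MASK = {"cap_chown", "cap_mknod", "cap_dac_override",
           "cap_dac_read_search", "cap_fowner", "cap_fsetid"}
KEYWORDS = {"all": KNOWN_CAPS - {"cap_setpcap"}, "cap_fs_mask": FS_MASK, "none": set()}
Config = Tuple[Dict[str, Set[str]], Dict[str, str], Dict[str, str]]


class ConfigError(ValueError):
    """A malformed entry, or a reference to an unknown capability or role."""


def _logical_lines(text: str) -> Iterable[str]:
    """Join backslash-continued lines; skip blanks and '#' comments (assumed)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""


def _expand(token: str, roles: Dict[str, Set[str]]) -> Set[str]:
    """One capability-list token -> the capability names it stands for."""
    if token in KEYWORDS:
        return set(KEYWORDS[token])
    if token in roles:                          # a previously defined role
        return set(roles[token])
    if token in KNOWN_CAPS:
        return {token}
    raise ConfigError(f"unknown capability or role {token!r}")


def parse(text: str, user_exists: Callable[[str], bool],
          group_exists: Callable[[str], bool]) -> Config:
    """(roles, users, groups); the predicates stand in for getpwnam(3)/getgrnam(3)."""
    roles, users, groups = {}, {}, {}
    for line in _logical_lines(text):
        fields = line.replace(",", " ").split()   # whitespace- or comma-separated
        if len(fields) < 3:
            raise ConfigError(f"incomplete entry: {line!r}")
        kind, name, rest = fields[0], fields[1], fields[2:]
        if kind == "role":
            roles[name] = set().union(*(_expand(t.lower(), roles) for t in rest))
        elif kind == "user" and (name == "*" or user_exists(name)):
            users[name] = rest[0]                 # unknown users are dropped, not errors
        elif kind == "group" and group_exists(name):
            groups[name] = rest[0]                # unknown groups likewise
        elif kind not in ("user", "group"):
            raise ConfigError(f"unknown entry type {kind!r}")
    for name, role in list(users.items()) + list(groups.items()):
        if role not in roles:
            raise ConfigError(f"{name!r} is assigned undefined role {role!r}")
    return roles, users, groups


def resolve(login: str, cfg: Config,
            member_of: Callable[[str], Iterable[str]]) -> Tuple[Optional[str], Set[str]]:
    """(role, inheritable set); assumed precedence: user entry, group entry, then '*'."""
    roles, users, groups = cfg
    role = users.get(login)
    if role is None:
        role = next((groups[g] for g in member_of(login) if g in groups), users.get("*"))
    return role, (set(roles[role]) if role is not None else set())


# Constructed sample: the page's EXAMPLES plus a 'basic' default role, a '*'
# entry and an entry for a login ('ghost') that is not in the constructed
# directory below (login -> group names), which stands in for passwd/group.
SAMPLE_CONF = r"""
role basic none
role admin all
role desktopuser cap_sys_boot \
                 cap_sys_time
role poweruser desktopuser \
               cap_sys_ptrace, cap_sys_nice, cap_net_admin
user joe desktopuser
user ghost admin
user * basic
group hackers poweruser
"""
SAMPLE_DIRECTORY = {"joe": ["users"], "alice": ["users", "hackers"], "bob": ["users"]}
SAMPLE_GROUPS = {"users", "hackers"}


def demo() -> Dict[str, Tuple[Optional[str], Set[str]]]:
    """Role and inheritable set for every login in the constructed directory."""
    cfg = parse(SAMPLE_CONF, SAMPLE_DIRECTORY.__contains__, SAMPLE_GROUPS.__contains__)
    return {u: resolve(u, cfg, SAMPLE_DIRECTORY.__getitem__) for u in SAMPLE_DIRECTORY}
```

.PP
With the constructed sample, demo() reports joe as desktopuser
(cap_sys_boot and cap_sys_time), alice as poweruser through the hackers
group (the desktopuser capabilities plus cap_sys_ptrace, cap_sys_nice and
cap_net_admin), bob as the '*' default basic with an empty set, and the
entry for ghost is dropped because the directory lookup rejects it. A role
that references a role defined later in the file, or a user or group entry
naming a role that is never defined, raises ConfigError. Against a real
system, pass predicates that call pwd.getpwnam and grp.getgrnam (catching
KeyError) and a member_of that consults grp.getgrall().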
.SH SEE ALSO
\fBcapget\fR(2), \fBcapset\fR(2), \fBcap_set_proc\fR(3), \fBcap_get_proc\fR(3),
\fBcapgetp\fR(3), \fBcapsetp\fR(3), \fBpam_capability\fR(8),
\fIftp://ftp.guardian.no/pub/free/linux/capabilities\fR.
.SH COPYRIGHT
Copyright (C) 2002 Erik M. A. Kline
.br
The pam_capability module source code is licensed under the GNU GPL Version 2.
.SH AUTHOR
The pam_capability module was developed by Erik M. A. Kline
<[email protected]>. This man page was written by Joe Ansell