-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathsample-capability.conf
75 lines (62 loc) · 2.37 KB
/
sample-capability.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
###########################################################################
#
# sample capability.conf file
#
# the format is
#
# role <rolename> <cap_list>
# group <groupname> <rolename>
# user <username> <rolename>
#
# where <cap_list> conforms to cap_from_text(3) syntax with the following
# extension(s):
# 1. cap_* words without any +/-/,/= are automatically converted
# to "+i" for general convenience. This is all with which you
# should ever need concern yourself.
# 2. "cap_fs_mask" is an internally defined role that sets all
# filesystem-related capabilities. Explicitly, this expands to:
# "cap_chown cap_dac_override cap_dac_read_search
# cap_fowner cap_fsetid"
#
# matching usernames proceeds in this manner:
# 1. if uid == 0, return without modifying capabilities
# 2. if username is in the list of users (not '*') apply that role
# and return
# 3. walk the group list in order and return after FIRST group match
# of which username is a memeber
# 4. if user '*' declaration exists apply this role and return
# 5. clear all capabilities and bail.
#
# NOTES:
# 1. You should only set inheritable capabilities. effective
# and permitted will be lost upon exec(3).
# 2. CAP_SETPCAP is always automatically disabled.
#
###########################################################################
###########################################################################
# ROLES
###########################################################################
role admin all
# applications that need to bind to reserved (privileged) ports
role bindapp cap_net_bind_service cap_sys_chroot
role ntpapp bindapp \
cap_net_broadcast cap_sys_time
role poweruser cap_sys_time \
cap_sys_nice \
cap_sys_ptrace \
cap_net_admin \
cap_sys_boot
role desktopuser cap_sys_boot cap_sys_time
###########################################################################
# GROUPS
###########################################################################
# the 'wheel' group
group wheel admin
###########################################################################
# USERS
###########################################################################
# set up these accounts to bind to privileged ports
user mail bindapp
user apache bindapp
# ntp needs to be able to set the time as well
user ntp ntpapp