| # |
| # /etc/security/capability.conf |
| # |
| # this is a sample capability file (to be used in conjunction with |
| # the pam_cap.so module) |
| # |
| # In order to use this module, it must have been linked with libcap |
| # and thus you'll know about Linux's capability support. |
| # [If you don't know about libcap, the sources for it are here: |
| # |
| # http://www.kernel.org/pub/linux/libs/security/linux-privs/ |
| # |
| # .] |
| # |
| # Here are some sample lines (remove the preceding '#' if you want to |
| # use them |
| |
| ## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!) |
| #cap_setfcap morgan |
| |
| ## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!) |
| #cap_dac_override luser |
| |
| ## 'everyone else' gets no inheritable capabilities (restrictive config) |
| none * |
| |
| ## if there is no '*' entry, all users not explicitly mentioned will |
| ## get all available capabilities. This is a permissive default, and |
| ## possibly not what you want... On first reading, you might think this |
| ## is a security problem waiting to happen, but it defaults to not being |
| ## so in this sample file! Further, by 'get', we mean 'get in their inheritable |
| ## set'. That is, if you look at a random process, even one run by root, |
| ## you will see it has no inheritable capabilities (by default): |
| ## |
| ## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}') |
| ## 0000000000000000= |
| ## |
| ## The pam_cap module simply alters the value of this capability |
| ## set. Including the 'none *' forces use of this module with an |
| ## unspecified user to have their inheritable set forced to zero. |
| ## |
| ## Omitting the line will cause the inheritable set to be unmodified |
| ## from what the parent process had (which is generally 0 unless the |
| ## invoking user was bestowed with some inheritable capabilities by a |
| ## previous invocation). |