#
# /etc/security/capability.conf
#
# this is a sample capability file (to be used in conjunction with
# the pam_cap.so module)
#
# In order to use this module, it must have been linked with libcap
# and thus you'll know about Linux's capability support.
# [If you don't know about libcap, the sources for it are here:
#
#   http://www.kernel.org/pub/linux/libs/security/linux-privs/
#
# .]
#
# Here are some sample lines (remove the preceding '#' if you want to
# use them)

## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
#cap_setfcap		morgan

## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
#cap_dac_override	luser

## 'everyone else' gets no inheritable capabilities (restrictive config)
none  *

## if there is no '*' entry, all users not explicitly mentioned will
## get all available capabilities. This is a permissive default, and
## possibly not what you want... On first reading, you might think this
## is a security problem waiting to happen, but it defaults to not being
## so in this sample file! Further, by 'get', we mean 'get in their inheritable
## set'. That is, if you look at a random process, even one run by root,
## you will see it has no inheritable capabilities (by default):
##
##   $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
##   0000000000000000=
##
## The pam_cap module simply alters the value of this capability
## set. Including the 'none *' line forces this module, for any user
## not explicitly listed, to set their inheritable set to zero.
##
## Omitting the line will cause the inheritable set to be unmodified
## from what the parent process had (which is generally 0 unless the
## invoking user was bestowed with some inheritable capabilities by a
## previous invocation).
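The lookup rules described in the comments above, written out as a small simulator. This is an added example, not code from libcap or pam_cap: it parses capability.conf text, applies the first rule whose user field matches (an exact user name, an `@group` name, or the `*` wildcard, which is the documented pam_cap format and an assumption here), and computes the inheritable mask a session would end up with, including the "no matching line leaves the parent's inheritable set untouched" case. It also renders the mask the way the `capsh --decode` line above does. Capability bit numbers are the kernel's fixed ABI values; the config text is constructed from the sample lines above with their leading `#` removed.

```python
# Added example (not part of libcap/pam_cap): simulate pam_cap's handling of
# /etc/security/capability.conf as described in the sample file's comments.

# Capability bit numbers from the kernel's uapi/linux/capability.h (stable ABI).
CAP_BITS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_dac_read_search": 2,
    "cap_fowner": 3, "cap_fsetid": 4, "cap_kill": 5, "cap_setgid": 6,
    "cap_setuid": 7, "cap_setpcap": 8, "cap_linux_immutable": 9,
    "cap_net_bind_service": 10, "cap_net_broadcast": 11, "cap_net_admin": 12,
    "cap_net_raw": 13, "cap_ipc_lock": 14, "cap_ipc_owner": 15,
    "cap_sys_module": 16, "cap_sys_rawio": 17, "cap_sys_chroot": 18,
    "cap_sys_ptrace": 19, "cap_sys_pacct": 20, "cap_sys_admin": 21,
    "cap_sys_boot": 22, "cap_sys_nice": 23, "cap_sys_resource": 24,
    "cap_sys_time": 25, "cap_sys_tty_config": 26, "cap_mknod": 27,
    "cap_lease": 28, "cap_audit_write": 29, "cap_audit_control": 30,
    "cap_setfcap": 31, "cap_mac_override": 32, "cap_mac_admin": 33,
    "cap_syslog": 34, "cap_wake_alarm": 35, "cap_block_suspend": 36,
    "cap_audit_read": 37,
}

# Constructed input: the sample's lines with the leading '#' removed.
SAMPLE_CONF = """\
# sample capability.conf (constructed for this example)
cap_setfcap		morgan
cap_dac_override	luser
none  *
"""


def parse_conf(text):
    """Return [(caps_field, user_field), ...], skipping blank and '#' lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed line: {raw!r}")
        rules.append((parts[0], parts[1]))
    return rules


def lookup(rules, user, groups=()):
    """First matching rule wins: exact user, @group, or the '*' wildcard.
    (Assumed first-match semantics, following pam_cap's documented format.)"""
    for caps, who in rules:
        if who == user or who == "*" or (who.startswith("@") and who[1:] in groups):
            return caps
    return None  # no rule matched: pam_cap leaves the inheritable set alone


def caps_to_mask(caps_field):
    """'none' -> empty set; otherwise a comma-separated list of cap names."""
    if caps_field == "none":
        return 0
    mask = 0
    for name in caps_field.split(","):
        mask |= 1 << CAP_BITS[name.lower()]
    return mask


def resulting_inh(rules, user, parent_inh, groups=()):
    """Inheritable mask after pam_cap runs, given the parent's inheritable mask."""
    caps = lookup(rules, user, groups)
    return parent_inh if caps is None else caps_to_mask(caps)


def decode(mask):
    """Render a mask like `capsh --decode`: 16 hex digits, '=', then cap names."""
    names = [n for n, b in CAP_BITS.items() if (mask >> b) & 1]
    return f"{mask:016x}=" + ",".join(names)


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for user in ("morgan", "luser", "nobody"):
        print(f"{user:8s} -> {decode(resulting_inh(rules, user, 0))}")
```

Running it with the restrictive `none *` line in place, an unlisted user such as `nobody` decodes to `0000000000000000=`, the same string the `capsh --decode` line above shows for init; drop the `none *` line and the same user instead keeps whatever inheritable set the parent process passed down.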