pam_cap/capability.conf - platform/external/libcap - Git at Google

 #
 # /etc/security/capability.conf
 #
 # this is a sample capability file (to be used in conjunction with
 # the pam_cap.so module)
 #
 # In order to use this module, it must have been linked with libcap
 # and thus you'll know about Linux's capability support.
 # [If you don't know about libcap, read more about it here:
 #
 #   https://sites.google.com/site/fullycapable/
 #
 # There is a page devoted to pam_cap.so here:
 #
 #   https://sites.google.com/site/fullycapable/pam_cap-so
 #
 # .]
 #
 # Here are some sample lines (remove the preceding '#' if you want to
 # use them.
 #
 # The pam_cap.so module accepts the following arguments:
 #
 #   debug         - be more verbose logging things (unused by pam_cap for now)
 #   config=<file> - override the default config for the module with file
 #   keepcaps      - workaround for applications that setuid without this
 #   autoauth      - if you want pam_cap.so to always succeed for the auth phase
 #   default=<iab> - provide a fallback IAB value if there is no '*' rule

 ## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
 #cap_setfcap		morgan

 ## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
 #cap_dac_override	luser

 ## 'everyone else' gets no inheritable capabilities (restrictive config)
 none  *

 ## if there is no '*' entry, and no "default=<iab>" pam_cap.so module
 ## argument to fallback on, all users not explicitly mentioned will
 ## get all currently available inheritable capabilities. This is a
 ## permissive default, and possibly not what you want... On first
 ## reading, you might think this is a security problem waiting to
 ## happen, but it defaults to not being so in this sample file!
 ## Further, by 'get', we mean 'get in their IAB sets'. That is, if you
 ## look at a random process, even one run by root, you will see it has
 ## no IAB capabilities (by default):
 ##
 ##   $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
 ##   0000000000000000=
 ##
 ## The pam_cap module simply alters the value of the inheritable
 ## capability vactors (IAB). Including the 'none *' forces use of this
 ## module with an unspecified user to have their inheritable set
 ## forced to zero.
 ##
 ## Omitting the line will cause the inheritable set to be unmodified
 ## from what the parent process had (which is generally 0 unless the
 ## invoking user was bestowed with some inheritable capabilities by a
 ## previous invocation).
	#
	# /etc/security/capability.conf
	#
	# this is a sample capability file (to be used in conjunction with
	# the pam_cap.so module)
	#
	# In order to use this module, it must have been linked with libcap
	# and thus you'll know about Linux's capability support.
	# [If you don't know about libcap, read more about it here:
	#
	# https://sites.google.com/site/fullycapable/
	#
	# There is a page devoted to pam_cap.so here:
	#
	# https://sites.google.com/site/fullycapable/pam_cap-so
	#
	# .]
	#
	# Here are some sample lines (remove the preceding '#' if you want to
	# use them.
	#
	# The pam_cap.so module accepts the following arguments:
	#
	# debug - be more verbose logging things (unused by pam_cap for now)
	# config=<file> - override the default config for the module with file
	# keepcaps - workaround for applications that setuid without this
	# autoauth - if you want pam_cap.so to always succeed for the auth phase
	# default=<iab> - provide a fallback IAB value if there is no '*' rule

	## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
	#cap_setfcap morgan

	## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
	#cap_dac_override luser

	## 'everyone else' gets no inheritable capabilities (restrictive config)
	none *

	## if there is no '*' entry, and no "default=<iab>" pam_cap.so module
	## argument to fallback on, all users not explicitly mentioned will
	## get all currently available inheritable capabilities. This is a
	## permissive default, and possibly not what you want... On first
	## reading, you might think this is a security problem waiting to
	## happen, but it defaults to not being so in this sample file!
	## Further, by 'get', we mean 'get in their IAB sets'. That is, if you
	## look at a random process, even one run by root, you will see it has
	## no IAB capabilities (by default):
	##
	## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status\|awk '{print $2}')
	## 0000000000000000=
	##
	## The pam_cap module simply alters the value of the inheritable
	## capability vactors (IAB). Including the 'none *' forces use of this
	## module with an unspecified user to have their inheritable set
	## forced to zero.
	##
	## Omitting the line will cause the inheritable set to be unmodified
	## from what the parent process had (which is generally 0 unless the
	## invoking user was bestowed with some inheritable capabilities by a
	## previous invocation).