xref: /aosp_15_r20/external/libcap/pam_cap/capability.conf (revision 2810ac1b38eead2603277920c78344c84ddf3aff)
#
# /etc/security/capability.conf
#
# this is a sample capability file (to be used in conjunction with
# the pam_cap.so module)
#
# In order to use this module, it must have been linked with libcap
# and thus you'll know about Linux's capability support.
# [If you don't know about libcap, read more about it here:
#
#   https://sites.google.com/site/fullycapable/
#
# There is a page devoted to pam_cap.so here:
#
#   https://sites.google.com/site/fullycapable/pam_cap-so
#
# .]
#
# Here are some sample lines (remove the preceding '#' if you want to
# use them).
#
# The pam_cap.so module accepts the following arguments:
#
#   debug         - log more verbosely (currently unused by pam_cap)
#   config=<file> - override the module's default config file with <file>
#   keepcaps      - keep capabilities across a subsequent setuid(); a
#                   workaround for applications that change uid without
#                   arranging this themselves
#   autoauth      - make pam_cap.so always succeed in the auth phase
#   default=<iab> - provide a fallback IAB value if there is no '*' rule

## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
#cap_setfcap		morgan

## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
#cap_dac_override	luser

## 'everyone else' gets no inheritable capabilities (restrictive config)
none  *

## if there is no '*' entry, and no "default=<iab>" pam_cap.so module
## argument to fall back on, all users not explicitly mentioned will
## get all currently available inheritable capabilities. This is a
## permissive default, and possibly not what you want. On first
## reading, you might think this is a security problem waiting to
## happen, but the 'none *' line above means this sample file does
## not have it. Further, by 'get', we mean 'get in their IAB sets'.
## That is, if you look at a random process, even one run by root,
## you will see it has no inheritable capabilities (by default):
##
##   $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
##   0000000000000000=
##
## The pam_cap module simply alters the value of the inheritable
## capability vectors (IAB). Including the 'none *' line means that a
## user matched by no other rule has their inheritable set forced to
## zero.
##
## Omitting the line will cause the inheritable set to be unmodified
## from what the parent process had (which is generally 0 unless the
## invoking user was bestowed with some inheritable capabilities by a
## previous invocation).

61