PAM_CAP
Section: Misc. Reference Manual Pages (8) Updated: 202-0-19
NAME
pam_cap - Capabilities PAM module
SYNOPSIS
[service-name] auth control-flag pam_cap [options]
DESCRIPTION
The pam_cap.so module can be used to specify Inheritable
capabilities for process trees rooted in the PAM application. The
module also supports blocking Bounding vector capabilities and
adding Ambient vector capabilities.
For general PAM apps to work correctly, the application must be run
with at least CAP_SETPCAP raised in its Permitted
capability flag. Many PAM applications run as root, which has
all of the bits in the Bounding set raised, so this requirement
is typically met. To grant an Ambient vector capability, the
corresponding Permitted bit must be available to the application too.
The pam_cap.so module is a Linux-PAM auth module. It
provides functionality to back pam_sm_authenticate() and
pam_sm_setcred(). It is the latter that actually modifies the
inheritable 3-tuple of capability vectors: the configured
IAB. In a typical application configuration you might have a
line like this:

    auth optional pam_cap.so

The module arguments are:

- debug: While supported, this is a no-op at present.

- config=/path/to/file: Override the default config for the
  module. The unspecified default value for this file is
  /etc/security/capability.conf. Note, config=/dev/null is
  a valid value. See default= below for situations in which this
  might be appropriate.

- keepcaps: This is as much as the pam_cap.so module can do
  to help an application support use of the Ambient capability
  vector. The application support for the Ambient set is poor at
  the present time.

- autoauth: This argument causes the pam_cap.so module to
  return PAM_SUCCESS if the PAM_USER being authenticated
  exists. The absence of this argument will cause pam_cap.so to
  only return PAM_SUCCESS if the PAM_USER is covered by a
  specific rule in the prevailing config file.

- default=IAB: This argument is ignored if the prevailing
  configuration file contains a "*" rule. If there is no such
  rule, the IAB 3-tuple is inserted at the end of the config file
  and applies to all PAM_USERs not covered by an earlier
  rule. Note, if you want all PAM_USERs to be covered by this
  default rule, you can supply the module argument
  config=/dev/null.

- defer: This argument arranges for the IAB capabilities
  granted to a user to be added sufficiently late in the Linux-PAM
  authentication stack that they stick. That is, after the
  application does its setuid(UID) call. As such, in conjunction
  with the keepcaps module argument, such compliant applications
  can support granting Ambient vector capabilities with
  pam_cap.so.

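The interaction between the config file, the autoauth argument and the default= argument is easy to get wrong when auditing a PAM stack: a "*" rule silences default=, a default= is otherwise appended after every explicit rule, and config=/dev/null makes the default the only rule. The following Python model, added here as an illustration and not part of libcap or pam_cap.so, walks through that resolution on a constructed capability.conf. It assumes (see capability.conf(5) and cap_text_formats(7)) that each config line is an IAB text string followed by a user list of names, @group entries or "*", that the first matching rule wins, and that the IAB prefixes are "!" for a Bounding block, "^" for Ambient (which implies Inheritable) and "%" or no prefix for Inheritable only. The PAM_IGNORE result for an uncovered user without autoauth is a modelling assumption.

```python
"""Model of pam_cap.so rule resolution. Added example, not libcap code.

Assumed formats: a config line is '<IAB text> <user list>'; the user
list holds user names, '@group' entries or '*'; first match wins.
IAB prefixes: '!' blocks the cap in Bounding (NB), '^' adds it to
Ambient and Inheritable, '%' (or no prefix) adds Inheritable only.
"""
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"   # assumed result when no rule covers the user


@dataclass(frozen=True)
class IAB:
    inheritable: frozenset
    ambient: frozenset
    nobound: frozenset   # capabilities removed from the Bounding set


def parse_iab(text):
    """Parse a cap_text_formats(7)-style IAB string into three sets."""
    inh, amb, nb = set(), set(), set()
    for tok in text.split(","):
        tok = tok.strip()
        if not tok or tok == "none":
            continue
        if tok.startswith("!"):
            nb.add(tok[1:])
        elif tok.startswith("^"):
            amb.add(tok[1:])
            inh.add(tok[1:])      # Ambient requires Inheritable too
        elif tok.startswith("%"):
            inh.add(tok[1:])
        else:
            inh.add(tok)
    return IAB(frozenset(inh), frozenset(amb), frozenset(nb))


def parse_config(text):
    """Return [(IAB, [who...])] in file order, skipping comments/blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        caps, *who = line.split()
        rules.append((parse_iab(caps), who))
    return rules


def with_default(rules, default):
    """Apply the default= argument: ignored if a '*' rule exists,
    otherwise appended as a final '*' rule."""
    if default is None or any("*" in who for _, who in rules):
        return rules
    return rules + [(parse_iab(default), ["*"])]


def _matches(who, user, groups):
    return any(w == "*" or w == user or (w.startswith("@") and w[1:] in groups)
               for w in who)


def resolve(rules, user, groups=()):
    """First rule covering the user wins; None if no rule covers them."""
    for iab, who in rules:
        if _matches(who, user, groups):
            return iab
    return None


def authenticate(rules, user, groups=(), user_exists=True, autoauth=False):
    """Model pam_sm_authenticate(): autoauth succeeds for any existing
    user, otherwise success requires a covering rule."""
    if autoauth and user_exists:
        return PAM_SUCCESS
    return PAM_SUCCESS if resolve(rules, user, groups) is not None else PAM_IGNORE


# Constructed sample config, not taken from any real host.
SAMPLE_CONF = """
# members of netadmins: inheritable net_raw, sys_admin blocked in Bounding
cap_net_raw,!cap_sys_admin   @netadmins
# alice: cap_chown in Ambient (and therefore Inheritable)
^cap_chown   alice
"""
RULES = parse_config(SAMPLE_CONF)

if __name__ == "__main__":
    for user, groups in (("alice", ()), ("bob", ("netadmins",)), ("carol", ())):
        print(user, resolve(with_default(RULES, "%cap_net_bind_service"), user, groups))
```

Running the script shows carol picking up the default= rule while alice and bob keep their explicit rules; swapping the config for an empty string (the config=/dev/null case) makes every user resolve to the default.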
SEE ALSO
pam.conf(5),
capability.conf(5),
cap_text_formats(7),
pam(8).