capability(4) capability(4)
capability - user capability database
The file /etc/capability describes the default capability set a user may
have when logging onto the system, and the maximum capability set a user
may have when logging onto the system or using the su(1M) command. There
is one entry for each user. Each entry is separated from the next by a
newline. Each field within each entry is separated by a colon. An entry
beginning with # is ignored.
The capability file contains the following information for each user:
name
     User's login name. This must exactly match the corresponding
     entry in /etc/passwd.

default capability set
     The default capability set a user gets when logging onto the
     system. This consists of a capability set in a form acceptable
     to cap_from_text(3C).

maximum capability set
     The maximum capability set a user may specify when logging onto
     the system, or when using su(1M). This field has the same form
     as the default field. This field should be a superset of the
     default field.
Here is a sample /etc/capability file:
root:all+eip:all+eip
sysadm:all=:all=
cmwlogin:all+eip:all+eip
diag:all=:all=
daemon:all=:all=
bin:all=:all=
uucp:all=:all=
sys:all=:all=
adm:all=:all=
lp:all=:all=
nuucp:all=:all=
auditor:CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_KILL+eip:CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_KILL+eip
dbadmin:all=:all=
xserver:all=:all=
demos:all=:all=
tutor:all=:all=
guest:all=:all=
jenny:all=:CAP_DAC_READ_SEARCH+eip
In this example, there are specific entries for users root and auditor,
to ensure that they have non-empty capability sets when logging in, and
that they can acquire all the capabilities they need when necessary.
There is also a specific entry for user jenny, who has an empty
capability set by default, but can request the CAP_DAC_READ_SEARCH
capability when necessary.
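The following lint script is an added example, not part of the original manual page or of the system's own tools. It checks the entry format described above and the rule that the maximum field should be a superset of the default field. It assumes a simplified subset of the cap_from_text(3C) syntax (a single names{=|+}flags clause, as in the sample file), and the function names and sample input are constructed for illustration.

```python
import re

ALL = "all"  # sentinel: every capability the system defines
CLAUSE = re.compile(r"^(\w+(?:,\w+)*)[=+]([eip]*)$")

def parse_capset(text):
    """Parse one clause; from an empty set '=' and '+' raise the same flags."""
    m = CLAUSE.match(text)
    if not m:
        raise ValueError("unsupported capability text %r" % text)
    names, flags = m.groups()
    names = ALL if names == "all" else frozenset(names.split(","))
    return {f: names if f in flags else frozenset() for f in "eip"}

def covers(maximum, default):
    """True if each flag's set in default is contained in the one in maximum."""
    for f in "eip":
        big, small = maximum[f], default[f]
        if big != ALL and (small == ALL or not small <= big):
            return False
    return True

def check_entry(line, passwd_names):
    """Return a problem description for one entry, or None if it is consistent."""
    fields = line.split(":")
    if len(fields) != 3:
        return "expected 3 colon-separated fields"
    name, default, maximum = fields
    if name not in passwd_names:
        return "no /etc/passwd entry for %r" % name
    try:
        ok = covers(parse_capset(maximum), parse_capset(default))
    except ValueError as exc:
        return str(exc)
    return None if ok else "maximum set is not a superset of default"

def check_capability_file(text, passwd_names):
    """Return [(line_no, problem)], ignoring entries that begin with '#'."""
    checked = ((no, check_entry(line, passwd_names))
               for no, line in enumerate(text.splitlines(), 1) if not line.startswith("#"))
    return [(no, problem) for no, problem in checked if problem]

SAMPLE = """\
# constructed sample, not a real system's file
jenny:all=:CAP_DAC_READ_SEARCH+eip
auditor:CAP_AUDIT_WRITE,CAP_KILL+eip:CAP_KILL+eip
ghost:all=:all=
guest:all+eip
"""
```

Calling check_capability_file(SAMPLE, names) with the set of login names taken from /etc/passwd returns one finding per inconsistent entry, so an empty list means the file passed every check.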
/etc/capability
cap_from_text(3C), chcap(1), login(1), passwd(1), su(1M).