101 lines
2.1 KiB
Groff
101 lines
2.1 KiB
Groff
.\" $Revision: 1.2 $
|
|
.TH capability 4
|
|
.SH NAME
|
|
capability \- user capability database
|
|
.SH DESCRIPTION
|
|
The file
|
|
.I /etc/capability
|
|
describes the default capability set a user may have when logging onto
|
|
the system, and the maximum capability set a user may have
|
|
when logging onto the system or using the
|
|
.IR su (1M)
|
|
command. There is one entry for each user. Each entry is separated from
|
|
the next by a newline. Each field within each entry is separated by
|
|
a colon. An entry beginning with # is ignored.
|
|
.LP
|
|
The
|
|
.I capability
|
|
file contains the following information for each user:
|
|
.IP name 10
|
|
User's login name. This must exactly match the corresponding entry
|
|
in
|
|
.IR /etc/passwd .
|
|
.IP "default capability set" 10
|
|
The default capability set a user gets when logging onto the system.
|
|
This consists of a capability set in a form acceptable to
|
|
.IR cap_from_text (3C) .
|
|
.IP "maximum capability set" 10
|
|
The maximum capability set a user may specify when logging onto the system,
|
|
or when using
|
|
.IR su (1M) .
|
|
This field has the same form as the
|
|
.I default
|
|
field. This field should be a superset of the
|
|
.I default
|
|
field.
|
|
.SH EXAMPLE
|
|
.PP
|
|
Here is a sample
|
|
.I /etc/capability
|
|
file:
|
|
.PP
|
|
.Ex
|
|
.br
|
|
root:all+eip:all+eip
|
|
.br
|
|
sysadm:all=:all=
|
|
.br
|
|
cmwlogin:all+eip:all+eip
|
|
.br
|
|
diag:all=:all=
|
|
.br
|
|
daemon:all=:all=
|
|
.br
|
|
bin:all=:all=
|
|
.br
|
|
uucp:all=:all=
|
|
.br
|
|
sys:all=:all=
|
|
.br
|
|
adm:all=:all=
|
|
.br
|
|
lp:all=:all=
|
|
.br
|
|
nuucp:all=:all=
|
|
.br
|
|
auditor:CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_KILL+eip:CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_KILL+eip
|
|
.br
|
|
dbadmin:all=:all=
|
|
.br
|
|
xserver:all=:all=
|
|
.br
|
|
demos:all=:all=
|
|
.br
|
|
tutor:all=:all=
|
|
.br
|
|
guest:all=:all=
|
|
.br
|
|
jenny:all=:CAP_DAC_READ_SEARCH+eip
|
|
.br
|
|
.Ee
|
|
.PP
|
|
In this example, there are specific entries for users
|
|
.I root
|
|
and
|
|
.IR auditor ,
|
|
to assure that they have non-empty capability sets when logging in,
|
|
and that they can acquire all the capabilities they need when
|
|
necessary. There is also a specific entry for user
|
|
.IR jenny ,
|
|
who has an empty capability set by default, but can request
|
|
.B CAP_DAC_READ_SEARCH
|
|
capability when necessary
|
|
.SH FILES
|
|
/etc/capability
|
|
.SH "SEE ALSO"
|
|
cap_from_text(3C),
|
|
chcap(1),
|
|
login(1),
|
|
passwd(1),
|
|
su(1M).
|