− configuration file for the pam_cap module
Each line of the file consists of two fields; the fields define:
One or more comma-separated capabilities, specified as either the textual capability name, or numeric capability value. Text name(s) and numeric value(s) may be intermixed.
The special capability name all may be used to enable all capabilities known to the local system.
The special capability name none may be used to disable all current inheritable capabilities.
No whitespace is permitted between the values. The names all and none may not be combined with any other capabilities.
One or more whitespace-separated usernames, or the wildcard *.
The first matching entry is used. Thus, only a single matching username entry, and/or a single wildcard entry, may be used. A matching username entry must precede the wildcard entry in order to be effective.
<capability-list> replaces the current process' inherited capabilities; i.e. there is no provision for adding/subtracting from the current set. In most environments, the inheritable set of the process performing user authentication is 0 (empty).
If any capability name or numeric value is invalid/unknown to the local system, the capabilities will be rejected, and the inheritable set will not be modified.
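The first-match rule and the all/none restriction can be checked before a file is deployed. The linter below is an added example, not part of pam_cap or of the original page; it assumes fields are split on whitespace, that * is the wildcard token, and that lines starting with # are comments, and its SAMPLE input is constructed.

```python
# Constructed sample input: user names and capability choices are illustrative only.
SAMPLE = """\
# constructed sample
cap_net_raw,13 user1
cap_sys_ptrace user1
all,cap_net_raw user2
cap_net_raw, cap_sys_ptrace user3
none luser1 luser2
cap_setpcap *
cap_net_admin user4
"""

def lint(text):
    """Return (first_match, warnings) for capability.conf text.

    first_match maps each user (or '*') to the capability list of the first
    entry naming it; None means that entry's list would be rejected.
    """
    first_match, warnings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        # Assumption: lines whose first token starts with '#' are comments.
        if not fields or fields[0].startswith("#"):
            continue
        caps, users = fields[0].split(","), fields[1:]
        if "" in caps:  # a space after a comma ends the first field early
            warnings.append((n, "empty value in capability list"))
            continue    # the field split is unreliable, so record nothing
        value = fields[0]
        if len(caps) > 1 and {"all", "none"} & set(caps):
            warnings.append((n, "all/none combined with other capabilities"))
            value = None  # assumption: treated like an invalid list
        if not users:
            warnings.append((n, "missing users field"))
        for user in users:
            if user in first_match:
                warnings.append((n, f"{user}: no effect, already matched above"))
            elif "*" in first_match:
                warnings.append((n, f"{user}: no effect, follows the wildcard"))
            else:
                first_match[user] = value
    return first_match, warnings

def lookup(user, first_match):
    """Capability list that replaces the user's inheritable set, or None."""
    return first_match.get(user, first_match.get("*"))

if __name__ == "__main__":
    table, problems = lint(SAMPLE)
    for n, msg in problems:
        print(f"line {n}: {msg}")
```

Because the capability list replaces the inheritable set rather than adding to it, a shadowed entry silently grants nothing, which is why the linter reports it instead of merging the lists.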
These are some example lines which might be specified in
# Identical, but with numeric values
names and numerics
# Next line has no effect; user1 already matched above
# Ensure any potential capabilities from calling process are dropped
none luser1 luser2
# Allow anyone to manipulate capabilities
# Will NOT apply to users matched above !
pam.d(5), pam(7), capabilities(7)
initially written by Andrew G. Morgan