I have tried to use pam_cap. It works! This bug perhaps shall be closed.

First, my system has a user named 'test1'. I edited /etc/security/capability.conf:

...
cap_dac_override test1
...

Then, use 'su test1'.

zhi@debian-testing:/etc/pam.d$ su test1
Password:

After that, I check the shell process's capabilities:

$ cat /proc/$$/status
Name: sh
State: S (sleeping)
Tgid: 2466
Pid: 2466
PPid: 2458
TracerPid: 0
Uid: 1002 1002 1002 1002
Gid: 1002 1002 1002 1002
FDSize: 64
Groups: 1002
VmPeak: 4092 kB
VmSize: 4092 kB
VmLck: 0 kB
VmHWM: 608 kB
VmRSS: 608 kB
VmData: 192 kB
VmStk: 88 kB
VmExe: 100 kB
VmLib: 1636 kB
VmPTE: 32 kB
Threads: 1
SigQ: 0/3906
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000284004
SigCgt: 0000000000000002
CapInh: 0000000000000002
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
Cpus_allowed: 1
Cpus_allowed_list: 0
Mems_allowed: 00000000,00000001
Mems_allowed_list: 0
voluntary_ctxt_switches: 9
nonvoluntary_ctxt_switches: 0
$

Please notice the line:

CapInh: 0000000000000002

That's it! The capability!

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libcap2-bin depends on:
ii  libc6           2.13-4    Embedded GNU C Library: Shared lib
ii  libcap2         1:2.21-1  support for getting/setting POSIX.
ii  libpam-runtime  1.1.3-1   Runtime support for the PAM librar
ii  libpam0g        1.1.3-1   Pluggable Authentication Modules l

libcap2-bin recommends no packages.

Versions of packages libcap2-bin suggests:
ii  libcap-dev      1:2.21-1  development libraries and header f

-- debconf-show failed
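Added example (not part of the original message, and not libcap or pam_cap code): a Python sketch that decodes the Cap* masks from the status output above. It shows that CapInh 0x2 is cap_dac_override while CapPrm and CapEff are empty, so the capability only becomes permitted when the shell executes a file whose own inheritable set also contains it. The function names and the file_inheritable argument are assumptions made for illustration.

```python
import re

# Capability names by bit number, as defined in <linux/capability.h> (bits 0-40).
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon
bpf checkpoint_restore""".split()

# Cap* lines copied from the /proc/$$/status output in the message above.
STATUS = """\
CapInh: 0000000000000002
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
"""

def decode_mask(hex_mask):
    """Return the capability names for every set bit of a hex mask."""
    value = int(hex_mask, 16)
    names = []
    for bit in range(value.bit_length()):
        if value >> bit & 1:
            known = bit < len(CAP_NAMES)
            # Bits the table does not name (e.g. in an all-ones CapBnd) stay numeric.
            names.append("cap_" + CAP_NAMES[bit] if known else "bit_%d" % bit)
    return names

def parse_cap_sets(status_text):
    """Map each Cap* field of a /proc/<pid>/status dump to its capability names."""
    pattern = r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$"
    return {m.group(1): decode_mask(m.group(2))
            for m in re.finditer(pattern, status_text, re.M)}

def usable_after_exec(sets, file_inheritable):
    """Capabilities gained through the inheritable path on execve():
    P'(permitted) includes P(inheritable) & F(inheritable), per capabilities(7).
    file_inheritable is a hypothetical list of the executed file's inheritable caps."""
    return sorted(set(sets["CapInh"]) & set(file_inheritable))

if __name__ == "__main__":
    sets = parse_cap_sets(STATUS)
    for field in ("CapInh", "CapPrm", "CapEff"):
        print(field, sets[field] or "(empty)")
    print("after exec of a file with +i:", usable_after_exec(sets, ["cap_dac_override"]))
    print("after exec of a plain file:  ", usable_after_exec(sets, []))
```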

