Attached are manpages for:

1) pam_cap.8
2) capability.conf.5

And, per lintian error:
3) getpcaps.1



'\" t
.\"     Title: capability.conf
.\"    Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\"      Date: 09/23/2011
.\"    Manual: Linux-PAM Manual
.\"    Source: Linux-PAM Manual
.\"  Language: English
.\"
.TH "CAPABILITY\&.CONF" "5" "09/23/2011" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
capability.conf \- configuration file for the pam_cap module
.SH "DESCRIPTION"
.PP
Each line of the file consists of two fields; the fields define:
.PP
\fB<capability-list>\fR
.sp
.RS 4
One or more comma-separated capabilities, specified as either the textual 
capability name,
or numeric capability value.  Text name(s) and numeric value(s) may be 
intermixed.
.sp
The special capability name \fBall\fR may be used to enable all capabilities 
known to the local system\&.
.sp
The special capability name \fBnone\fR may be used to disable all current 
inheritable capabilities\&.
.RE
.sp
.RS 4
\fBNOTE:\fR No whitespace is permitted between the values\&.  The names all and 
none may not be combined with any other capabilities\&.
.RE
.PP
\fB<username>\fR
.sp
.RS 4
One or more whitespace-separated usernames, or the wildcard \fB*\fR\&.
.RE
.sp
.RS 4
\fBNOTE:\fR The first matching entry is used.  Thus, only a single matching 
username entry,
and/or a single wildcard entry, may be used.  A matching username entry must 
\fIprecede\fR
the wildcard entry in order to be effective\&.
.RE
.PP
\fBIMPORTANT:\fR <capability-list> \fIreplaces\fR the current process' 
inheritable capabilities;
i.e. there is no provision for adding/subtracting from the current set.
In most environments, the inheritable set of the process performing user 
authentication
is 0 (empty)\&.
.sp
If any capability name or numeric value is invalid/unknown to the local
system, the capabilities will be rejected, and the inheritable set will 
\fBnot\fR be modified.
.SH "EXAMPLES"
.PP
These are some example lines which might be specified in
/etc/security/capability\&.conf\&.
.sp
.if n \{\
.RS 4
.\}
.nf
# Simple
cap_sys_ptrace               developer
cap_net_raw                  user1

# Multiple capabilities
cap_net_admin,cap_net_raw    jrnetadmin
# Identical, but with numeric values
12,13                        jrnetadmin

# Combining names and numerics
cap_sys_admin,22,25          jrsysadmin

# Next line has no effect; user1 already matched above
5,12,13                      user1

# Ensure any potential capabilities from calling process are dropped
none                         luser1 luser2

# Allow anyone to manipulate capabilities
# Will NOT apply to users matched above !
cap_setpcap                  *
   
.fi
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP

\fBpam_cap\fR(8),
\fBpam.d\fR(5),
\fBpam\fR(7),
\fBcapabilities\fR(7)
.SH "AUTHOR"
.PP
pam_cap was initially written by Andrew G. Morgan <morgan@kernel\&.org>
'\" t
.\"     Title: get_pcaps
.\"    Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\"      Date: 09/23/2011
.\"    Manual: Linux-PAM Manual
.\"    Source: Linux-PAM Manual
.\"  Language: English
.\"
.TH "GET_PCAPS" "1" "09/23/2011" "GET_PCAPS" "GET_PCAPS"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
get_pcaps \- List Process Capabilities
.SH "SYNOPSIS"
.HP 5
\fBget_pcaps\fR <pid> [<pid> ...]
.SH "DESCRIPTION"
.PP
\fBget_pcaps\fR
is a simple utility to display the capabilities on the queried process(es)\&.
The capabilities are displayed in the cap_from_text(3) format\&.
.SH "FILES"
.PP
None
.SH "SEE ALSO"
.PP
\fBcap_from_text\fR(3)
.SH "COPYRIGHT"
Copyright \(co 1997-8,2007 Andrew G. Morgan  <[email protected]>
.br
'\" t
.\"     Title: pam_cap
.\"    Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.75.2 <http://docbook.sf.net/>
.\"      Date: 09/23/2011
.\"    Manual: Linux-PAM Manual
.\"    Source: Linux-PAM Manual
.\"  Language: English
.\"
.TH "PAM_CAP" "8" "09/23/2011" "Linux-PAM Manual" "Linux-PAM Manual"
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
pam_cap \- PAM module to set inheritable capabilities
.SH "SYNOPSIS"
.HP \w'\fBpam_cap\&.so\fR\ 'u
\fBpam_cap\&.so\fR [config=\fI/path/to/capability.conf\fR] [debug]
.SH "DESCRIPTION"
.PP
The pam_cap PAM module sets the current process' inheritable capabilities\&.
.PP
Capabilities are read from the /etc/security/capability\&.conf
config file\&, or from an alternate file specified with the config= option\&.
.PP
The module must not be called by a multithreaded application\&.
.PP
.SH "OPTIONS"
.PP
\fBconfig=\fR\fB\fI/path/to/capability\&.conf\fR\fR
.RS 4
Indicate an alternative capability\&.conf style configuration file to override 
the default\&.
.RE
.PP
\fBdebug\fR
.RS 4
Print debug information\&.
.RE
.SH "MODULE TYPES PROVIDED"
.PP
Only the \fBauthentication\fR module type is provided\&.
.SH "RETURN VALUES"
.PP
PAM_AUTH_ERR
.RS 4
The user is not known to the system\&.
.RE
.PP
PAM_IGNORE
.RS 4
No capabilities found for this user\&.
.RE
.PP
PAM_INCOMPLETE
.RS 4
Indicates a PAM-Conversation failure\&.
.RE
.PP
PAM_SUCCESS
.RS 4
Capabilities were set\&.
.RE
.SH "FILES"
.PP
/etc/security/capability\&.conf
.RS 4
Default configuration file
.RE
.SH "EXAMPLES"
.PP
Nearly all applications/daemons which use PAM for authentication contain a
configuration line: \fI@include common-auth\fR.  Thus, to set inheritable 
capabilities
in \fBall\fR of these applications, add the following as the last line to
/etc/pam\&.d/common-auth
.PP
.RS 4
auth      optional        pam_cap.so 
.RE
.PP
To set inheritable capabilities for a user in a \fBspecific\fR application, 
or in application(s) which do not @include common-auth, 
add the line below to the application-specific file; e.g. /etc/pam\&.d/myapp
.PP
.RS 4
auth      optional        pam_cap.so 
.RE
.PP
.SH "SEE ALSO"
.PP

\fBcapability.conf\fR(5),
\fBpam.d\fR(5),
\fBpam\fR(7)\&.
.SH "AUTHORS"
.PP
pam_cap was initially written by Andrew G. Morgan <morgan@kernel\&.org>
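
The first-match and reject-on-invalid rules in capability.conf(5) can be checked offline before a file is deployed. The following is an added example, not part of the original message or of libcap/pam_cap; the partial name table, the MAX_CAP value of 40, and the function names are assumptions for illustration.

```python
# Added example (not pam_cap code); name table is partial, MAX_CAP is an assumed local maximum.
CAP_NAMES = {"cap_setpcap": 8, "cap_net_admin": 12, "cap_net_raw": 13, "cap_sys_admin": 21}
MAX_CAP = 40

def parse_caps(field):
    """Return the set a <capability-list> requests; ValueError if it is rejected."""
    if field in ("all", "none"):
        return frozenset(range(MAX_CAP + 1)) if field == "all" else frozenset()
    caps = set()
    for tok in field.split(","):
        num = int(tok) if tok.isdigit() else CAP_NAMES.get(tok, -1)
        if not 0 <= num <= MAX_CAP:  # unknown name, bad number, or all/none mixed in
            raise ValueError(f"invalid capability {tok!r}")
        caps.add(num)
    return frozenset(caps)

def entries(text):
    """Yield (line_number, capability_field, usernames) per config line."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            yield no, fields[0], fields[1:]

def resolve(text, user):
    """First match wins: (line, caps), caps None if rejected; None if no match."""
    for no, field, users in entries(text):
        if user in users or "*" in users:
            try:
                return no, parse_caps(field)
            except ValueError:
                return no, None  # inheritable set is left unmodified
    return None

def shadowed(text):
    """List (line, user) entries that an earlier name or wildcard makes dead."""
    seen, dead = set(), []
    for no, _, users in entries(text):
        dead += [(no, u) for u in users if u in seen or "*" in seen]
        seen.update(users)
    return dead

SAMPLE = """# constructed sample, modelled on the EXAMPLES section
cap_net_raw          user1
cap_net_admin,13     jrnetadmin
5,12,13              user1
cap_setpcap          *
none                 late
"""
```

For the constructed sample, `shadowed(SAMPLE)` reports line 4 for user1 and line 6 for late: a `none` entry placed after the wildcard never applies, so late still receives cap_setpcap.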
