cado.conf - Capability Ambient DO: configuration file

The /etc/cado.conf file is used to configure which ambient cabalities can be provided by cado to users. cado uses the capability cap_dac_read_search to access /etc/cado.conf, so this configuration does not need to be readable by users. All lines beginning with the sign '#' are comments. Non-comment lines have the following syntax list_of_capabilities:list_of_users_and_groups or list_of_capabilities:list_of_users_and_groups:list_of_auth_commands Both list_of_capabilities and list_of_users_and_groups are comma separated lists of identifiers. Items of list_of_capabilities are capability names or capability masks (exadecimal numbers). For brevity, the cap_ prefix of capability names can be omitted (e.g. net_admin and cap_net_admin have the same meaning). Items of list_of_users_and_groups are usernames or groupnames (groupnames must be prefexed by '@'). list_of_auth_commands is a command or a list of commands separated by semicolon (;). If present, cado runs all the sequence of commands it grants the capabilities as defined in the current line only if all return zero as their exit status. Example of cado.conf file: # Capability Ambient DO configuration file # cado.conf net_admin: @netadmin,renzo: /usr/bin/logger cado net_admin $USER; /bin/echo OK net_admin: @privatenet: /usr/local/lib/cado_autorize_privatenet net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex cap_kill: renzo In this example the renzo's processes can be granted (by cado) cap_net_admin and cap_kill. cap_net_admin can be acquired by processes owned by users belonging to the netadmin group. Users in vxvdex can provide their processes with a subset of cap_net_admin, cap_net_bind_service, cap_net_raw and cap_net_broadcast

cado.conf - Capability Ambient DO: configuration file

cado(1), caprint(1), capabilities(7) VirtualSquare Labs June 23, 2016 CADO.CONF(5)