capabilities module


I was curious if there was a capabilities module which would allow me to
set PAM to give users logging in a particular set of capabilities. I read
a bit of a capabilities overview document and it looks as if this could be
done by giving the appropriate inheritable permissions to whatever process
is spawning off the user's shell? (I'm new to this so I don't know exactly
how it'd work).

Also, would it be possible to somehow set the capability set of services
that start up? (apache, or bind, etc?) [I don't see how this fits in with
authentication, anywhere else in PAM tho?]

On an unrelated note, does anyone out there know if it's possible to log
file access attempts? (open as read only, read write, delete) I would
assume that this would come in the form of a kernel patch. I was thinking
that one of the ext2 extended attributes could be set to +[some letter
denoting audit] to enable auditing of accesses on a file? (I know this
would be something to post to linux-kernel list, but I figured I'd suggest
it here first)

Thanks,
Mathew Johnston





