Short answer: http://www.kernel.org/pub/linux/libs/pam/pre/modules/pam_cap-0.1.tar.gz Long answer: Because of a kernel bug that got removed around 2.2.16, the above module is pretty tricky to use. Basically, you need to raise the inheritiable set of init and lower the cap_bset within the init process before init spawns any children. The bug was that a non-privileged user could suppress the privilege of a setuid-0 program it exec()ed and this led to unpredictable behavior -- a sendmail exploit was the initial attack, but there were others. If you want to use the POSIX capability implementation as nature intended, you might like to check out this kernel patch - which should work fine with the above module: http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2-fcap/ Cheers Andrew Mathew A Johnston wrote: > > I was curious if there was a capabilities module which would allow me to > set pam to give users logging in a particular set of capabilities. I read > a bit of a capabilities overview document and it looks as if this could be > done by giving the appropriate inheritable permissions to whatever process > is spawning off the users shell? (im new to this so i dont know exactly > how it'd work). > > Also would it be possible to somehow set the capability set of services > that start up? (apache, or bind, etc?) [I dont see how this fits in with > authentication, anywhere else in pam tho?] > > On an unrelated note, does anyone out there know if its possible to log > file access attempts? (open as read only, read write, delete) I would > assume that this would come in the form of a kernel patch. I was thinking > that one of the ext2 extended attributes could be set to +[some letter > denoting audit] to enable auditing of accesses on a file? (I know this > would be someting to post to linux-kernel list, but, I figured I'd suggest > it here first) > > Thanks, > Mathew Johnston > > _______________________________________________ > > Pam-list@redhat.com > https://listman.redhat.com/mailman/listinfo/pam-list
