Re: Ambient Caps support in capabilities.conf



On Mon, 31 Jul 2017, Kees Cook wrote:

> On Mon, Jul 31, 2017 at 10:19 AM, Christopher Lameter <cl@xxxxxxxxx> wrote:
> > I saw that Morgan added ambient capabilities support in libpcap a while
> > ago.
> >
> > Could we also have support through /etc/security/capability.conf?
> >
> > Would like to have certain users with a set of ambient caps on login so
> > that close to hardware operations can be done restricted to a certain
> > user.
>
> That'd be pretty awesome! I know systemd is providing configs for
> ambient caps for services too.

systemd works if you configure the user from systemd and then equip it
with ambient caps. But you cannot do this with sshd or some such thing
because the ambient caps are lost when the userid changes.

If ambient caps would work in pam then I could get certain users the
privileges they need to directly access hardware and networking and
scheduling syscalls.

Pam-list mailing list
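
The ordering problem described in the message above, as an added example that is not part of the original thread or of any PAM or libcap code: a simplified C model of the capabilities(7) rules for a UID change away from 0 and for execve() of a plain binary. It makes no system calls; the struct, the function names and UID 1000 are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified model of the rules in capabilities(7); it makes no system calls. */
#define CAP_NET_RAW_BIT (1ULL << 13)   /* CAP_NET_RAW is capability 13 */
struct creds {               /* hypothetical type for this example */
    unsigned uid;            /* real, effective and saved UID, kept equal */
    bool keep_caps;          /* PR_SET_KEEPCAPS / SECBIT_KEEP_CAPS */
    uint64_t permitted, inheritable, effective, ambient;
};

/* All UIDs go from 0 to nonzero: ambient is cleared even with keep_caps. */
static void model_setuid(struct creds *c, unsigned uid) {
    if (c->uid == 0 && uid != 0) {
        if (!c->keep_caps) c->permitted = 0;
        c->effective = 0;
        c->ambient = 0;
    }
    c->uid = uid;
}

/* PR_CAP_AMBIENT_RAISE: refused unless caps are permitted and inheritable. */
static bool model_ambient_raise(struct creds *c, uint64_t caps) {
    if ((c->permitted & c->inheritable & caps) != caps) return false;
    c->ambient |= caps;
    return true;
}

/* execve() by a non-root user of a file with no setuid bit or file caps. */
static void model_exec_plain(struct creds *c) {
    c->permitted = c->effective = c->ambient;
    c->keep_caps = false;
}

/* Effective set of the user's shell; reraise selects the second ordering. */
uint64_t shell_caps(uint64_t want, bool reraise) {
    struct creds c = { .uid = 0, .keep_caps = reraise, .permitted = ~0ULL,
                       .inheritable = want, .effective = ~0ULL };  /* root helper */
    if (!reraise) model_ambient_raise(&c, want);   /* raised before the UID change */
    model_setuid(&c, 1000);                        /* constructed UID */
    if (reraise) model_ambient_raise(&c, want);    /* raised after the UID change */
    model_exec_plain(&c);
    return c.effective;
}

int main(void) {
    printf("raise then setuid: %#llx\n", (unsigned long long)shell_caps(CAP_NET_RAW_BIT, false));
    printf("setuid then raise: %#llx\n", (unsigned long long)shell_caps(CAP_NET_RAW_BIT, true));
    return 0;
}
```

In the model, only the ordering that keeps the permitted set across the UID change and raises the ambient set afterwards leaves the capability in the shell.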
