
Replacement of pam_cap.so?

asked 2017-11-30 20:43:12 -0500

q2dg

The pam_cap.so module is missing in Fedora.

Although I haven't found any notice about it, I suspect the reason could be that it is deprecated, because the documentation is pretty old and this module (which is present in the Ubuntu repositories) doesn't work there either.

Anyway, how can I restrict use of kernel capabilities to certain users, then? Thanks!


1 Answer


answered 2017-12-01 00:17:53 -0500

villykruse

It is not missing in Fedora. pam_cap.so is provided by the libcap package.

$ rpm -ql libcap
/usr/lib/libcap.so.2
/usr/lib/libcap.so.2.25
/usr/lib/security/pam_cap.so
/usr/sbin/capsh
/usr/sbin/getcap
/usr/sbin/getpcaps
/usr/sbin/setcap
/usr/share/doc/libcap
/usr/share/doc/libcap/capability.notes
/usr/share/licenses/libcap
/usr/share/licenses/libcap/License
/usr/share/man/man1/capsh.1.gz
/usr/share/man/man8/getcap.8.gz
/usr/share/man/man8/getpcaps.8.gz
/usr/share/man/man8/setcap.8.gz

Comments

Oooh, sorry! I was looking at "pam" package. Anyway, I miss its man page (man pam_cap), which I haven't been able to find. Thanks a lot!!!!

q2dg ( 2017-12-01 05:08:55 -0500 )

You will need to use the Ubuntu man page.

villykruse ( 2017-12-01 06:28:22 -0500 )

I see... /etc/security/capability.conf isn't created by default...

q2dg ( 2017-12-01 06:43:27 -0500 )

It doesn't work either. If I assign a capability to a binary (setcap cap_net_raw=ip /bin/customping), all users can enjoy it: via pam_cap I've not been able to restrict this to only a "selected" pool of privileged users.

I desist.

NOTE: I've put at the beginning of /etc/pam.d/su the line "auth required pam_cap.so" and at the beginning of /etc/security/capability.conf the line "cap_net_raw userPrivileged" and, below it, the line "none *".

q2dg ( 2017-12-01 06:50:03 -0500 )
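
The behaviour reported in the last comment follows from the execve() capability rules in capabilities(7). The following is an added example, not code from the thread or from libcap: a small Python model of those rules, evaluated for the capability.conf quoted above. It goes beyond the thread by also evaluating an inheritable-only file capability (cap_net_raw=ei); the account name otheruser and the truncated capability list are constructed, and a non-root caller with no ambient capabilities is assumed.

```python
# Added example: model of the execve() capability rules in capabilities(7).
# Assumptions: non-root caller, empty ambient set, full bounding set.
from dataclasses import dataclass

# Constructed, truncated capability universe used as the bounding set.
ALL_CAPS = frozenset({"cap_net_raw", "cap_net_admin", "cap_sys_admin"})

@dataclass(frozen=True)
class FileCaps:
    permitted: frozenset = frozenset()
    inheritable: frozenset = frozenset()
    effective: bool = False  # on files, "effective" is a single on/off bit

def parse_file_caps(text):
    """Parse one setcap clause such as 'cap_net_raw=ip' ('+' treated like '=')."""
    sep = "=" if "=" in text else "+"
    names, _, flags = text.partition(sep)
    caps = frozenset(n.strip() for n in names.split(",") if n.strip())
    if not caps or not flags or set(flags) - set("eip"):
        raise ValueError("expected NAMES=FLAGS with flags from e, i, p: %r" % text)
    return FileCaps(
        permitted=caps if "p" in flags else frozenset(),
        inheritable=caps if "i" in flags else frozenset(),
        effective="e" in flags,
    )

def caps_after_exec(proc_inheritable, fcaps, bounding=ALL_CAPS):
    """Return the (permitted, effective) sets of the program after execve()."""
    permitted = (proc_inheritable & fcaps.inheritable) | (fcaps.permitted & bounding)
    effective = permitted if fcaps.effective else frozenset()
    return permitted, effective

# Inheritable sets pam_cap would assign from the capability.conf in the thread:
#   cap_net_raw userPrivileged
#   none *
PAM_INHERITABLE = {
    "userPrivileged": frozenset({"cap_net_raw"}),
    "otheruser": frozenset(),  # hypothetical account matched by "none *"
}

def users_granted(cap, setcap_clause):
    """List users whose process holds `cap` as permitted after running the file."""
    fcaps = parse_file_caps(setcap_clause)
    return sorted(user for user, inh in PAM_INHERITABLE.items()
                  if cap in caps_after_exec(inh, fcaps)[0])

if __name__ == "__main__":
    for clause in ("cap_net_raw=ip", "cap_net_raw=ei"):
        print(clause, "->", users_granted("cap_net_raw", clause))
```

With `=ip` the file's permitted bit grants cap_net_raw to every caller regardless of what pam_cap assigned. With only the inheritable and effective bits set on the file, the capability reaches the program only for users whose inheritable set pam_cap populated.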

Stats

Asked: 2017-11-30 20:43:12 -0500

Seen: 112 times

Last updated: Dec 01 '17