
Re: Ambient Caps support in capabilities.conf



On Mon, 31 Jul 2017, Kees Cook wrote:

> On Mon, Jul 31, 2017 at 10:19 AM, Christopher Lameter <cl linux com> wrote:
> > I saw that Morgan added ambient capabilities support in libpcap a while
> > ago.
> >
> > Could we also have support through /etc/security/capability.conf?
> >
> > Would like to have certain users with a set of ambient caps on login so
> > that close to hardware operations can be done restricted to a certain
> > user.
>
> That'd be pretty awesome! I know systemd is providing configs for
> ambient caps for services too.

systemd works if you configure the user from systemd and then equip it
with ambient caps. But you cannot do this with sshd or some such thing
because the ambient caps are lost when the userid changes.

If ambient caps would work in pam then I could get certain users the
privileges they need to directly access hardware and networking and
scheduling syscalls.

