Ambient Caps support in capabilities.conf

Christopher Lameter cl at linux.com
Tue Aug 1 12:57:42 UTC 2017


On Mon, 31 Jul 2017, Kees Cook wrote:

> On Mon, Jul 31, 2017 at 10:19 AM, Christopher Lameter <cl at linux.com> wrote:
> > I saw that Morgan added ambient capabilities support in libpcap a while
> > ago.
> >
> > Could we also have support through /etc/security/capability.conf?
> >
> > Would like to have certain users with a set of ambient caps on login so
> > that close to hardware operations can be done restricted to a certain
> > user.
>
> That'd be pretty awesome! I know systemd is providing configs for
> ambient caps for services too.

systemd works if you configure the user from systemd and then equip it
with ambient caps. But you cannot do this with sshd or some such thing
because the ambient caps are lost when the userid changes.

If ambient caps worked in PAM then I could get certain users the
privileges they need to directly access hardware and networking and
scheduling syscalls.
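The behaviour described in the message above (ambient caps vanishing on the UID change that sshd performs after PAM has run, while a process that does the UID change itself can keep them) can be seen directly with prctl(2). The following is an added example, not code from the thread, from libcap or from systemd. It uses CAP_NET_RAW as the stand-in for a "hardware/networking" capability and 65534 as a constructed target UID (pass another UID as argv[1]); the root-only demonstration lives in main(), while cap_in_status_line() and ambient_is_set() work unprivileged and are what a practitioner would use to verify what a login session actually ended up with.

```c
/* ambient_demo.c: added example for the PAM thread, not from libcap or systemd.
 * Shows that the kernel clears the ambient set on a root->non-root UID change,
 * and the order of operations (keep permitted, change UID, then raise ambient)
 * that a process performing its own UID change can use to keep a capability.
 * Build: cc -o ambient_demo ambient_demo.c ; run the demo part as root. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>

#ifndef PR_CAP_AMBIENT            /* fallbacks for pre-4.3 userspace headers */
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#endif

/* Parse one "CapXxx:\t<hex mask>" line as printed in /proc/<pid>/status and
 * report whether capability number `cap` is set in it: 1/0, or -1 if the line
 * is malformed. Needs no privilege, so it is the part a test can exercise. */
int cap_in_status_line(const char *line, int cap)
{
    const char *colon = strchr(line, ':');
    if (!colon || cap < 0 || cap > 63) return -1;
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(colon + 1, &end, 16); /* skips the tab */
    if (errno || end == colon + 1) return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Ask the kernel whether `cap` is in the calling thread's ambient set (1/0, -1 on error). */
int ambient_is_set(int cap)
{
    return (int)prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, (unsigned long)cap, 0UL, 0UL);
}

/* An ambient raise requires the cap in both permitted and inheritable; root's
 * inheritable set is normally empty, so add the bit with raw capget/capset. */
static int add_inheritable(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) < 0) return -1;
    data[cap / 32].inheritable |= 1u << (cap % 32);
    return (int)syscall(SYS_capset, &hdr, data);
}

int main(int argc, char **argv)
{
    uid_t target = argc > 1 ? (uid_t)atoi(argv[1]) : 65534; /* constructed default */
    if (geteuid() != 0) {
        fprintf(stderr, "run as root: the demo must start from UID 0 like sshd does\n");
        return 1;
    }

    /* 1. The PAM-before-setuid order: raise ambient while still root, then
     *    drop to the user. The root->non-root transition clears the ambient
     *    set unconditionally, so the child prints 0. */
    if (add_inheritable(CAP_NET_RAW) < 0 ||
        prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)CAP_NET_RAW, 0UL, 0UL) < 0) {
        perror("raise as root");
        return 1;
    }
    printf("as root, CAP_NET_RAW ambient: %d\n", ambient_is_set(CAP_NET_RAW));
    pid_t child = fork();
    if (child == 0) {
        if (setresuid(target, target, target) < 0) { perror("setresuid"); _exit(1); }
        printf("after setresuid without keepcaps, ambient: %d\n", ambient_is_set(CAP_NET_RAW));
        _exit(0);
    }
    waitpid(child, NULL, 0);

    /* 2. The order that works when the same process does the UID change:
     *    keep the permitted set across setresuid, change UID, then raise into
     *    ambient as the target user (inheritable is untouched by UID changes). */
    if (prctl(PR_SET_KEEPCAPS, 1UL, 0UL, 0UL, 0UL) < 0) { perror("keepcaps"); return 1; }
    if (setresuid(target, target, target) < 0) { perror("setresuid"); return 1; }
    printf("after setresuid with keepcaps, before re-raise: %d\n", ambient_is_set(CAP_NET_RAW));
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)CAP_NET_RAW, 0UL, 0UL) < 0) {
        perror("re-raise as target user");
        return 1;
    }
    printf("re-raised as uid %u, ambient: %d\n", (unsigned)getuid(), ambient_is_set(CAP_NET_RAW));

    /* Ambient caps survive execve of a plain (non-setuid, no file caps) binary:
     * the exec'd grep shows CapAmb with bit 13 (0x2000) set. */
    execlp("grep", "grep", "CapAmb", "/proc/self/status", (char *)NULL);
    perror("execlp");
    return 1;
}
```

The second half is the part a PAM module cannot do on its own: pam_setcred runs while sshd is still root, and the setresuid that follows wipes the ambient set, which is why the request in the message is for support in the login path rather than in a standalone module.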




More information about the Pam-list mailing list