PAM_CAP(8) System Manager's Manual PAM_CAP(8)
NAME
pam_cap - Capabilities PAM module
SYNOPSIS
[service-name] auth control-flag pam_cap [options]
DESCRIPTION
The pam_cap.so module can be used to specify Inheritable capabilities to
process trees rooted in the PAM application. The module also supports
blocking Bounding vector capabilities and adding Ambient vector
capabilities.
For general PAM applications to work correctly, the application must be run
with at least CAP_SETPCAP raised in its Permitted capability flag. Many PAM
applications run as root, which has all of the bits in the Bounding set
raised, so this requirement is typically met. To grant an Ambient vector
capability, the corresponding Permitted bit must be available to the
application too.
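The prerequisite above is easy to verify before debugging a pam_cap.so
deployment: read the CapPrm (Permitted) and CapBnd (Bounding) masks of the
PAM application's process and test the CAP_SETPCAP bit. The following script
is an added example, not part of the pam_cap manual or of libcap; it assumes
the /proc/<pid>/status format of Linux and that CAP_SETPCAP is capability
number 8, as defined in <linux/capability.h>.

```shell
#!/bin/sh
# Added example: check that a process's Permitted and Bounding capability
# sets include CAP_SETPCAP, the minimum pam_cap.so needs to act at all.
# CAP_SETPCAP is bit 8 (value from <linux/capability.h>).
CAP_SETPCAP=8

# cap_field FILE NAME: print the hex mask that follows "NAME:" in a
# /proc/<pid>/status file, e.g. the line "CapPrm:<TAB>0000003fffffffff".
cap_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$1"
}

# mask_has_cap MASK BIT: return 0 if bit BIT is set in the hex MASK, else 1.
mask_has_cap() {
    [ -n "$1" ] || return 1
    [ "$(( 0x$1 >> $2 & 1 ))" -eq 1 ]
}

# check_setpcap FILE: report whether CAP_SETPCAP is present in both the
# Permitted and Bounding sets recorded in FILE. Returns 0 only if both hold;
# a missing Permitted bit means pam_cap.so cannot raise anything, and a
# cleared Bounding bit means the process cannot reacquire it either.
check_setpcap() {
    prm=$(cap_field "$1" CapPrm)
    bnd=$(cap_field "$1" CapBnd)
    rc=0
    if mask_has_cap "$prm" "$CAP_SETPCAP"; then
        echo "CapPrm $prm: CAP_SETPCAP present"
    else
        echo "CapPrm $prm: CAP_SETPCAP missing (pam_cap.so cannot grant capabilities)"
        rc=1
    fi
    if mask_has_cap "$bnd" "$CAP_SETPCAP"; then
        echo "CapBnd $bnd: CAP_SETPCAP present"
    else
        echo "CapBnd $bnd: CAP_SETPCAP missing from the Bounding set"
        rc=1
    fi
    return $rc
}

# Usage: ./check_setpcap.sh /proc/<pid-of-pam-application>/status
if [ "$#" -gt 0 ]; then
    check_setpcap "$1"
fi
```

Point the script at the status file of the running PAM application (the
process that will call pam_sm_setcred()), not at an unrelated shell: the
Bounding set is inherited but the Permitted set depends on how that specific
process was started.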
The pam_cap.so module is a Linux-PAM auth module. It provides functionality
to back pam_sm_authenticate() and pam_sm_setcred(). It is the latter
that actually modifies the inheritable 3-tuple of capability vectors:
the configured IAB. In a typical application configuration you might
have a line like this:
auth optional pam_cap.so
The module arguments are:
○ debug: While supported, this is a no-op at present.
○ config=/path/to/file: Override the default config for the module.
  When this argument is not given, the file defaults to
  /etc/security/capability.conf. Note, config=/dev/null is a valid
  value. See default= below for situations in which this might be
  appropriate.
○ keepcaps: This is as much as the pam_cap.so module can do to help an
  application support use of the Ambient capability vector. The
  application support for the Ambient set is poor at the present time.
○ autoauth: This argument causes the pam_cap.so module to return
  PAM_SUCCESS if the PAM_USER being authenticated exists. The absence
  of this argument will cause pam_cap.so to only return PAM_SUCCESS if
  the PAM_USER is covered by a specific rule in the prevailing config
  file.
○ default=IAB: This argument is ignored if the prevailing configuration
  file contains a "*" rule. If there is no such rule, the IAB 3-tuple
  is inserted at the end of the config file and applies to all
  PAM_USERs not covered by an earlier rule. Note, if you want all
  PAM_USERs to be covered by this default rule, you can supply the
  module argument config=/dev/null.
○ defer: This argument arranges for the IAB capabilities granted to a
  user to be added sufficiently late in the Linux-PAM authentication
  stack that they stick. That is, after the application does its
  setuid(UID) call. As such, in conjunction with the keepcaps module
  argument, such compliant applications can support granting Ambient
  vector capabilities with pam_cap.so.
SEE ALSO
pam.conf(5), capability.conf(5), pam(8).
April 2024 PAM_CAP(8)