Each line of the file consists of two fields; the fields define:
<capability-list>
The special capability name all may be used to enable all capabilities known to the local system.
The special capability name none may be used to disable all current inheritable capabilities.
<username>
IMPORTANT: <capability-list> replaces the current process' inherited capabilities; i.e. there is no provision for adding/subtracting from the current set. In most environments, the inheritable set of the process performing user authentication is 0 (empty).
If any capability name or numeric value is invalid/unknown to the local system, the capabilities will be rejected, and the inheritable set will not be modified.
These are some example lines which might be specified in /etc/security/capability.conf.
# Simple cap_sys_ptrace developer cap_net_raw user1 # Multiple capablities cap_net_admin,cap_net_raw jrnetadmin # Identical, but with numeric values 12,13 jrnetadmin # Combining names and numerics cap_sys_admin,22,25 jrsysadmin # Next line has no effect; user1 already matched above 5,12,13 user1 # Insure any potential capailities from calling process are dropped none luser1 luser2 # Allow anyone to manipulate capabilities # Will NOT apply to users matched above ! cap_setpcap *
pam_cap(8), pam.d(5), pam(7), capabilities(7)
pam_cap was initially written by Andrew G. Morgan <morgan@kernel.org>