Capabilities are read from the /etc/security/capability.conf config file, or alternate file specified with the config= option.
The module must not be called by a multithreaded application.
Nearly all applications/daemons which use PAM for authentication contain a configuration line: @include common-auth. Thus, to set inheritable capabilities in all of these applications, add the following as the last line to /etc/pam.d/common-auth
To set inheritable capabilities for a user in a specific application, or in application(s) which do not @include common-auth, add the line below to the application-specific file; e.g. /etc/pam.d/myapp
pam_cap was initially written by Andrew G. Morgan <email@example.com>