summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStephen Hemminger <stephen.hemminger@vyatta.com>2010-05-25 10:21:03 -0700
committerStephen Hemminger <stephen.hemminger@vyatta.com>2010-06-04 14:09:56 -0700
commite902973f24c75b24576e914d44a68beaaf2aff5b (patch)
treedb6072e677d632f8f52e0134dcdfbfa58dfa6847
parent379c2618cfbc337625f809f63fd4cb22793eccf8 (diff)
downloadvyatta-cfg-system-e902973f24c75b24576e914d44a68beaaf2aff5b.tar.gz
vyatta-cfg-system-e902973f24c75b24576e914d44a68beaaf2aff5b.zip
Add pam_cap capability configuration
-rw-r--r--Makefile.am1
-rw-r--r--debian/vyatta-cfg-system.postinst.in3
-rw-r--r--sysconf/capability.conf10
3 files changed, 14 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index e57021f1..3157173c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -81,6 +81,7 @@ sysconf_DATA += sysconf/blacklist.RSA-2048
sysconf_DATA += sysconf/level
sysconf_DATA += sysconf/pam_radius.cfg
sysconf_DATA += sysconf/filecaps
+sysconf_DATA += sysconf/capability.conf
libudev_SCRIPTS = scripts/vyatta_net_name
etcudev_DATA = sysconf/vyatta-net.rules
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 7778ea87..dee13d4f 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -137,6 +137,9 @@ EOF
# Set file capabilities
sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' <$sysconfdir/filecaps \
| xargs -i sh -c "setcap {}"
+
+ # Install pam_cap config
+ cp $sysconfdir/capability.conf /etc/security/capability.conf
fi
# create needed directories
diff --git a/sysconf/capability.conf b/sysconf/capability.conf
new file mode 100644
index 00000000..0a7235f1
--- /dev/null
+++ b/sysconf/capability.conf
@@ -0,0 +1,10 @@
+# this is a capability file (used in conjunction with the pam_cap.so module)
+
+# Special capability for Vyatta admin
+all %vyattacfg
+
+# Vyatta Operator
+cap_net_admin,cap_sys_boot,cap_audit_write %vyattaop
+
+## 'everyone else' gets no inheritable capabilities
+none *