From e902973f24c75b24576e914d44a68beaaf2aff5b Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Tue, 25 May 2010 10:21:03 -0700
Subject: Add pam_cap capability configuration
---
Makefile.am | 1 +
debian/vyatta-cfg-system.postinst.in | 3 +++
sysconf/capability.conf | 10 ++++++++++
3 files changed, 14 insertions(+)
create mode 100644 sysconf/capability.conf
diff --git a/Makefile.am b/Makefile.am
index e57021f1..3157173c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -81,6 +81,7 @@ sysconf_DATA += sysconf/blacklist.RSA-2048
 sysconf_DATA += sysconf/level
 sysconf_DATA += sysconf/pam_radius.cfg
 sysconf_DATA += sysconf/filecaps
+sysconf_DATA += sysconf/capability.conf
 libudev_SCRIPTS = scripts/vyatta_net_name
 etcudev_DATA = sysconf/vyatta-net.rules
diff --git a/debian/vyatta-cfg-system.postinst.in b/debian/vyatta-cfg-system.postinst.in
index 7778ea87..dee13d4f 100644
--- a/debian/vyatta-cfg-system.postinst.in
+++ b/debian/vyatta-cfg-system.postinst.in
@@ -137,6 +137,9 @@ EOF
 # Set file capabilities
 sed -r -e '/^#/d' -e '/^[[:blank:]]*$/d' <$sysconfdir/filecaps \
 | xargs -i sh -c "setcap {}"
+
+ # Install pam_cap config
+ cp $sysconfdir/capability.conf /etc/security/capability.conf
 fi
 # create needed directories
diff --git a/sysconf/capability.conf b/sysconf/capability.conf
new file mode 100644
index 00000000..0a7235f1
--- /dev/null
+++ b/sysconf/capability.conf
@@ -0,0 +1,10 @@
+# this is a capability file (used in conjunction with the pam_cap.so module)
+
+# Special capability for Vyatta admin
+all %vyattacfg
+
+# Vyatta Operator
+cap_net_admin,cap_sys_boot,cap_audit_write %vyattaop
+
+## 'everyone else' gets no inheritable capabilities
+none *
-- cgit v1.2.3
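Review bot: The new `cp $sysconfdir/capability.conf /etc/security/capability.conf` overwrites a PAM policy file unconditionally on every install and upgrade, so any local edit an administrator made to /etc/security/capability.conf is silently replaced, and the copy's exit status is not checked, so a failed copy leaves pam_cap without the intended policy while the package still configures successfully (unless the script runs under `set -e`, which is outside this hunk). Because this file decides which groups receive inheritable capabilities, it should also not inherit its mode from the source file or the current umask. Consider shipping it as a dpkg conffile (or via ucf) so local changes are preserved; at minimum replace the line with `install -o root -g root -m 0644 $sysconfdir/capability.conf /etc/security/capability.conf || exit 1`. `$sysconfdir` is left unquoted, matching the neighbouring `sed` line, so that is only an issue if the path can ever contain whitespace. The enclosing `if` block starts before the hunk.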
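Review bot: `all %vyattacfg` grants the entire inheritable capability set to every member of the vyattacfg group, and since pam_cap applies the first matching line (which is why `none *` is placed last), a user who is in both vyattacfg and vyattaop receives `all` rather than the operator subset. Inheritable capabilities only become effective through executables whose file capabilities carry them in the inheritable set, i.e. the `setcap` calls driven by sysconf/filecaps in the postinst, so the effective privilege boundary is the combination of this file and filecaps; a comment above `all %vyattacfg` should say so, e.g. `# NOTE: vyattacfg members gain every capability that any +i filecap binary exposes; keep sysconf/filecaps minimal`. The `%group` form presumably depends on a pam_cap build that supports group matching (upstream libcap of this era matched user names only, as far as I can tell), so the header comment should state that requirement, otherwise a libcap upgrade could silently reduce this policy to `none *` for everyone. This commit installs the policy but does not add pam_cap.so to any PAM stack, so the file has no effect until that is done elsewhere.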