CADO.CONF(5) | File Formats Manual | CADO.CONF(5) |
NAME
cado.conf - Capability Ambient DO: configuration file
DESCRIPTION
The /etc/cado.conf file is used to configure which ambient capabilities can be provided by cado to users. cado uses the capability cap_dac_read_search to access /etc/cado.conf, so this configuration file does not need to be readable by users.
All lines beginning with the sign '#' are comments.
Non-comment lines have the following syntax
    list_of_capabilities: list_of_users_and_groups
or
    list_of_capabilities: list_of_users_and_groups: list_of_auth_commands
Both list_of_capabilities and list_of_users_and_groups are comma separated lists of identifiers.
Items of list_of_capabilities are capability names or capability masks (hexadecimal numbers). For brevity, the cap_ prefix of capability names can be omitted (e.g. net_admin and cap_net_admin have the same meaning).
Items of list_of_users_and_groups are usernames or groupnames (groupnames must be prefixed by '@').
list_of_auth_commands is a command or a list of commands separated by semicolons (;). If present, cado runs the whole sequence of commands and grants the capabilities defined in the current line only if all of them return zero as their exit status.
Example of cado.conf file:
    # Capability Ambient DO configuration file
    # cado.conf
    net_admin: @netadmin,renzo: /usr/bin/logger cado net_admin $USER; /bin/echo OK
    net_admin: @privatenet: /usr/local/lib/cado_autorize_privatenet
    net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
    cap_kill: renzo
In this example, renzo's processes can be granted (by cado) cap_net_admin and cap_kill. cap_net_admin can be acquired by processes owned by users belonging to the netadmin group. Users in the vxvdex group can provide their processes with a subset of cap_net_admin, cap_net_bind_service, cap_net_raw and cap_net_broadcast.
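The following parser and grant evaluator is an added illustration of the line format described above; it is not part of cado and does not reproduce cado's own code. It assumes that a capability item consisting only of hexadecimal digits (optionally 0x-prefixed) is a mask, that blank lines are ignored, that each line is evaluated independently, and that auth commands are run through /bin/sh with USER set (the runner can be replaced, as the stand-alone demo below does). Masks are kept as integers and not expanded to names, since that needs a capability numbering table the page does not give.

```python
import os
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Set

# Example configuration taken from the text above (the page's own sample).
EXAMPLE_CONF = """\
# Capability Ambient DO configuration file
# cado.conf
net_admin: @netadmin,renzo: /usr/bin/logger cado net_admin $USER; /bin/echo OK
net_admin: @privatenet: /usr/local/lib/cado_autorize_privatenet
net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
cap_kill: renzo
"""

HEX_MASK = re.compile(r"^(0x)?[0-9a-f]+$")     # assumption: what a mask looks like
CAP_NAME = re.compile(r"^(cap_)?[a-z0-9_]+$")


@dataclass
class Rule:
    caps: Set[str]        # capability names, normalized to the cap_ form
    masks: List[int]      # hexadecimal capability masks, kept as integers
    users: Set[str]
    groups: Set[str]      # group names without the leading '@'
    commands: List[str]   # auth commands, run in order; all must exit 0


def parse_cap_item(item: str, caps: Set[str], masks: List[int]) -> None:
    """Classify one item of list_of_capabilities as a mask or a name."""
    item = item.strip().lower()
    if HEX_MASK.match(item):
        masks.append(int(item, 16))
    elif CAP_NAME.match(item):
        caps.add(item if item.startswith("cap_") else "cap_" + item)
    else:
        raise ValueError(f"bad capability item {item!r}")


def parse_cado_conf(text: str) -> List[Rule]:
    """Parse cado.conf text into rules; '#' lines are comments, blank lines skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on at most two ':' so the command field may itself contain ':'.
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"line {lineno}: expected 'caps: users[: commands]'")
        caps: Set[str] = set()
        masks: List[int] = []
        for item in fields[0].split(","):
            parse_cap_item(item, caps, masks)
        users: Set[str] = set()
        groups: Set[str] = set()
        for item in fields[1].split(","):
            item = item.strip()
            if not item:
                raise ValueError(f"line {lineno}: empty user/group item")
            (groups if item.startswith("@") else users).add(item.lstrip("@"))
        commands = [c.strip() for c in fields[2].split(";") if c.strip()] if len(fields) == 3 else []
        rules.append(Rule(caps, masks, users, groups, commands))
    return rules


def shell_runner(user: str) -> Callable[[str], int]:
    """Run an auth command via /bin/sh with USER set; returns its exit status.
    Assumption: cado's real invocation of auth commands may differ from this."""
    env = {"USER": user, "PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    return lambda cmd: subprocess.run(cmd, shell=True, env=env).returncode


def grantable(rules: List[Rule], user: str, groups: Iterable[str],
              run: Optional[Callable[[str], int]] = None) -> Set[str]:
    """Capability names the user's processes could be granted: the union over
    matching lines whose auth command sequence exits 0 throughout."""
    run = run or shell_runner(user)
    groups = set(groups)
    granted: Set[str] = set()
    for rule in rules:
        if user not in rule.users and not (rule.groups & groups):
            continue
        statuses = [run(cmd) for cmd in rule.commands]   # whole sequence is run
        if all(status == 0 for status in statuses):      # no commands => granted
            granted |= rule.caps
    return granted


if __name__ == "__main__":
    # Stand-alone demo with a runner that only logs commands and reports success.
    def log_runner(cmd: str) -> int:
        print("would run:", cmd)
        return 0
    rules = parse_cado_conf(EXAMPLE_CONF)
    for who, grps in [("renzo", []), ("alice", ["vxvdex"]), ("bob", ["privatenet"])]:
        print(who, grps, "->", sorted(grantable(rules, who, grps, run=log_runner)))
```

With the page's sample configuration, `renzo` with no groups obtains cap_net_admin and cap_kill when the logger/echo sequence succeeds, and only cap_kill when any command in that sequence fails, matching the rule that every auth command must exit zero.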
SEE ALSO
June 23, 2016 | VirtualSquare Labs |