Provided by: libpam-cap_2.75-7ubuntu1_amd64

NAME

       pam_cap - Capabilities PAM module

SYNOPSIS

       [service-name] auth control-flag pam_cap [options]

DESCRIPTION

       The  pam_cap.so  module  can be used to specify Inheritable capabilities to process trees rooted in the PAM
       application. The module also supports blocking Bounding vector capabilities  and  adding  Ambient  vector
       capabilities.

       For  general  PAM apps to work correctly, the application must be run with at least CAP_SETPCAP raised in
       its Permitted capability flag. Many PAM applications run as root, which  has  all  of  the  bits  in  the
       Bounding  set  raised,  so  this requirement is typically met. To grant an Ambient vector capability, the
       corresponding Permitted bit must be available to the application too.

       The pam_cap.so module is a Linux-PAM auth module. It provides functionality to back pam_sm_authenticate()
       and pam_sm_setcred(). It is the latter that actually modifies the  3-tuple  of  capability  vectors
       (Inheritable, Ambient and Bounding) to the configured IAB. In a typical  application  configuration  you
       might have a line like this:

           auth    optional    pam_cap.so

       The module arguments are:

       ○   debug: While supported, this is a no-op at present.

       ○   config=/path/to/file:  Override  the default config for the module. The unspecified default value for
           this file is /etc/security/capability.conf. Note, config=/dev/null is a  valid  value.  See  default=
           below for situations in which this might be appropriate.

       ○   keepcaps: This asks the kernel to retain the application's Permitted capabilities across  its  later
           setuid(UID) call (the PR_SET_KEEPCAPS prctl(2) flag). It is as much as the pam_cap.so module can  do
           to help an application support use of the Ambient capability  vector;  application  support  for  the
           Ambient set is poor at the present time.

       ○   autoauth: This argument causes the pam_cap.so module to return  PAM_SUCCESS  if  the  PAM_USER  being
           authenticated exists. Without this argument, pam_cap.so returns PAM_SUCCESS only if the PAM_USER  is
           covered by a specific rule in the prevailing config file.

       ○   default=IAB: This argument is ignored if the prevailing configuration file contains a  "*"  rule.  If
           there  is  no such rule, the IAB 3-tuple is inserted at the end of the config file and applies to all
           PAM_USERs not covered by an earlier rule. Note, if you want all  PAM_USERs  to  be  covered  by  this
           default rule, you can supply the module argument config=/dev/null.

       ○   defer: This argument arranges for the IAB capabilities granted to a user to  be  added  sufficiently
           late in the Linux-PAM authentication stack that they stick, that is, after the application does  its
           setuid(UID) call. Used together with the keepcaps module argument, this  lets  such  applications
           support granting Ambient vector capabilities with pam_cap.so.
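
       The two requirements stated above (CAP_SETPCAP in the application's Permitted set, and every  Ambient
       grant also Permitted to the application) and the outcome of defer plus keepcaps can both be  checked
       from the Cap* lines of /proc/<pid>/status. The following Python script is an added example,  not  part
       of libpam-cap; the status excerpts and the cap_net_bind_service grant it uses are constructed.

```python
import re

# Kernel capability bit numbers in order: bit 0 = cap_chown ... bit 40 = cap_checkpoint_restore.
CAP_NAMES = (
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
)

def parse_cap_sets(status_text):
    """Decode the Cap* lines of a /proc/<pid>/status dump into sets of cap_* names."""
    sets = {}
    pattern = r"^Cap(Inh|Prm|Eff|Bnd|Amb):\s*([0-9a-fA-F]+)"
    for key, mask in re.findall(pattern, status_text, re.M):
        bits = int(mask, 16)
        sets[key] = {"cap_" + name for i, name in enumerate(CAP_NAMES) if bits >> i & 1}
    return sets

def pam_cap_preflight(app_status, wanted_ambient=()):
    """Check the PAM application before pam_cap runs. Per pam_cap(8): CAP_SETPCAP must be
    Permitted to change the IAB at all, and each Ambient grant must be Permitted as well."""
    permitted = parse_cap_sets(app_status).get("Prm", set())
    problems = []
    if "cap_setpcap" not in permitted:
        problems.append("cap_setpcap not Permitted: pam_cap cannot modify the IAB")
    for cap in wanted_ambient:
        if cap not in permitted:
            problems.append(f"{cap} not Permitted: cannot be raised in Ambient")
    return problems

def ambient_granted(session_status, wanted_ambient):
    """After login with defer and keepcaps, confirm the Ambient grants actually stuck."""
    return set(wanted_ambient) <= parse_cap_sets(session_status).get("Amb", set())

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
ROOT_APP = ("Name:\tlogin\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
            "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n")
UNPRIV_APP = ROOT_APP.replace("000001ffffffffff", "0000000000000000")  # no capabilities at all
USER_SHELL = ("Name:\tbash\nCapInh:\t0000000000000400\nCapPrm:\t0000000000000400\n"
              "CapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000400\n")

if __name__ == "__main__":
    print(pam_cap_preflight(ROOT_APP, ["cap_net_bind_service"]))
    print(pam_cap_preflight(UNPRIV_APP, ["cap_net_bind_service"]))
    print(ambient_granted(USER_SHELL, ["cap_net_bind_service"]))
```

       On a live system, feed it the status file of the PAM application (before) and of the user's  session
       process (after) instead of the constructed excerpts.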

SEE ALSO

       pam.conf(5), capability.conf(5), pam(8).

                                                   April 2024                                         PAM_CAP(8)