1
0
mirror of https://github.com/rd235/cado synced 2025-01-28 12:39:26 +01:00
cado/man/cado.conf.5

53 lines
2.0 KiB
Groff
Raw Normal View History

2016-06-25 14:12:41 +02:00
.TH CADO.CONF 5 "June 23, 2016" "VirtualSquare Labs"
.SH NAME
cado.conf \- Capability Ambient DO: configuration file
.SH DESCRIPTION
The \fB/etc/cado.conf\fR file is used to configure which ambient cabalities can be provided by \fBcado\fR to users.
\fBcado\fR uses the capability cap_dac_read_search to access \fB/etc/cado.conf\fR, so this configuration does not
need to be readable by users.
All lines beginning with the sign '#' are comments.
Non-comment lines have the following syntax
.nf
\fIlist_of_capabilities\fB:\fI list_of_users_and_groups\fR
.fi
or
.nf
\fIlist_of_capabilities\fB:\fI list_of_users_and_groups\fB:\fR \fIlist_of_auth_commands\fR
.fi
2016-06-25 14:12:41 +02:00
Both \fIlist_of_capabilities\fR and \fIlist_of_users_and_groups\fR are comma separated lists of identifiers.
Items of \fIlist_of_capabilities\fR are capability names or capability masks (exadecimal numbers).
For brevity, the \fBcap_\fR prefix of capability names can be omitted (e.g. \fBnet_admin\fR and \fBcap_net_admin\fR
have the same meaning).
Items of \fIlist_of_users_and_groups\fR are usernames or groupnames (groupnames must be prefexed by '@').
\fIlist_of_auth_commands\fR is a command or a list of commands separated by semicolon (;). If present, cado runs
all the sequence of commands it grants the capabilities as defined in the current line only if all return zero as
their exit status.
2016-06-25 14:12:41 +02:00
Example of \fBcado.conf\fR file:
2016-06-25 14:12:41 +02:00
.nf
# Capability Ambient DO configuration file
# cado.conf
net_admin: @netadmin,renzo: /usr/bin/logger cado net_admin $USER; /bin/echo OK
net_admin: @privatenet: /usr/local/lib/cado_autorize_privatenet
net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
cap_kill: renzo
2016-06-25 14:12:41 +02:00
.fi
In this example the renzo's processes can be granted (by \fBcado\fR) cap_net_admin and cap_kill.
cap_net_admin can be acquired by processes owned by users belonging to the netadmin group.
Users in vxvdex can provide their processes with a subset of cap_net_admin, cap_net_bind_service, cap_net_raw and cap_net_broadcast
.SH SEE ALSO
\fBcado\fR(1),
\fBcaprint\fR(1),
\fBcapabilities\fR(7)