I'd like to announce a new linux pam module called "pam_capability". Taking a
cue from the capabilities FAQ:
ftp://ftp.guardian.no/pub/free/linux/capabilities/capfaq.txt
I have tried to implement role-based assigned capabilities for users via a
pam module. However, lacking capability support in VFS, I patched the kernel
to pass the process inheritable capabilities to an exec'd binary's permitted
and effective set during exec (in <src_dir>/fs/exec.c). This ensures that the
new exec'd binary's process effective set is equal to the inherited set. This
seemed simplest to implement. I believe it to be a good way to debug proper
capability support in the kernel prior to full VFS support. Suffice it to
say, you can now easily assign capabilities to users or to process users
(like "ntp", "apache", and "bind", granting them CAP_NET_BIND_SERVICE,
allowing them to bind to reserved ports w/o running as root) via pam for such
services as sshd, login, and su.
I'd like very much to get feedback and help w/ testing the supplied patch and
pam module: how it can be made more secure, what role definitions work well
for certain applications, bugs, anything.
The freshmeat project URL is:
http://freshmeat.net/projects/pam_capability/
and the download URL is:
http://ekline.com/linux/pam_capability/
Yours, in code,
-Erik Kline
Many personal thanks to Jason Baietto.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/