Add Linux-PAM configuration for libcap.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@21620 af4574ff-66df-0310-9fd7-8a98e5e911e0
2025-01-24 06:52:14 +08:00 · 2019-05-24 03:18:24 +00:00 · 2019-05-24 03:18:24 +00:00 · 3706c7fe34
commit 3706c7fe34
parent 9da30c5415
3 changed files with 36 additions and 2 deletions
--- a/general.ent
+++ b/general.ent
@ -1,12 +1,12 @@
 <!-- $LastChangedBy$ $Date$ -->

-<!ENTITY day          "21">                   <!-- Always 2 digits -->
+<!ENTITY day          "24">                   <!-- Always 2 digits -->
 <!ENTITY month        "05">                   <!-- Always 2 digits -->
 <!ENTITY year         "2019">
 <!ENTITY copyrightdate "2001-&year;">
 <!ENTITY copyholder   "The BLFS Development Team">
 <!ENTITY version      "&year;-&month;-&day;">
-<!ENTITY releasedate  "May 21st, &year;">
+<!ENTITY releasedate  "May 24th, &year;">
 <!ENTITY pubdate      "&year;-&month;-&day;"> <!-- metadata req. by TLDP -->
 <!ENTITY blfs-version "svn">                  <!-- svn|[release #] -->
 <!ENTITY lfs-version  "development">          <!-- x.y|development -->
--- a/introduction/welcome/changelog.xml
+++ b/introduction/welcome/changelog.xml
@ -41,6 +41,15 @@
      </itemizedlist>
    </listitem>
    -->
+    <listitem>
+      <para>May 24th, 2019</para>
+      <itemizedlist>
+        <listitem>
+          <para>[dj] - Add Linux-PAM configuration for libcap.</para>
+        </listitem>
+      </itemizedlist>
+    </listitem>
+
    <listitem>
      <para>May 21st, 2019</para>
      <itemizedlist>
--- a/postlfs/security/libcap.xml
+++ b/postlfs/security/libcap.xml
@ -87,6 +87,31 @@ install -v -m644 pam_cap/capability.conf /etc/security</userinput></screen>

  </sect2>

+  <sect2 role="configuration">
+    <title>Configuring Libcap</title>
+
+    <para>In order to allow <application>Linux-PAM</application> to grant
+    privileges based on POSIX capabilites, you need to add the libcap module
+    to the begining of the <filename>/etc/pam.d/system-auth</filename> file.
+    Make the required edits with the following commands:</para>
+
+<screen role="root"><userinput>mv -v /etc/pam.d/system-auth{,.bak} &amp;&amp;
+cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
+# Begin /etc/pam.d/system-auth
+
+auth      optional    pam_cap.so
+EOF
+tail -n +3 /etc/pam.d/system-auth.bak &lt;&lt; /etc/pam.d/system-auth</userinput></screen>
+
+    <para>Additonally, you'll need to modify the
+    <filename>/etc/security/capability.conf</filename> file to grant necessary
+    privileges to users, and utilize the <application>setcap</application>
+    utiltiy to set capabilities on specific utilities as needed. See
+    <command>man 8 setcap</command> and <command>man 3 cap_from_text</command>
+    for additional information.</para>
+ 
+  </sect2>
+
  <sect2 role="content">
    <title>Contents</title>