libcap-2.31 with PAM

Introduction to libcap with PAM

The libcap package was installed in LFS, but if Linux-PAM support is desired, the PAM module must be built (after installation of Linux-PAM).

This package is known to build and work properly using an LFS-9.1 platform.

Package Information

libcap Dependencies

Required

Linux-PAM-1.3.1

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/libcap

Installation of libcap

Note

If you are upgrading libcap from a previous version, use the instructions in the LFS libcap page to upgrade libcap. If the PAM module has been built, it will automatically be picked up.

Install libcap by running the following commands:

make -C pam_cap

This package does not come with a test suite.

Now, as the root user:

install -v -m755 pam_cap/pam_cap.so /lib/security &&
install -v -m644 pam_cap/capability.conf /etc/security

Configuring Libcap

In order to allow Linux-PAM to grant privileges based on POSIX capabilities, you need to add the libcap module (pam_cap.so) to the beginning of the /etc/pam.d/system-auth file. Make the required edits with the following commands:

mv -v /etc/pam.d/system-auth{,.bak} &&
cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth      optional    pam_cap.so
EOF
tail -n +3 /etc/pam.d/system-auth.bak >> /etc/pam.d/system-auth

Additionally, you'll need to modify the /etc/security/capability.conf file to grant the necessary privileges to users, and use the setcap utility to set capabilities on specific utilities as needed. See man 8 setcap and man 3 cap_from_text for additional information.
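
A read-only way to confirm the edits above and to review who is granted what, as an added example that is not part of the BLFS instructions. The function names, the user alice and the sample files are constructed for illustration, and the capability.conf rule format ("<capabilities or none> <users>", with * for everyone else) is assumed from the sample file installed above.

```shell
#!/bin/sh
# Added example: read-only checks for the pam_cap setup. File paths are
# arguments, so the checks can be run on copies as well as the live files.

# Succeeds if the first rule (first non-comment, non-blank line) is an
# auth entry for pam_cap.so. Assumes a one-word control field ("optional").
pam_cap_is_first() {
    awk '/^[ \t]*(#|$)/ { next }
         { ok = ($1 == "auth" && $3 == "pam_cap.so"); exit }
         END { exit !ok }' "$1"
}

# Prints "user<TAB>capabilities" for every rule that grants something.
# Assumed rule format: "<capability list or none> <user> [<user> ...]".
cap_conf_grants() {
    awk '/^[ \t]*(#|$)/ || $1 == "none" { next }
         { for (i = 2; i <= NF; i++) print $i "\t" $1 }' "$1"
}

# Succeeds if the file contains a "none *" rule for all unlisted users.
cap_conf_has_default_none() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 == "none" { for (i = 2; i <= NF; i++) if ($i == "*") found = 1 }
         END { exit !found }' "$1"
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/system-auth" << "EOF"
# Begin /etc/pam.d/system-auth

auth      optional    pam_cap.so
auth      required    pam_unix.so
EOF
cat > "$demo_dir/capability.conf" << "EOF"
# constructed sample: one user gets one inheritable capability
cap_net_raw     alice
none            *
EOF

pam_cap_is_first "$demo_dir/system-auth" && echo "pam_cap.so is the first rule"
cap_conf_grants "$demo_dir/capability.conf"
cap_conf_has_default_none "$demo_dir/capability.conf" || echo "no 'none *' rule"
```

On an installed system, pass /etc/pam.d/system-auth and /etc/security/capability.conf to the functions instead of the sample files.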

Contents

Installed Programs: None
Installed Library: pam_cap.so
Installed Directories: None

Last updated on 2020-02-15 08:54:30 -0800