libcap-2.70 with PAM

Introduction to libcap with PAM

The libcap package was installed in LFS, but if Linux-PAM support is desired, the PAM module must be built (after installation of Linux-PAM).

[Note]

Note

Development versions of BLFS may not build or run some packages properly if LFS or dependencies have been updated since the most recent stable versions of the books.

Package Information

libcap Dependencies

Required

Linux-PAM-1.6.1

Installation of libcap

[Note]

Note

If you are upgrading libcap from a previous version, use the instructions in LFS libcap page to upgrade libcap. If Linux-PAM-1.6.1 has been built, the PAM module will automatically be built too.

Install libcap by running the following commands:

make -C pam_cap

This package does not come with a test suite.

Now, as the root user:

install -v -m755 pam_cap/pam_cap.so /usr/lib/security &&
install -v -m644 pam_cap/capability.conf /etc/security

Configuring Libcap

In order to allow Linux-PAM to grant privileges based on POSIX capabilities, you need to add the libcap module to the beginning of the /etc/pam.d/system-auth file. Make the required edits with the following commands:

mv -v /etc/pam.d/system-auth{,.bak} &&
cat > /etc/pam.d/system-auth << "EOF" &&
# Begin /etc/pam.d/system-auth

auth      optional    pam_cap.so
EOF
tail -n +3 /etc/pam.d/system-auth.bak >> /etc/pam.d/system-auth

Additionally, you'll need to modify the /etc/security/capability.conf file to grant necessary privileges to users, and utilize the setcap utility to set capabilities on specific utilities as needed. See man 8 setcap and man 3 cap_from_text for additional information.

Contents

Installed Programs: None
Installed Library: pam_cap.so
Installed Directories: None