jammy (1) cado.1.gz

Provided by: cado_0.9.5-1_amd64

NAME

       cado - Capability Ambient DO

SYNOPSIS

       cado [ OPTIONS ] capability_list [ command [ args ] ]

DESCRIPTION

       Cado allows the system administrator to delegate capabilities to users. Cado is a capability-based sudo:
       sudo allows authorized users to run programs as root (or as another user), while cado allows authorized
       users to run programs with specific (ambient) capabilities.

       Cado is more selective than sudo: users can be authorized to have only specific capabilities (and not
       others).

       capability_list is a comma-separated list of capability names or capability masks (hexadecimal numbers).
       For brevity, the cap_ prefix of capability names can be omitted (e.g. net_admin and cap_net_admin have
       the same meaning).

       If the current user is allowed to run processes with the requested capabilities, the user is asked
       to type their password (or to authenticate themselves as required by PAM), unless -S or --scado is
       given. Once the authentication succeeds, cado executes the command, granting the required ambient
       capabilities.

       If command is omitted, cado launches the command specified in the environment variable $SHELL.

       The file /etc/cado.conf (see cado.conf(5)) defines which capabilities can be provided by cado to each
       user. Cado itself is not a setuid executable: it uses the capability mechanism and it has an option to
       set its own capabilities. So after each change to /etc/cado.conf, the capability set should be
       recomputed by root using the command cado -s or cado --setcap.

       When cado runs in scado mode (by the option -S or --scado), if
         - the current user is allowed to run processes with the requested capabilities,
         - the command argument is an absolute pathname and
         - there is a specific authorization line in the user's scado file,
       cado  runs  the  command  granting  the  required ambient capabilities without any further authentication
       request (it does not prompt for a password).

OPTIONS

       cado accepts the following options:

       -v
       --verbose
              run in verbose mode. cado shows the set of allowed capabilities, requested capabilities,
              unavailable capabilities and (in case of -s) the set of capabilities assigned to the cado
              executable itself.

       -f
       --force
              do not fail if the user asks for unavailable capabilities. In this case cado grants the
              intersection between the set of requested capabilities and the set of allowed capabilities.

       -s
       --setcap
              cado computes the minimal set of capabilities required by itself and sets the file capability of
              the cado executable.

       -S
       --scado
              launch  cado  with  scado(1)  support.  command  must  be  an  absolute  pathname  and  a specific
              authorization line must appear in the user's scado file.

       -h
       --help print a short usage banner and exit.
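
EXAMPLES

       The following is an added example, not part of the original manual page or of cado's source: a Python
       model of how a capability_list resolves to a mask and how -f changes what is granted. The capability
       table is a subset of <linux/capability.h>; the function names, and treating any item that is not a
       known name as a hexadecimal mask with an optional 0x prefix, are assumptions.

```python
# Added example: models the behaviour described in cado(1); not cado's source.
# Capability numbers are a subset of <linux/capability.h>.
CAP_NUMBERS = {
    "chown": 0, "dac_override": 1, "kill": 5, "setgid": 6, "setuid": 7,
    "net_bind_service": 10, "net_admin": 12, "net_raw": 13,
    "sys_ptrace": 19, "sys_admin": 21, "sys_time": 25,
}
CAP_NAMES = {bit: name for name, bit in CAP_NUMBERS.items()}


def parse_capability_list(text):
    """Turn a list such as 'net_admin,cap_net_raw,0x400' into one bit mask."""
    mask = 0
    for item in text.split(","):
        item = item.strip().lower()
        name = item[4:] if item.startswith("cap_") else item
        if name in CAP_NUMBERS:
            mask |= 1 << CAP_NUMBERS[name]
        else:
            # Assumption: not a known name, so read it as a hexadecimal mask.
            # int() raises ValueError for anything else (including "").
            mask |= int(item, 16)
    return mask


def mask_names(mask):
    """List the capability names set in a mask (unknown bits as bitN)."""
    return [CAP_NAMES.get(b, f"bit{b}") for b in range(64) if mask >> b & 1]


def resolve(requested, allowed, force=False):
    """Without force (-f), a request outside the allowed set fails;
    with force, the intersection of requested and allowed is granted."""
    unavailable = requested & ~allowed
    if unavailable and not force:
        raise PermissionError("unavailable: " + ",".join(mask_names(unavailable)))
    return requested & allowed


def capamb_line(mask):
    """Format a mask like the CapAmb field of /proc/<pid>/status."""
    return f"CapAmb:\t{mask:016x}"


if __name__ == "__main__":
    allowed = parse_capability_list("net_admin,net_raw")  # constructed policy
    requested = parse_capability_list("cap_net_admin,sys_admin")
    try:
        resolve(requested, allowed)
    except PermissionError as err:
        print("without -f:", err)
    print("with -f:   ", capamb_line(resolve(requested, allowed, force=True)))
```

       The formatted line can be compared with the CapAmb field in /proc/<pid>/status of a command started
       by cado to confirm that it holds only the capabilities that were meant to be delegated.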

SEE ALSO

       cado.conf(5), caprint(1), scado(1), capabilities(7)