Provided by: cado_0.9.5-1_amd64

NAME

       cado.conf - Capability Ambient DO: configuration file

DESCRIPTION

       The /etc/cado.conf file is used to configure which ambient capabilities can be provided by
       cado to users.  cado uses the capability cap_dac_read_search to access /etc/cado.conf, so
       this configuration does not need to be readable by users.

       All lines beginning with the sign '#' are comments.

       Non-comment lines have the following syntax
              list_of_capabilities: list_of_users_and_groups
       or
              list_of_capabilities: list_of_users_and_groups: list_of_auth_commands

       Both  list_of_capabilities  and  list_of_users_and_groups  are  comma  separated  lists of
       identifiers.

       Items of list_of_capabilities are capability names or capability masks (hexadecimal
       numbers).  For brevity, the cap_ prefix of capability names can be omitted (e.g. net_admin
       and cap_net_admin have the same meaning).

       Items of list_of_users_and_groups are usernames or groupnames (groupnames must be prefixed
       by '@').

       list_of_auth_commands is a command or a list of commands separated by semicolons (;). If
       present, cado runs the whole sequence of commands and grants the capabilities defined in
       the current line only if all of them return zero as their exit status.

       Example of cado.conf file:

            # Capability Ambient DO configuration file
            # cado.conf

            net_admin: @netadmin,renzo: /usr/bin/logger cado net_admin $USER; /bin/echo OK
            net_admin: @privatenet: /usr/local/lib/cado_autorize_privatenet
            net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
            cap_kill: renzo

       In this example renzo's processes can be granted (by cado) cap_net_admin and cap_kill.
       cap_net_admin can be acquired by processes owned by users belonging to the netadmin group.
       Users in vxvdex can provide their processes with a subset of cap_net_admin,
       cap_net_bind_service, cap_net_raw and cap_net_broadcast.
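
       The syntax above, as an added audit example (not part of cado or of this manual page): a
       Python parser for the documented line format, run over the example file, that reports
       which capabilities a user or group can be offered and which lines have no auth command.
       The function names, keeping a hex item as an opaque mask, and splitting on only the first
       two colons are assumptions.

```python
import re

# Constructed input: the example cado.conf shown on this page.
SAMPLE = """\
# Capability Ambient DO configuration file
# cado.conf

net_admin: @netadmin,renzo: /usr/bin/logger cado net_admin $USER; /bin/echo OK
net_admin: @privatenet: /usr/local/lib/cado_autorize_privatenet
net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
cap_kill: renzo
"""

def norm_cap(item):
    """Add the optional cap_ prefix; hex masks are kept verbatim for manual review."""
    item = item.strip().lower()
    if re.fullmatch(r"(0x)?[0-9a-f]+", item):  # assumption: bare or 0x-prefixed hex
        return "mask:" + item
    return item if item.startswith("cap_") else "cap_" + item

def parse(text):
    """Return one dict per rule line: source line, caps, principals, auth commands."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)  # assumption: later ':' belong to the commands
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'caps: users[: commands]'")
        caps_f, who_f, auth_f = (fields + [""])[:3]
        caps = {norm_cap(c) for c in caps_f.split(",") if c.strip()}
        who = {p.strip() for p in who_f.split(",") if p.strip()}
        auth = [c.strip() for c in auth_f.split(";") if c.strip()]
        rules.append({"line": lineno, "caps": caps, "who": who, "auth": auth})
    return rules

def grants_for(rules, user, groups=()):
    """Union of capabilities that any rule offers to this user or their groups."""
    ids = {user} | {"@" + g for g in groups}
    return set().union(*(r["caps"] for r in rules if r["who"] & ids))

def without_auth(rules):
    """Rules that grant capabilities with no auth command gating them."""
    return [r for r in rules if not r["auth"]]

if __name__ == "__main__":
    for r in without_auth(parse(SAMPLE)):
        print("no auth command: line", r["line"], sorted(r["caps"]), sorted(r["who"]))
```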

SEE ALSO

       cado(1), caprint(1), capabilities(7)