-
Notifications
You must be signed in to change notification settings - Fork 10
/
Copy pathcado.1.html
133 lines (109 loc) · 4.19 KB
/
cado.1.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
Content-type: text/html; charset=UTF-8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Man page of CADO</TITLE>
</HEAD><BODY>
<H1>CADO</H1>
Section: User Commands (1)<BR>Updated: June 23, 2016<BR><A HREF="#index">Index</A>
<A HREF="/#/man/index">Return to Main Contents</A><HR>
<A NAME="lbAB"> </A>
<H2>NAME</H2>
cado - Capability Ambient DO
<A NAME="lbAC"> </A>
<H2>SYNOPSIS</H2>
<B>cado</B>
[
<I>OPTIONS</I>
]
<I>capability_list</I>
[
<I>command</I>
[
<I>args</I>
]
]
<P>
<A NAME="lbAD"> </A>
<H2>DESCRIPTION</H2>
Cado allows the system administrator to delegate capabilities to users.
Cado is a capability based sudo. Sudo allows authorized users to run programs as root (or as another user),
cado allows authorized users to run programs with specific (ambient) capabilities.
<P>
Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
<P>
<I>capability_list</I> is a comma separated list of capability names or capability masks (exadecimal numbers).
For brevity, the <B>cap_</B> prefix of capability names can be omitted (e.g. <B>net_admin</B> and <B>cap_net_admin</B>
have the same meaning).
<P>
If it is allowed for the current user to run processes with the requested capabilities, the user is asked to
type their password (or to authenticate themselves as required by pam unless <B>-S</B> or <B>--scado</B>).
Once the authentication succeeds, <B>cado</B> executes the command granting the required ambient capabilities.
<P>
If <I>command</I> is omitted cado launch the command specified in the environment
variable $SHELL.
<P>
The file /etc/cado.conf (see <B><A HREF="/#/man/man5/cado.conf.5.html">cado.conf</A></B>(5)) defines which capabilities can be provided by <B>cado</B> to each user.
Cado itself is not a setuid executable, it uses the capability mechanism and it has an option to
set its own capabilities. So after each change in the /etc/cado.conf, the capability set should be
recomputed by root using the command <B>cado -s</B> or <B>cado --setcap</B>.
<P>
When <B>cado</B> runs is scado mode (by the option <B>-S</B> or <B>--scado</B>), if
<BR>
- the current user is allowed to run processes with the requested capabilities,
<BR>
- the <B>command</B> argument is an absolute pathname and
<BR>
- there is a specific authorization line in the user's scado file,
<BR>
<B>cado</B> runs the command granting the required ambient capabilities without any further authentication request
(it does not prompt for a password).
<BR>
<P>
<A NAME="lbAE"> </A>
<H2>OPTIONS</H2>
<I>cado</I>
accepts the following options:
<DL COMPACT>
<DT><B>-v<DD>
--verbose
run in verbose mode. cado</B> shows the set of allowed capabilities, requested cababilities, unavailable capabilities and
(in case of -s) the set of capabilities assigned to <B>cado.conf</B> itself.
<DT><B>-f<DD>
--force
do not fail in case the user asks for unavailable capabilities, cado</B> in this case grants the intersection between the
set of requested cababilities and the set of allowed capabilities
<DT><B>-s<DD>
--setcap
cado</B> computes the miminal set of capability required by itself and sets the file capability of the cado executable.
<DT><B>-S<DD>
--scado
launch cado</B> with <B><A HREF="/#/man/man1/scado.1.html">scado</A></B>(1) support. <I>command</I> must be an absolute pathname and a specific authorization line must
appear in the user's scado file.
<DT><B>-h<DD>
--help
print a short usage banner and exit.
<P>
</DL>
</B><A NAME="lbAF"> </A>
<H2>SEE ALSO</H2>
<B><A HREF="/#/man/man5/cado.conf.5.html">cado.conf</A></B>(5),
<B><A HREF="/#/man/man1/caprint.1.html">caprint</A></B>(1),
<B><A HREF="/#/man/man1/scado.1.html">scado</A></B>(1),
<B><A HREF="/#/man/man7/capabilities.7.html">capabilities</A></B>(7)
<P>
<P>
<HR>
<A NAME="index"> </A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">OPTIONS</A><DD>
<DT><A HREF="#lbAF">SEE ALSO</A><DD>
</DL>
<HR>
This document was created by
<A HREF="/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 15:22:07 GMT, November 27, 2023
</BODY>
</HTML>