On Wednesday, 11 January 2017 14:20 CET, Felipe Ferreri Tonello
<eu(a)felipetonello.com> wrote:
Hi Ralf,
On 11/01/17 12:52, Ralf Mattes wrote:
On Wednesday, 11 January 2017 13:21 CET, Felipe Ferreri Tonello
<eu(a)felipetonello.com> wrote:
Hi Ralf,
On 03/01/17 21:37, Ralf Mattes wrote:
>
> On Tuesday, 03 January 2017 19:31 CET, Felipe Ferreri Tonello
> <eu(a)felipetonello.com> wrote:
>
>
>> If sched_setscheduler() returns -1, check if errno is set to EPERM. In
>> this case the user trying to perform this operation does not have
>> CAP_SYS_NICE[1] capability, which is *required*.
>>
>> [1] http://man7.org/linux/man-pages/man7/capabilities.7.html
>>
>> If you want this type of feature, set CAP_SYS_NICE to the group audio
>> that you are referring to.
>
> ??? How can I grant capabilities to a group? I thought capabilities were either given to
> a user (via /etc/security/capability.conf) or to a binary (by means of setcap).
AFAIK, pam_cap supports users and groups.
Not according to my local manpages (pam_cap(8) 09/23/2011 and CAPABILITY.CONF(5) --
09/23/2011).
Do you have any reference for your information?
I never tested, but try out based on this reference[1] paragraph 2.2.
Yes, but that paragraph seems to be simply wrong. And the code you link to
in [3] clearly shows that.
Apparently there are two implementations for pam_cap. One supports the other doesn't.
No. That's wrong. pam_cap doesn't support caps by group, your second link points to
the pam_capability module. IIRC that was only ever available in OpenSuse. The git log
(single line ...) of that repository doesn't really make me want to integrate it into
a security service.
If that feature is really important for you, you can always patch
pam_cap.c from libcap2.
It seems like a nice feature to have, IMO.
--
Felipe
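
The errno check described at the start of the thread, as an added example that is not part of any poster's message: it attempts the scheduler change and, on EPERM, reads the effective capability mask from /proc/self/status to report whether CAP_SYS_NICE is held. It assumes Linux with /proc mounted; the function names and the sample priority are hypothetical choices made for this illustration.

```c
/* Added example, not from the thread: diagnose sched_setscheduler() EPERM. */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_NICE_BIT 23 /* CAP_SYS_NICE in <linux/capability.h> */

/* Extract the effective capability mask from /proc/<pid>/status text. */
int parse_capeff(const char *status, unsigned long long *mask)
{
    const char *p = strstr(status, "CapEff:");
    char *end;
    if (p == NULL)
        return -1;
    p += strlen("CapEff:");
    *mask = strtoull(p, &end, 16);
    return end == p ? -1 : 0; /* -1: no hex digits followed the key */
}

int has_cap_sys_nice(unsigned long long mask)
{
    return (int)((mask >> CAP_SYS_NICE_BIT) & 1ULL);
}

/* Request SCHED_FIFO for the caller; returns 0 or the errno of the failure. */
int try_realtime(int priority)
{
    struct sched_param sp = { .sched_priority = priority };
    return sched_setscheduler(0, SCHED_FIFO, &sp) == 0 ? 0 : errno;
}

int main(void)
{
    char buf[4096] = "";
    unsigned long long eff = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f != NULL) {
        buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
        fclose(f);
    }
    int err = try_realtime(10); /* priority 10 is an arbitrary sample value */
    if (err == EPERM && parse_capeff(buf, &eff) == 0)
        fprintf(stderr, "EPERM, CAP_SYS_NICE %s (CapEff=%016llx)\n",
                has_cap_sys_nice(eff) ? "present" : "missing", eff);
    else if (err != 0)
        fprintf(stderr, "sched_setscheduler: %s\n", strerror(err));
    return err == 0 ? 0 : 1;
}
```

Running the binary once as the target user and once after `setcap` or a pam_cap change shows whether the grant actually reached the process's effective set.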