capability(4)                                                  capability(4)

NAME
     capability - user capability database

DESCRIPTION
     The file /etc/capability describes the default capability set a user
     may have when logging onto the system, and the maximum capability set
     a user may have when logging onto the system or using the su(1M)
     command.

     There is one entry for each user. Each entry is separated from the
     next by a newline. Each field within each entry is separated by a
     colon. An entry beginning with # is ignored.

     The capability file contains the following information for each user:

     name
          User's login name. This must exactly match the corresponding
          entry in /etc/passwd.

     default capability set
          The default capability set a user gets when logging onto the
          system. This consists of a capability set in a form acceptable
          to cap_from_text(3C).

     maximum capability set
          The maximum capability set a user may specify when logging onto
          the system, or when using su(1M). This field has the same form
          as the default field. This field should be a superset of the
          default field.

EXAMPLE
     Here is a sample /etc/capability file:

          root:all+eip:all+eip
          sysadm:all=:all=
          cmwlogin:all+eip:all+eip
          diag:all=:all=
          daemon:all=:all=
          bin:all=:all=
          uucp:all=:all=
          sys:all=:all=
          adm:all=:all=
          lp:all=:all=
          nuucp:all=:all=
          auditor:CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_KILL+eip:CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_KILL+eip
          dbadmin:all=:all=
          xserver:all=:all=
          demos:all=:all=
          tutor:all=:all=
          guest:all=:all=
          jenny:all=:CAP_DAC_READ_SEARCH+eip

     In this example, there are specific entries for users root and
     auditor, to assure that they have non-empty capability sets when
     logging in, and that they can acquire all the capabilities they need
     when necessary. There is also a specific entry for user jenny, who
     has an empty capability set by default, but can request
     CAP_DAC_READ_SEARCH capability when necessary.

FILES
     /etc/capability

SEE ALSO
     cap_from_text(3C), chcap(1), login(1), passwd(1), su(1M).
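An added example, not part of the original manual page or of any system tool: a Python audit of /etc/capability content against the rules the DESCRIPTION states (three colon-separated fields, a login name that exists in /etc/passwd, a maximum set that is a superset of the default set). The names `parse_caps`, `audit`, `SAMPLE`, `PASSWD_USERS` and `OTHER` are hypothetical, the sample lines are constructed, and the clause evaluation is a simplified assumption about the text form (`=` resets then sets, `+` raises, `-` lowers), not cap_from_text(3C) itself.

```python
import re

SAMPLE = """\
# constructed sample, based on the EXAMPLE entries above
root:all+eip:all+eip
auditor:CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_KILL+eip:CAP_AUDIT_WRITE,CAP_AUDIT_CONTROL,CAP_KILL+eip
jenny:all=:CAP_DAC_READ_SEARCH+eip
mallory:CAP_KILL+eip:all=
ghost:all=:all=
broken:all=
"""
PASSWD_USERS = {"root", "auditor", "jenny", "mallory", "broken"}  # constructed
OTHER = "<every other capability>"  # stands in for names not listed in the file

def parse_caps(text, universe):
    """Simplified, assumed clause evaluation -> {flag: set of capability names}."""
    state = {f: set() for f in "eip"}
    for clause in text.split():
        m = re.fullmatch(r"([\w,]*)((?:[=+-][eip]*)+)", clause)
        if not m:
            raise ValueError(f"unparseable clause {clause!r}")
        names = set(filter(None, m.group(1).split(",")))
        caps = universe if not names or "all" in {n.lower() for n in names} else names
        for op, flags in re.findall(r"([=+-])([eip]*)", m.group(2)):
            for f in "eip":
                if op == "=" or (op == "-" and f in flags):
                    state[f] -= caps          # '=' resets all flags, '-' lowers listed ones
                if op in "=+" and f in flags:
                    state[f] |= caps          # raise the listed flags
    return state

def audit(capability_text, passwd_users):
    """Return (login name, problem) pairs for entries that break a stated rule."""
    lines = [l for l in capability_text.splitlines() if l and not l.startswith("#")]
    entries = [l.split(":") for l in lines]
    universe = {OTHER} | {n for e in entries for fld in e[1:] for n in re.findall(r"CAP_\w+", fld)}
    findings = []
    for e in entries:
        if len(e) != 3:
            findings.append((e[0], "expected 3 colon-separated fields"))
            continue
        name, default, maximum = e
        if name not in passwd_users:
            findings.append((name, "no matching /etc/passwd entry"))
        d, m = parse_caps(default, universe), parse_caps(maximum, universe)
        if any(not d[f] <= m[f] for f in "eip"):
            findings.append((name, "maximum set is not a superset of default"))
    return findings
```

An entry whose default set exceeds its maximum, such as the constructed `mallory` line, is the case worth alerting on, since the user would log in holding capabilities the maximum field was meant to rule out.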