#
# See capabilities(8) and /usr/include/linux/capability.h
#

# CAP_SYS_ADMIN etc are essentially root access!
# There is little to no security offered by doing this.

#
# coreutils
#

su=cap_dac_read_search,cap_setgid,cap_setuid

#
# dcron
#

crontab=cap_dac_override,cap_setgid

#
# inetutils
#

ping=cap_net_raw
ping6=cap_net_raw

traceroute=cap_net_raw
traceroute6=cap_net_raw

rsh=cap_net_bind_service
rcp=cap_net_bind_service
rlogin=cap_net_bind_service

#
# libexec
#

ssh-keysign=cap_dac_read_search

#
# pam
#

unix_chkpwd=cap_dac_read_search

#
# shadow
#

chage=cap_dac_read_search
chfn=cap_chown,cap_setuid
chsh=cap_chown,cap_setuid
expiry=cap_dac_override,cap_setgid

gpasswd=cap_chown,cap_dac_override,cap_setuid
newgrp=cap_dac_override,cap_setgid
passwd=cap_chown,cap_dac_override,cap_fowner

#
# util-linux-ng
#

# Warning: Do not use it, because mount and umount can not do some checks,
# then users can mount/umount filesystems that do not have permission.

#mount=cap_dac_override,cap_sys_admin
#umount=cap_dac_override,cap_sys_admin

#
# X11
#

Xorg=cap_dac_override,cap_chown,cap_sys_rawio,cap_sys_admin

#
# YZ (CR/KX/RM or other programs that may benefit from capabilities)
#

# Be sure to do the following first (for they may well; not be setuid safe):
# chgrp wheel `which utility`
# chmod 710 `which utility`
#
#beep=cap_dac_override,cap_sys_tty_config
#chvt=cap_dac_read_search,cap_sys_tty_config
#iftop=cap_net_raw
#mii-tool=cap_net_admin
#tcpdump=cap_net_raw
