Provided by: cado_0.9.6-1build1_amd64 bug

NAME
       cado - Capability Ambient DO


SYNOPSIS
       cado [ OPTIONS ] capability_list [ command [ args ] ]


DESCRIPTION
       Cado allows the system administrator to delegate capabilities to users.  Cado is a capability based sudo.
       Sudo  allows  authorized users to run programs as root (or as another user), cado allows authorized users
       to run programs with specific (ambient) capabilities.

       Cado is more selective than sudo, users can be authorized to have only  specific  capabilities  (and  not
       others).

       capability_list  is  a comma separated list of capability names or capability masks (exadecimal numbers).
       For brevity, the cap_ prefix of capability names can be omitted (e.g. net_admin  and  cap_net_admin  have
       the same meaning).

       If it is allowed for the current user to run processes with the requested capabilities, the user is asked
       to type their password (or to authenticate themselves as required by pam unless -S or --scado).  Once the
       authentication succeeds, cado executes the command granting the required ambient capabilities.

       If command is omitted cado launch the command specified in the environment variable $SHELL.

       The  file  /etc/cado.conf  (see  cado.conf(5)) defines which capabilities can be provided by cado to each
       user.  Cado itself is not a setuid executable, it uses the capability mechanism and it has an  option  to
       set  its  own  capabilities.  So  after  each  change in the /etc/cado.conf, the capability set should be
       recomputed by root using the command cado -s or cado --setcap.

       When cado runs is scado mode (by the option -S or --scado), if
         - the current user is allowed to run processes with the requested capabilities,
         - the command argument is an absolute pathname and
         - there is a specific authorization line in the user's scado file,
       cado runs the command granting the required  ambient  capabilities  without  any  further  authentication
       request (it does not prompt for a password).


OPTIONS
       cado accepts the following options:

       -v
       --verbose
              run  in  verbose  mode.  cado  shows  the  set  of  allowed  capabilities, requested cababilities,
              unavailable capabilities and (in case of -s) the set of capabilities assigned to cado.conf itself.

       -f
       --force
              do not fail in case the user asks for unavailable capabilities,  cado  in  this  case  grants  the
              intersection between the set of requested cababilities and the set of allowed capabilities

       -s
       --setcap
              cado computes the miminal set of capability required by itself and sets the file capability of the
              cado executable.

       -S
       --scado
              launch  cado  with  scado(1)  support.  command  must  be  an  absolute  pathname  and  a specific
              authorization line must appear in the user's scado file.

       -h
       --help print a short usage banner and exit.


SEE ALSO
       cado.conf(5), caprint(1), scado(1), capabilities(7)

VirtualSquare Labs                                June 23, 2016                                          CADO(1)