Provided by: cado_0.9.6-1build1_amd64 

NAME
cado.conf - Capability Ambient DO: configuration file
DESCRIPTION
The /etc/cado.conf file is used to configure which ambient capabilities can be provided by cado to users.
cado uses the capability cap_dac_read_search to access /etc/cado.conf, so this configuration file does not
need to be readable by users.
All lines beginning with the sign '#' are comments.
Non-comment lines have the following syntax:
list_of_capabilities: list_of_users_and_groups
or
list_of_capabilities: list_of_users_and_groups: list_of_auth_commands
Both list_of_capabilities and list_of_users_and_groups are comma-separated lists of identifiers.
Items of list_of_capabilities are capability names or capability masks (hexadecimal numbers). For
brevity, the cap_ prefix of capability names can be omitted (e.g. net_admin and cap_net_admin have the
same meaning).
Items of list_of_users_and_groups are usernames or groupnames (groupnames must be prefixed by '@').
list_of_auth_commands is a command or a list of commands separated by semicolons (;). If present, cado
runs the whole sequence of commands and grants the capabilities defined in the current line only if all
of them return zero as their exit status.
Example of cado.conf file:
# Capability Ambient DO configuration file
# cado.conf
net_admin: @netadmin,renzo: /usr/bin/logger cado net_admin $USER; /bin/echo OK
net_admin: @privatenet: /usr/local/lib/cado_autorize_privatenet
net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
cap_kill: renzo
In this example, renzo's processes can be granted (by cado) cap_net_admin and cap_kill. cap_net_admin
can be acquired by processes owned by users belonging to the netadmin group. Users in vxvdex can provide
their processes with a subset of cap_net_admin, cap_net_bind_service, cap_net_raw and cap_net_broadcast.
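The following audit helper is an added example, not part of cado or of the original manual page. It parses the syntax described above and reports, for a given user and group set, which capabilities can be requested with no auth command and which are gated by one. The function names, the rule that any item parsing as hexadecimal is a mask, and splitting on only the first two ':' characters are assumptions of this sketch.

```python
# Constructed sample: the example file from this page.
SAMPLE = """\
# Capability Ambient DO configuration file
# cado.conf
net_admin: @netadmin,renzo: /usr/bin/logger cado net_admin $USER; /bin/echo OK
net_admin: @privatenet: /usr/local/lib/cado_autorize_privatenet
net_admin,net_bind_service,net_raw,net_broadcast: @vxvdex
cap_kill: renzo
"""

def norm_cap(tok):
    """Normalise one capability item: hex mask -> '0x..', name -> 'cap_name'."""
    tok = tok.strip()
    try:                       # assumption: any item that parses as hex is a mask
        return hex(int(tok, 16))
    except ValueError:
        return tok if tok.startswith("cap_") else "cap_" + tok

def parse(text):
    """Return (rules, errors); a rule is (lineno, caps, principals, auth_cmds)."""
    rules, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 2)   # assumption: 3rd field keeps any later ':'
        caps = [norm_cap(c) for c in fields[0].split(",") if c.strip()]
        who = [p.strip() for p in fields[1].split(",") if p.strip()] if len(fields) > 1 else []
        cmds = [c.strip() for c in fields[2].split(";") if c.strip()] if len(fields) > 2 else []
        if caps and who:
            rules.append((n, caps, who, cmds))
        else:
            errors.append((n, line))  # malformed line: report it, never guess
    return rules, errors

def grants(rules, user, groups=()):
    """Map each capability the user can request to 'unconditional' or 'gated'."""
    names = {user} | {"@" + g for g in groups}
    out = {}
    for _, caps, who, cmds in rules:
        if names & set(who):
            for cap in caps:
                # a line without auth commands outranks a gated line for the same cap
                if not cmds or cap not in out:
                    out[cap] = "gated" if cmds else "unconditional"
    return out

if __name__ == "__main__":
    rules, errors = parse(SAMPLE)
    for user, groups in (("renzo", ()), ("alice", ("vxvdex",)), ("bob", ("privatenet",))):
        print(user, grants(rules, user, groups))
```

Running it over a real /etc/cado.conf requires read access to that file; hexadecimal masks are reported as-is and still have to be decoded against capabilities(7).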
SEE ALSO
cado(1), caprint(1), capabilities(7)
VirtualSquare Labs June 23, 2016 CADO.CONF(5)