From 015c2d4d167941bea6bad67262ef58261b208afe Mon Sep 17 00:00:00 2001
From: frank
Date: Sun, 15 Jan 2012 23:31:31 +0100
Subject: [PATCH] committing changes in /etc after emerge run

Package changes:
+sys-libs/libcap-2.22
---
 .etckeeper | 1 +
 security/capability.conf | 45 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
 create mode 100644 security/capability.conf

diff --git a/.etckeeper b/.etckeeper
index 07fdc62d..4228dfdc 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -364,6 +364,7 @@ maybe chmod 0644 './screenrc'
 maybe chmod 0600 './securetty'
 maybe chmod 0755 './security'
 maybe chmod 0644 './security/access.conf'
+maybe chmod 0644 './security/capability.conf'
 maybe chmod 0644 './security/group.conf'
 maybe chmod 0644 './security/limits.conf'
 maybe chmod 0755 './security/limits.d'
diff --git a/security/capability.conf b/security/capability.conf
new file mode 100644
index 00000000..dd93ea74
--- /dev/null
+++ b/security/capability.conf
@@ -0,0 +1,45 @@
+#
+# /etc/security/capability.conf
+#
+# this is a sample capability file (to be used in conjunction with
+# the pam_cap.so module)
+#
+# In order to use this module, it must have been linked with libcap
+# and thus you'll know about Linux's capability support.
+# [If you don't know about libcap, the sources for it are here:
+#
+# http://linux.kernel.org/pub/linux/libs/security/linux-privs/
+#
+# .]
+#
+# Here are some sample lines (remove the preceding '#' if you want to
+# use them
+
+## user 'morgan' gets the CAP_SETFCAP inheritable capability (commented out!)
+#cap_setfcap morgan
+
+## user 'luser' inherits the CAP_DAC_OVERRIDE capability (commented out!)
+#cap_dac_override luser
+
+## 'everyone else' gets no inheritable capabilities (restrictive config)
+none *
+
+## if there is no '*' entry, all users not explicitly mentioned will
+## get all available capabilities. This is a permissive default, and
+## possibly not what you want... On first reading, you might think this
+## is a security problem waiting to happen, but it defaults to not being
+## so in this sample file! Further, by 'get', we mean 'get in their inheritable
+## set'. That is, if you look at a random process, even one run by root,
+## you will see it has no inheritable capabilities (by default):
+##
+## $ /sbin/capsh --decode=$(grep CapInh /proc/1/status|awk '{print $2}')
+## 0000000000000000=
+##
+## The pam_cap module simply alters the value of this capability
+## set. Including the 'none *' forces use of this module with an
+## unspecified user to have their inheritable set forced to zero.
+##
+## Omitting the line will cause the inheritable set to be unmodified
+## from what the parent process had (which is generally 0 unless the
+## invoking user was bestowed with some inheritable capabilities by a
+## previous invocation).
-- 
2.39.5
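Review bot: The only active (non-comment) entry in the new security/capability.conf is `none *`, which per the file's own comment forces the inheritable capability set to zero for every user pam_cap.so processes, yet this commit changes no PAM service configuration, so nothing in the diff shows whether pam_cap.so is loaded and this file is actually enforced. The file is the package's shipped sample, and its comment explains that dropping the `*` line would leave unlisted users' inheritable set unmodified, so the restrictive default is worth keeping as a deliberate choice rather than an untouched sample. I would add above that line `## kept on purpose: restrictive default; only effective when pam_cap.so is enabled in the PAM stack` and confirm in the PAM service files (outside this diff) that pam_cap.so is referenced before relying on the restriction. The .etckeeper hunk only records the new file's mode and needs nothing further.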