CADO(1) | General Commands Manual | CADO(1) |
cado - Capability Ambient DO
cado [ OPTIONS ] capability_list [ command [ args ] ]
Cado allows the system administrator to delegate capabilities to users. Cado is a capability based sudo. Sudo allows authorized users to run programs as root (or as another user), cado allows authorized users to run programs with specific (ambient) capabilities.
Cado is more selective than sudo, users can be authorized to have only specific capabilities (and not others).
capability_list is a comma separated list of capability names or capability masks (hexadecimal numbers). For brevity, the cap_ prefix of capability names can be omitted (e.g. net_admin and cap_net_admin have the same meaning).
If the current user is allowed to run processes with the requested capabilities, the user is asked to type their password (or to authenticate as required by PAM), unless -S or --scado is used. Once the authentication succeeds, cado executes the command, granting the required ambient capabilities.
If command is omitted, cado launches the command specified in the environment variable $SHELL.
The file /etc/cado.conf (see cado.conf(5)) defines which capabilities cado can provide to each user. Cado itself is not a setuid executable; it uses the capability mechanism and has an option to set its own capabilities. So after each change to /etc/cado.conf, the capability set must be recomputed by root using the command cado -s or cado --setcap.
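As an added illustration (not cado's own code), the following C program shows the two steps the text above describes: turning a capability_list such as net_admin,cap_net_raw,0x400 into a bitmask, and checking that every requested capability is within the set the administrator has authorized. It assumes that a token starting with a digit is a hexadecimal mask and uses only a constructed subset of the capability names; the bit numbers come from linux/capability.h.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed subset of Linux capability names and their kernel bit
   numbers (values as defined in linux/capability.h). */
static const struct { const char *name; int bit; } capnames[] = {
    {"chown", 0}, {"dac_override", 1}, {"kill", 5}, {"setgid", 6},
    {"setuid", 7}, {"net_bind_service", 10}, {"net_admin", 12},
    {"net_raw", 13}, {"sys_ptrace", 19}, {"sys_admin", 21},
};

/* Parse a comma separated capability_list into a bitmask.
   Names may carry or omit the cap_ prefix (case-insensitive);
   tokens starting with a digit are hexadecimal masks (assumption).
   Returns 0 on success, -1 on an unknown name or malformed number. */
int parse_caplist(const char *list, uint64_t *mask)
{
    char buf[256];
    *mask = 0;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (tok[0] >= '0' && tok[0] <= '9') {
            char *end;
            uint64_t m = strtoull(tok, &end, 16); /* accepts 0x prefix */
            if (*end) return -1;
            *mask |= m;
            continue;
        }
        if (strncasecmp(tok, "cap_", 4) == 0) tok += 4; /* optional prefix */
        int found = 0;
        for (size_t i = 0; i < sizeof capnames / sizeof *capnames; i++)
            if (strcasecmp(tok, capnames[i].name) == 0) {
                *mask |= (uint64_t)1 << capnames[i].bit;
                found = 1;
                break;
            }
        if (!found) return -1;
    }
    return 0;
}

/* Authorization rule: every requested bit must be in the allowed set
   (the set /etc/cado.conf grants to this user). */
int caps_allowed(uint64_t requested, uint64_t allowed)
{
    return (requested & ~allowed) == 0;
}
```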
When cado runs in scado mode (by the option -S or --scado), if
- the current user is allowed to run processes with the requested capabilities,
- the command argument is an absolute pathname, and
- there is a specific authorization line in the user's scado file,
cado runs the command granting the required ambient capabilities without any further authentication request (it does not prompt for a password).
cado accepts the following options:
cado.conf(5), caprint(1), scado(1), capabilities(7)
June 23, 2016 | VirtualSquare Labs |