Non-capabilities aware programs

You can create suid wrappers to drop all but needed capabilities before exec'ing a binary.
Exec'd programs still won't drop extra privs unless patched.
What a pain in the butt.
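A sketch of such a wrapper, added here as an example and not taken from the original slides. It assumes Linux 4.3 or later (ambient capabilities), that the wrapper is installed setuid root, that the one needed capability is CAP_NET_BIND_SERVICE, and a hypothetical target path /usr/local/bin/legacy-httpd.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fill both 32-bit capset words so only `cap` is set in P, E and I. */
static void only_cap(struct __user_cap_data_struct d[2], int cap)
{
    memset(d, 0, 2 * sizeof d[0]);
    d[CAP_TO_INDEX(cap)].permitted = CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].effective = CAP_TO_MASK(cap);
    d[CAP_TO_INDEX(cap)].inheritable = CAP_TO_MASK(cap);
}

/* Give up root and every capability except `cap`, then make `cap` ambient. */
static int drop_all_but(int cap)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];

    only_cap(d, cap);
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;  /* keep P across setresuid */
    if (setresgid(getgid(), getgid(), getgid()) != 0) return -1;
    if (setresuid(getuid(), getuid(), getuid()) != 0) return -1; /* back to the caller's uid */
    if (syscall(SYS_capset, &h, d) != 0) return -1;           /* shrink P/E/I to `cap` */
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0); /* survives execve */
}

int main(void)
{
    /* Hypothetical target: a non-capability-aware daemon that binds port 80. */
    char *argv[] = { "/usr/local/bin/legacy-httpd", NULL };
    char *envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed environment, not the caller's */

    if (drop_all_but(CAP_NET_BIND_SERVICE) != 0) {
        perror("drop_all_but");
        return 1;  /* fail closed: never exec with extra privilege */
    }
    execve(argv[0], argv, envp);
    perror("execve");
    return 1;
}
```

The exec'd program still holds CAP_NET_BIND_SERVICE in its permitted and effective sets for its whole lifetime, which is the limitation noted above: only a patched program gives the capability up after it has bound its socket.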