Capabilities (cont)

By default, all capabilities are provided to any program that runs as root. However:

- The process can drop capabilities if desired. This allows it to keep just the enhanced privileges it actually needs.
- The capabilities can be set to be non-inheritable. This allows it to run other processes without extra privileges, with less code.
- Capabilities can be removed on a kernel-wide basis. No more processes will be able to get those capabilities.

Many advanced Linux kernel security models manipulate capabilities. Lcap can be used to view or remove capabilities from the running system.
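The three operations above (dropping capabilities, making them non-inheritable, and removing them so they cannot be regained) are shown below in an added example; it is not code from the slide or from lcap. It talks to the kernel directly through the capget/capset syscalls and prctl(), so it assumes Linux with a glibc toolchain; the struct layouts and constants are local copies of the kernel's v3 capability ABI from <linux/capability.h>. One caveat the slide predates: the "kernel-wide" removal lcap performed used the old global cap-bound sysctl, which kernels since 2.6.25 replaced with a per-process bounding set that is inherited by every child, so the drop below is permanent for the calling process tree rather than the whole system.

```c
/* Added example: inspect and reduce a process's Linux capability sets.
 * Assumes Linux + glibc; struct layouts mirror the kernel's v3 capability ABI. */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CAP_V3 0x20080522u          /* _LINUX_CAPABILITY_VERSION_3: two 32-bit words per set */
#define CAP_SETPCAP_BIT 8           /* capability numbers as in <linux/capability.h> */
#define CAP_NET_BIND_SERVICE_BIT 10
#define CAP_BIT(n) ((uint64_t)1 << (n))

struct cap_hdr  { uint32_t version; int pid; };                 /* pid 0 = calling thread */
struct cap_word { uint32_t effective, permitted, inheritable; };
typedef struct { uint64_t effective, permitted, inheritable; } capsets_t;

/* Read the calling thread's effective/permitted/inheritable sets. Works unprivileged. */
int cap_read(capsets_t *out) {
    struct cap_hdr hdr = { CAP_V3, 0 };
    struct cap_word w[2];
    if (syscall(SYS_capget, &hdr, w) != 0) return -1;
    out->effective   = ((uint64_t)w[1].effective   << 32) | w[0].effective;
    out->permitted   = ((uint64_t)w[1].permitted   << 32) | w[0].permitted;
    out->inheritable = ((uint64_t)w[1].inheritable << 32) | w[0].inheritable;
    return 0;
}

static int cap_write(const capsets_t *in) {
    struct cap_hdr hdr = { CAP_V3, 0 };
    struct cap_word w[2] = {
        { (uint32_t)in->effective,         (uint32_t)in->permitted,         (uint32_t)in->inheritable },
        { (uint32_t)(in->effective >> 32), (uint32_t)(in->permitted >> 32), (uint32_t)(in->inheritable >> 32) },
    };
    return syscall(SYS_capset, &hdr, w) == 0 ? 0 : -1;
}

/* "Drop capabilities": keep only the bits in `keep` in permitted and effective.
 * "Non-inheritable": clear the inheritable set, so anything this process execs
 * cannot pick up extra privileges from it. Lowering sets never needs privilege;
 * the kernel refuses any attempt to raise them above the old permitted set. */
int cap_restrict(uint64_t keep) {
    capsets_t cs;
    if (cap_read(&cs) != 0) return -1;
    cs.permitted   &= keep;
    cs.effective   &= keep;
    cs.inheritable  = 0;
    return cap_write(&cs);
}

/* 1 if `cap` is still in the bounding set, 0 if removed, -1 (EINVAL) if no such cap. */
int cap_in_bounding_set(int cap) {
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Remove every capability in `drop` from the bounding set (requires CAP_SETPCAP).
 * Removal is permanent for this process and all of its descendants: no later
 * execve of a setuid or file-capability binary can bring the capability back.
 * Returns the number of capabilities dropped, or -1 with errno set. */
int cap_drop_bounding(uint64_t drop) {
    int dropped = 0;
    for (int cap = 0; cap < 64; cap++) {
        if (!(drop & CAP_BIT(cap))) continue;
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0) return -1;
        dropped++;
    }
    return dropped;
}

int main(void) {
    capsets_t cs;
    if (cap_read(&cs) != 0) { perror("capget"); return 1; }
    printf("before: eff=%#" PRIx64 " perm=%#" PRIx64 " inh=%#" PRIx64 "\n",
           cs.effective, cs.permitted, cs.inheritable);

    /* A service started as root keeps only what it needs, e.g. binding a low port. */
    if (cap_restrict(CAP_BIT(CAP_NET_BIND_SERVICE_BIT)) != 0) { perror("capset"); return 1; }
    cap_read(&cs);
    printf("after:  eff=%#" PRIx64 " perm=%#" PRIx64 " inh=%#" PRIx64 "\n",
           cs.effective, cs.permitted, cs.inheritable);

    /* Bounding-set removal: the per-process successor to lcap's kernel-wide drop. */
    if (cap_drop_bounding(CAP_BIT(CAP_SETPCAP_BIT)) < 0)
        printf("bounding-set drop refused: %s (needs CAP_SETPCAP)\n", strerror(errno));
    printf("CAP_SETPCAP in bounding set: %d\n", cap_in_bounding_set(CAP_SETPCAP_BIT));
    return 0;
}
```

Run it once as an unprivileged user and once as root to see the difference: unprivileged, every set is already empty and the bounding-set drop is refused with EPERM; as root, the permitted and effective sets shrink to the single kept bit, and after the bounding-set drop a re-exec of any binary cannot regain CAP_SETPCAP. Reading /proc/self/status (the CapEff, CapPrm, CapInh and CapBnd lines) shows the same values from the shell.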