Linux.com: Linux Capabilities

“There will be undiscovered holes in software, and we want to
minimize the impact a breach in a daemon or service will have on
your machine. This idea of hardening your system is what this
article focuses on. Traditional Unix has the root user, which can do
anything: read, write, whatever. You know the drill. Obviously this
is a problem if your machine is cracked: the attacker now has
control over your machine. Let’s say, for example, your car breaks
down and you have to take it in to the local garage to have it
fixed. You would give the mechanic the keys to your car only. It
would be silly to also give the mechanic the keys to your house,
mailbox, job, or whatever else. Traditional root user exit stage
left, Linux Capabilities enter stage right.”

“Linux Capabilities create the ability to give processes
specific capabilities to do only the job required and nothing more.
In other words, splitting the root power up into little
Take a peek at /usr/include/linux/capability.h for a
list of caps. In a real capabilities-only model, uid 0 is just a
normal user. There are 3 capability ‘sets’…”
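
To see the split the excerpt describes on a running system, the following added example (not code from the quoted article) decodes the inheritable, permitted and effective masks that the kernel reports as `CapInh`, `CapPrm` and `CapEff` in `/proc/<pid>/status`, and lists the effective capabilities a process holds beyond what its job needs. The two status samples, the process names `legacyd` and `webd`, and the helper `excess_capabilities` are constructed for illustration.

```python
import re

# Capability names by bit number, in the order linux/capability.h defines them.
CAP_NAMES = ["CAP_" + n for n in """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER
FSETID KILL SETGID SETUID SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST
NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE
SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD
LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE""".split()]

# Constructed samples of /proc/<pid>/status (process names are hypothetical).
ROOT_DAEMON = ("Name:\tlegacyd\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n"
               "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n")
HARDENED = ("Name:\twebd\nUid:\t33\t33\t33\t33\nCapInh:\t0000000000000000\n"
            "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n")


def decode_mask(hex_mask):
    """Turn a hex bitmask from the status file into capability names."""
    mask = int(hex_mask, 16)
    # Bits past the end of the table are reported as "bitN" instead of dropped.
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"bit{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]


def capability_sets(status_text):
    """Return the inheritable, permitted and effective sets as name lists."""
    fields = re.findall(r"^(Cap(?:Inh|Prm|Eff)):\s*([0-9a-fA-F]+)$",
                        status_text, re.M)
    return {field: decode_mask(value) for field, value in fields}


def excess_capabilities(status_text, needed):
    """Effective capabilities held beyond the ones the job requires."""
    return sorted(set(capability_sets(status_text)["CapEff"]) - set(needed))


if __name__ == "__main__":
    for label, text in (("legacyd", ROOT_DAEMON), ("webd", HARDENED)):
        extra = excess_capabilities(text, ["CAP_NET_BIND_SERVICE"])
        print(f"{label}: {len(extra)} effective capabilities beyond "
              f"CAP_NET_BIND_SERVICE")
```
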