It seems that in order to take full advantage of capabilities, files should not be owned by root. Files should be owned by a non-login user (e.g. bin).
Currently:

    -rwxr-xr-x 1 root root 42300 jul 29 13:26 /bin/ls*

It should be:

    -rwxr-xr-x 1 bin bin 42300 jul 29 13:26 /bin/ls*

That's because root will be just another user, with its set of capabilities, and you may like to prevent him from altering system files.

As this is a major change, we'd better start now. This will also help people who want to implement a capabilities setup before we do...

Do you like this? Do I send a "formal proposal"?
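The ownership argument in the message above, as an added example that is not part of the original post: a simplified Python model of the Linux permission check for a regular file, applied to the two `ls -l` lines quoted there for a uid-0 process that holds no capabilities. The function names and the read-only variant are constructed for illustration, and the model ignores ACLs, immutable flags, LSMs and the permissions of the parent directory.

```python
# Added example: simplified model of Linux DAC checks on a regular file.
# Assumptions: no ACLs, no immutable flag, no LSM, parent directory ignored.
CAP_DAC_OVERRIDE = "CAP_DAC_OVERRIDE"  # bypasses the read/write permission bits
CAP_FOWNER = "CAP_FOWNER"              # allows chmod on files owned by others

SAMPLES = {
    # The two listings quoted in the post.
    "current": "-rwxr-xr-x 1 root root 42300 jul 29 13:26 /bin/ls*",
    "proposed": "-rwxr-xr-x 1 bin bin 42300 jul 29 13:26 /bin/ls*",
    # Constructed variant: still owned by root, but with no write bit at all.
    "readonly": "-r-xr-xr-x 1 root root 42300 jul 29 13:26 /bin/ls*",
}

def parse_ls(line):
    """Parse one `ls -l` line into path, owner, group and the nine mode bits."""
    fields = line.split()
    perms, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        if ch not in "-ST":  # S/T mean setuid/sticky without the execute bit
            mode |= 1 << (8 - i)
    return {"path": path.rstrip("*"), "owner": owner, "group": group, "mode": mode}

def class_bits(f, user, groups):
    """Pick the owner, group or other triplet; only the first match is used."""
    if user == f["owner"]:
        return (f["mode"] >> 6) & 7
    if f["group"] in groups:
        return (f["mode"] >> 3) & 7
    return f["mode"] & 7

def can_write(f, user, groups, caps):
    return bool(class_bits(f, user, groups) & 2) or CAP_DAC_OVERRIDE in caps

def can_chmod(f, user, caps):
    # The owner may always change the mode, so ownership implies write access.
    return user == f["owner"] or CAP_FOWNER in caps

def can_alter(f, user, groups, caps):
    """True if the contents can be changed, directly or after a chmod."""
    return can_write(f, user, groups, caps) or can_chmod(f, user, caps)

def report(user="root", groups=("root",), caps=frozenset()):
    """Evaluate every sample for one process identity and capability set."""
    return {name: can_alter(parse_ls(line), user, set(groups), caps)
            for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, alterable in report().items():
        print(f"{name:9} root without capabilities can alter: {alterable}")
```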