Capabilities

Capabilities are like privileges you can give a process. A root process has all the capabilities. But there exists a capabilities boundig set. In a normal kernel, when you remove a capability from the boundig set, nobody can ever use it again, until next reboot. (see http://www.netcom.com/~spoon/lcap for the normal use).

LIDS modifies this behaviour to enable you to switch theses on and off, whenever you want. An access to the /proc/sys/kernel/cap_bset^9.1 is trapped and raise a security alert. lidsadm performs all the job.

What follows is extracted from linux/include/linux/capability.h