**Before you begin**

Naturally, the first step is to upgrade to the IronPenguin kernel in the usual way. Making full use of capabilities requires fscaps which, in turn, requires the filesystem to be mounted with the user_xattr option.

For the usual case of an ext2 or ext3 filesystem, ''tune2fs'' can be used to enable mount options by default. To enable user_xattr and acl (//acl is not required, but suggested//), do the following for every filesystem on the machine (where xxx is the relevant block device):

  tune2fs -o +user_xattr,+acl /dev/xxx

After that, either reboot or (for every filesystem currently mounted):

  mount -oremount,user_xattr,acl /

In the event that only jails are desired, this step can (//but shouldn't//) be skipped.

**User utils**

Next, to take advantage of the new functionality, you will need to install the [[user_utils|user utilities]]. This procedure will differ depending on the base distro you're using. Debian packages and RPMs will be posted shortly. If all else fails, the source may be downloaded, built, and installed.

**Audit**

Next, locate all setuid-root binaries on the system using something like

  find / -type f -perm -04000

For each file identified, it is necessary to decide if it **//REALLY//** needs to be setuid-root or if simply forcing one or two capabilities would suffice. Note that if you intend to remove default capabilities from root later, for cases where full setuid-root IS called for, it will be necessary to force all capabilities.

Use ''fcap'' to set the desired forced and allowed capabilities, then chmod (and perhaps chown) to remove setuid (unless setuid is necessary).

The setup and use of [[jail_syscall|jails]] is beyond the scope of this page and will be covered [[jail_setup|here]].
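
A check for the mount-option step at the top of this page, as an added example that is not part of the original page or the IronPenguin tools: it reads a /proc/mounts-format listing and reports ext2/ext3 filesystems still missing user_xattr or acl. The function names and the sample mount table are constructed for illustration, and it assumes enabled options are shown in the mounts listing.

```shell
#!/bin/sh
# Report ext2/ext3 filesystems whose active mount options lack user_xattr
# (required for fscaps) or acl (suggested).
# Assumption: enabled options are listed in the /proc/mounts-format input.

# missing_fs_opts [MOUNTS_FILE]   ("-" reads standard input)
# Prints "<device> <mountpoint> missing:<opts>" per affected filesystem.
# Returns 0 when nothing is missing, 1 otherwise.
missing_fs_opts() {
    mounts_file="${1:-/proc/mounts}"
    awk '
        $3 == "ext2" || $3 == "ext3" {
            # Field 4 is the comma-separated option list.
            n = split($4, opts, ",")
            have_xattr = 0; have_acl = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "user_xattr") have_xattr = 1
                if (opts[i] == "acl") have_acl = 1
            }
            miss = ""
            if (!have_xattr) miss = "user_xattr"
            if (!have_acl) miss = (miss == "" ? "acl" : miss ",acl")
            if (miss != "") { print $1, $2, "missing:" miss; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$mounts_file"
}

# Constructed sample in /proc/mounts format (not taken from a real host).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw,user_xattr,acl 0 0
/dev/sda2 /home ext3 rw,acl 0 0
/dev/sdb1 /srv ext2 rw 0 0
proc /proc proc rw 0 0
EOF
}

# Demo on the constructed sample; call missing_fs_opts with no argument
# to check the running system instead.
sample_mounts | missing_fs_opts - ||
    echo "tune2fs and remount the filesystems listed above"
```
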