before you begin
Naturally, the first step is to upgrade to the IronPenguin kernel in the usual way.
To make full use of capabilities requires fscaps which, in turn, requires the filesystem to be mointed with the user_xattr option. For the usual case of an ext2 or ext3 filesystem,
tune2fs can be used to enable mount options by default. To enable user_xattr and acl (acl is not required, but suggested), do the following for every filesystem on the machine (where xxx is the relevant block device):
tune2fs -o +user_xattr,+acl /dev/xxx
After that, either reboot or (for every filesystem currently mounted):
mount -oremount,user_xattr,acl /
In the event that only jails are desired, this step can (but shouldn't) be skipped.
Next, to take advantage of the new functionality, you will need to install the user utilities. This procedure will differ depending on the base distro you're using. Debian packages and RPMs will be posted shortly. If all else fails, the source may be downloaded, built, and installed.
Next, locate all setuid-root binaries on the system using something like
find / -type f -perm +04000
For each file identified, it is necessary to decide if it REALLY needs to be setuid-root or if simply forcing one or 2 capabilities would suffice. Note that if you intend to remove default capabilities from root later, for cases where full setuid-root IS called for, it will be necessary to force all capabilities.
fcap to set the desired forced and allowed capabilities, then chmod (and perhaps chown) to remove setuid (unless setuid is necessary).