Permissions and capabilities are basically two different things in Linux, although Android uses the terms somewhat interchangeably. Your basic permissions in Linux are read, write, and execute, which means search access when applied to a directory. Capabilities in Linux are security specific bits that are all 1s for root and all 0s for everyone else. See man capabilities(7). Linux also allows for ACLs which is an Access Control List. This allows setting specific permissions for a specific user or group. See man setfacl(1). You must enable ACLs when you mount your Linux file system though in order to use them. ext4 does allow the use of ACLs, but I don't know if any of the other file system types do.
The idea of using capabilities is to "harden" a program by giving it only what it needs to do its job, rather than running it as root with setuid. This is known as the principle of least privilege.
Personally I think sysadmin stuff should be left to root, but some users may benefit from some very limited capabilities. My ftp and web servers both use cap_net_bind_service so they can bind(2) to the correct port number without having to run as root. My ftp server also uses cap_sys_chroot so it can use chroot(2) to limit access to the correct directory space. The ftp server only allows anonymous ftp logins.
Please let me know if you want more information about these topics.
Signed,
Matthew Campbell
