Capability-dumb binaries

Notice something, though: the hello_pause program above really has no idea that it actually holds these capabilities; in other words, it has done nothing programmatically to query or set POSIX capabilities on itself. Yet, via the file capabilities model (and the setcap(8) utility), we have "injected" capabilities into it. This type of binary is therefore called a capability-dumb binary.

Security-wise, it's still vastly superior to a clumsy setuid-root binary, but it could get even "smarter" if the application itself—programmatically—used APIs to query and set capabilities upon itself at runtime. We can think of this kind of app as a capability-smart binary.

Often, when porting a legacy setuid-root (or worse, one that simply runs as root) application, developers will strip it of the setuid-root bit, remove root ownership from the binary, and then convert it into a capability-dumb binary by running setcap(8) on it. This is a good first step towards better security (or "hardening").
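As an added illustration (not code from the book or from hello_pause), here is the "capability-smart" side of that distinction: a program that queries its own capability sets and drops one from its effective set at runtime. It uses the raw capget(2)/capset(2) system calls rather than libcap so it builds with no extra library; picking CAP_NET_BIND_SERVICE as the capability to check is an assumption, not something hello_pause is stated to carry.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* 64-bit views of the calling thread's three capability sets. */
struct caps64 { uint64_t effective, permitted, inheritable; };

/* Version-3 capget/capset header; pid 0 means "the calling thread". */
#define CAP_HDR_SELF { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 }

/* Query our own capability sets: exactly what a capability-dumb binary never does. */
static int query_own_caps(struct caps64 *out)
{
    struct __user_cap_header_struct hdr = CAP_HDR_SELF;
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3] = {{0}};
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -1;
    out->effective   = ((uint64_t)d[1].effective   << 32) | d[0].effective;
    out->permitted   = ((uint64_t)d[1].permitted   << 32) | d[0].permitted;
    out->inheritable = ((uint64_t)d[1].inheritable << 32) | d[0].inheritable;
    return 0;
}

/* Is capability number `cap` (e.g. CAP_NET_BIND_SERVICE) present in `set`? */
static int cap_in_set(uint64_t set, int cap)
{
    return (cap >= 0 && cap < 64) ? (int)((set >> cap) & 1) : 0;
}

/* Drop `cap` from the effective set only; permitted is left alone so the
   program could re-raise it later. Returns 0 on success, -1 on failure. */
static int drop_effective(int cap)
{
    struct caps64 c;
    struct __user_cap_header_struct hdr = CAP_HDR_SELF;
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3];
    if (cap < 0 || cap >= 64 || query_own_caps(&c) != 0)
        return -1;
    c.effective &= ~(1ULL << cap);
    d[0].effective   = (uint32_t)c.effective;   d[1].effective   = (uint32_t)(c.effective >> 32);
    d[0].permitted   = (uint32_t)c.permitted;   d[1].permitted   = (uint32_t)(c.permitted >> 32);
    d[0].inheritable = (uint32_t)c.inheritable; d[1].inheritable = (uint32_t)(c.inheritable >> 32);
    return syscall(SYS_capset, &hdr, d) == 0 ? 0 : -1;
}

int main(void)
{
    struct caps64 c;
    if (query_own_caps(&c) != 0) { perror("capget"); return 1; }
    printf("CAP_NET_BIND_SERVICE in effect? %s\n",
           cap_in_set(c.effective, CAP_NET_BIND_SERVICE) ? "yes" : "no");
    return drop_effective(CAP_NET_BIND_SERVICE) == 0 ? 0 : 1; /* privilege no longer in effect */
}
```

Run it once plainly and once after `setcap cap_net_bind_service+ep ./a.out` to see the query answer change; the drop succeeds either way, since a thread may always shrink its own effective set.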
