The developer behind the grsecurity project, Brad Spengler, has pointed out that most of the privilege control capabilities implemented under Linux carry a significant potential for compromising a system and wreaking other havoc.
The intended purpose of capabilities is to prevent precisely that by restricting services and processes to certain operations and specific resources. Among other things, they aim to reduce the effects of successful attacks and can, for example, prevent an exploit for an office tool from installing a back door because the office tool doesn't have the capabilities required for binding services to network ports. Capabilities can also make it unnecessary to use SUID

The link for this article located at H Security is no longer available.