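#!/bin/bash
#
# Inventory of root-owned setuid executables under /bin, /sbin and /usr.
# Every match is printed with a short description of why it is setuid.
# Programs handed to limit() are additionally passed to setcap with a
# reduced capability set; everything else is only reported as still
# needing uid 0.
#
# Usage: run as root (setcap on a system binary needs privilege); the
# report goes to stdout.  NOTE(review): if this setcap applies the given
# set on success (as the current libcap tool does), limit() changes the
# binary on disk — this is not a dry run.
#
# The setcap option syntax used here (-o, -c CAP, -s) predates the
# "setcap CAPS FILE" form of current libcap; confirm which setcap this
# script targets before trusting an " ook" / "needs only" verdict.
#
# Requires GNU-style find (-perm /MODE, -print0) and bash 4.4+ (empty
# arrays are safe under set -u).

set -u   # an unset variable is a scripting error here, never an empty value

#######################################
# Try to restrict a setuid program to the given capabilities.
# Arguments:
#   $1 - path of the program
#   $2 - human-readable description, printed in parentheses
#   $3 - setcap options as ONE string that is split on whitespace
#        (e.g. "-c NET_RAW -c NET_BROADCAST -s")
# Outputs:
#   "($2) ook" when setcap exited 0, "($2) !!! needs only $3" otherwise
#######################################
limit() {
  local path=$1 desc=$2 capspec=$3
  local -a capargs
  # $3 is a whitespace-separated option list by contract; split it on
  # purpose here rather than through an unquoted expansion.
  read -r -a capargs <<<"$capspec"
  printf '%s' "($desc)"
  # setcap's own output is discarded; only its exit status is used.  A
  # non-zero status can also mean setcap is absent, not privileged, or
  # rejects this option syntax, so a "needs only" line is not conclusive.
  if setcap -o "${capargs[@]}" "$path" >/dev/null 2>&1; then
    printf '%s\n' " ook"
  else
    printf '%s\n' " !!! needs only $capspec"
  fi
}

#######################################
# Report a setuid program that this script does not try to restrict.
# Arguments:
#   $1 - path of the program (accepted for symmetry with limit(), unused)
#   $2 - human-readable description
#   $3 - capability hint (accepted for symmetry with limit(), unused)
# Outputs:
#   " ($2) needs uid 0 for now"
#######################################
needs() {
  local desc=$2
  printf '%s\n' " ($desc) needs uid 0 for now"
}

#######################################
# Classify one setuid program by its basename and print its report line.
# Arguments:
#   $1 - path of the program as produced by find
# Outputs:
#   one line on stdout, prefixed with the path
#######################################
classify() {
  local name=$1
  local lastname=${name##*/}   # basename via parameter expansion, no sed fork
  printf '%s' "$name: "
  case "$lastname" in
    ping|traceroute) limit "$name" " ping programs " "-c NET_RAW -c NET_BROADCAST -s" ;;
    fping) needs "$name" " ping programs " "-c NET_RAW -c NET_BROADCAST -s" ;;
    mount|umount|fdmount) needs "$name" " mount utilities " "-c SYS_ADMIN -s" ;;
    su|login) needs "$name" " user login " "-c SETUID -c SETGID -s" ;;
    newgrp) needs "$name" " group login " "-c SETGID -s" ;;
    rcp|rlogin|rsh|ssh1) limit "$name" " remote login " "-c NET_BIND_SERVICE -s" ;;
    cons.saver) needs "$name" " vcsa access wrapper for midnight " "-c none -s" ;;
    gpasswd) needs "$name" " setting of group information " "-c none -s" ;;
    chfn|chsh|passwd|chage) needs "$name" " setting of user information " "-c none -s" ;;
    screen|xterm) needs "$name" " terminals " "-c none -s" ;;
    ncpmount|ncpumount|nwsfind) needs "$name" " netware utilities " "-c SYS_ADMIN -c NET_RAW -s" ;;
    XF86_*|Xwrapper) needs "$name" " X-windows servers " "-c NET_BIND_SERVICE -c SYS_RAWIO -s" ;;
    lpr|lprm|lpq|lpc) needs "$name" " printer spooling " "-c none -s" ;;
    sendmail) limit "$name" " mail handler " "-c NET_BIND_SERVICE -s" ;;
    procmail) needs "$name" " mail delivery " "-c SETUID -s" ;;
    at|crontab) needs "$name" " Scheduling of jobs for later execution " "-c none -s" ;;
    suidperl|sperl*) needs "$name" " Perl setuid handler " "-c ALL -s" ;;
    pppd) needs "$name" " Point-to-point protocol handler " "-c none -s" ;;
    dga|xload|expiry) needs "$name" " Miscelaus " "-c none -s" ;;
    zgv) needs "$name" " SVGAlib programs " "-c none -s" ;;
    init) needs "$name" " System runlevel changer " "-c ALL -s" ;;
    gpm|syslogd|klogd|cardmgr|bdflush|*getty|cron) needs "$name" " Basic system daemons " "-c ALL -s" ;;
    portmap) needs "$name" " Port mapping service for rpc " "-c NET_BIND_SERVICE -s" ;;
    inetd|munetd) needs "$name" " Launchers of other daemons " "-c ALL -s" ;;
    sshd|rpc.nfsd|rpc.mountd|rpc.rstatd|ftpd|in.telnetd|in.rshd|in.rlogind|in.rexecd|in.ntalkd|in.talkd|bootps|cucipop|*finger*) needs "$name" " internet services " "-c ALL -s" ;;
    identd|tftp) needs "$name" " internet services " "-c none -s" ;;
    # Anything not in the table above is still a root-owned setuid binary;
    # it is listed so a reviewer can look at it, not silently skipped.
    *) needs "$name" " unknown to me " "-c none -s" ;;
  esac
}

#######################################
# Walk the system directories and classify every root-owned setuid file.
# Globals:   none
# Arguments: none (command-line arguments are ignored)
# Outputs:   one report line per match on stdout
#######################################
main() {
  # -perm /4000: any setuid bit set ("+4000" is the pre-2005 spelling that
  # current GNU find rejects).  NUL-delimited so a path containing
  # whitespace or a newline cannot split into, or forge, extra entries.
  find /bin /sbin /usr -perm /4000 -uid 0 -print0 |
    while IFS= read -r -d '' name; do
      classify "$name"
    done
}

main "$@"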