Index: Linux-PAM/configure.in
===================================================================
--- Linux-PAM/configure.in	(revision 384)
+++ Linux-PAM/configure.in	(working copy)
@@ -246,7 +246,7 @@
 AC_HEADER_DIRENT
 AC_HEADER_STDC
 AC_HEADER_SYS_WAIT
-AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termios.h unistd.h sys/fsuid.h)
+AC_CHECK_HEADERS(fcntl.h limits.h malloc.h sys/file.h sys/ioctl.h sys/time.h syslog.h net/if.h termios.h unistd.h sys/fsuid.h sys/capability.h )
 
 dnl Linux wants features.h in some of the source files.
 AC_CHECK_HEADERS(features.h)
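Review bot: The feature is gated in pam_limits.c solely on HAVE_SYS_CAPABILITY_H, which this header check defines, while the library check added in the next hunk (`AC_CHECK_LIB(cap, cap_init)` at the @@ -410 hunk) is independent of it; a host with the header but no usable libcap will compile the capability code and then fail at link time, and with the default action the check also appends `-lcap` to LIBS for every link in the tree rather than just this module. Tie the two together and export a dedicated variable, e.g. `AC_CHECK_LIB(cap, cap_init, [LIBCAP=-lcap], [LIBCAP=])` followed by `AC_SUBST(LIBCAP)`, and make the C guard depend on both results. The trailing space inside the AC_CHECK_HEADERS list is harmless but breaks the style of the line.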
@@ -410,6 +410,7 @@
 AC_FUNC_MEMCMP
 AC_FUNC_VPRINTF
 AC_CHECK_FUNCS(gethostname gettimeofday mkdir select strcspn strdup strerror strspn strstr strtol uname)
+AC_CHECK_LIB(cap, cap_init)
 
 AC_CHECK_FUNCS(getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r getgrouplist)
 
Index: Linux-PAM/modules/pam_limits/pam_limits.c
===================================================================
--- Linux-PAM/modules/pam_limits/pam_limits.c	(revision 385)
+++ Linux-PAM/modules/pam_limits/pam_limits.c	(working copy)
@@ -19,6 +19,10 @@
 
 #include <security/_pam_aconf.h>
 
+#ifdef HAVE_SYS_CAPABILITY_H
+#include <sys/capability.h>
+#include <sys/prctl.h>
+#endif /* HAVE_SYS_CAPABILITY_H */
 #include <stdio.h>
 #include <unistd.h>
 #include <string.h>
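Review bot: `<sys/prctl.h>` is pulled in under HAVE_SYS_CAPABILITY_H, but the configure change only probes for sys/capability.h, so the presence of the capability header is being used as a proxy for a Linux-only header it does not imply. Add `sys/prctl.h` to the AC_CHECK_HEADERS list and wrap that include in its own `#ifdef HAVE_SYS_PRCTL_H`, or document the Linux-only assumption next to the include, e.g. `/* prctl(PR_SET_KEEPCAPS) is Linux-specific; capability support is only built there */`.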
@@ -75,6 +79,10 @@
 			      specific user or to count all logins */
     int priority;	 /* the priority to run user process with */
     char chroot_dir[8092]; /* directory to chroot into */
+#ifdef HAVE_SYS_CAPABILITY_H
+  cap_t capabilities; /*capability handle*/
+  int caps_set;
+#endif /* HAVE_SYS_CAPABILITY_H */
     int supported[RLIM_NLIMITS];
     struct user_limits_struct limits[RLIM_NLIMITS];
     char conf_file[BUFSIZ];
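Review bot: The two new members are indented with two spaces while every neighbouring field uses four, and the comment on `capabilities` says nothing about ownership of the libcap handle, which matters because the struct both allocates it (in the init hunk) and overwrites it (in the parser hunk). Suggest aligning the indentation and documenting the lifetime, e.g. `cap_t capabilities; /* libcap handle owned by this struct; freed after cap_set_proc() */` and `int caps_set; /* non-zero once a "capabilities" line has been parsed */`. The enclosing struct definition starts and ends outside this hunk.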
@@ -87,6 +95,7 @@
 
 #define LIMIT_PRI RLIM_NLIMITS+3
 #define LIMIT_CHROOT RLIM_NLIMITS+4
+#define LIMIT_CAPS RLIM_NLIMITS+5
 
 #define LIMIT_SOFT  1
 #define LIMIT_HARD  2
@@ -292,6 +301,10 @@
     pl->login_limit = -2;
     pl->login_limit_def = LIMITS_DEF_NONE;
 
+#ifdef HAVE_SYS_CAPABILITY_H
+    pl->capabilities = cap_init();
+    pl->caps_set = 0;
+#endif /* HAVE_SYS_CAPABILITY_H */
     pl->chroot_dir[0] = '\0';
     
     return retval;
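Review bot: `cap_init()` can return NULL and its result is not checked here; more importantly the handle allocated on this line is never released, because the parser hunk (@@ -449) overwrites `pl->capabilities` with the `cap_from_text()` result and the apply hunk (@@ -662) only frees when `caps_set` is non-zero, so one handle leaks on every call regardless of configuration. Since the handle is only needed once a "capabilities" line is seen, initialise lazily instead: `pl->capabilities = NULL;` here and allocate in the parser. The enclosing init function starts outside this hunk.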
@@ -365,6 +378,10 @@
 	limit_item = LIMIT_PRI;
     } else if (strcmp(lim_item, "chroot") == 0) {
 	limit_item = LIMIT_CHROOT;
+#ifdef HAVE_SYS_CAPABILITY_H
+    } else if (strcmp(lim_item, "capabilities") == 0) {
+	limit_item = LIMIT_CAPS;
+#endif /* HAVE_SYS_CAPABILITY_H */
     } else {
         _pam_log(LOG_DEBUG,"unknown limit item '%s'", lim_item);
         return;
@@ -449,6 +466,13 @@
 
     if (limit_item == LIMIT_CHROOT)
 	strncpy(pl->chroot_dir, value_orig, sizeof(pl->chroot_dir));
+#ifdef HAVE_SYS_CAPABILITY_H
+    else if (limit_item == LIMIT_CAPS) {
+	pl->capabilities = cap_from_text(value_orig);
+	prctl(PR_SET_KEEPCAPS, 1);
+	pl->caps_set = 1;
+    }
+#endif
     else if ( (limit_item != LIMIT_LOGIN)
 	 && (limit_item != LIMIT_NUMSYSLOGINS)
 	 && (limit_item != LIMIT_PRI) ) {
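Review bot: `cap_from_text(value_orig)` returns NULL on a malformed capability string and the result is stored unchecked with `caps_set = 1`, so a typo in the limits file later drives `cap_set_proc(NULL)` in the apply hunk instead of producing a diagnostic; the previous handle is also leaked on overwrite. The `prctl(PR_SET_KEEPCAPS, 1)` call is a process-wide side effect issued during config parsing with its return value ignored, so if it fails the capabilities the administrator configured are silently dropped at the next setuid while the module still reports success; it belongs next to `cap_set_proc()` in the apply step, with its return checked. Presumably this branch runs only for lines matching the user (inferred from the surrounding parser), but even so the side effect should not precede validation. The rewritten branch below validates the text and releases the old handle; the enclosing function starts and ends outside this hunk.
```c
    else if (limit_item == LIMIT_CAPS) {
	cap_t caps = cap_from_text(value_orig);
	if (caps == NULL) {
	    _pam_log(LOG_ERR, "invalid capability set '%s'", value_orig);
	    return;
	}
	if (pl->capabilities != NULL)
	    cap_free(pl->capabilities);
	pl->capabilities = caps;
	pl->caps_set = 1;
    }
    /* … unchanged: remaining limit_item branches … */
```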
@@ -662,6 +686,12 @@
 	if (i != 0)
 	    retval = LIMIT_ERR;
     }
+#ifdef HAVE_SYS_CAPABILITY_H
+    if (!retval && pl->caps_set) {
+	retval = cap_set_proc(pl->capabilities) ? LIMIT_ERR : 0;
+	cap_free(pl->capabilities);
+    }
+#endif /* HAVE_SYS_CAPABILITY_H */
     return retval;
 }
 
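Review bot: `cap_free(pl->capabilities)` sits inside the `!retval && pl->caps_set` branch, so when an earlier rlimit failed (`retval` already LIMIT_ERR) the handle is never released, and after the free the struct still holds the dangling pointer. Release unconditionally and clear the pointer: `if (!retval && pl->caps_set)` / `retval = cap_set_proc(pl->capabilities) ? LIMIT_ERR : 0;` / `cap_free(pl->capabilities); pl->capabilities = NULL;`. This is also the natural place for the `prctl(PR_SET_KEEPCAPS, 1)` call currently made in the parser, with its result folded into `retval` so a failure to retain capabilities is reported rather than ignored. The enclosing function starts outside this hunk.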
Index: Linux-PAM/Make.Rules.in
===================================================================
--- Linux-PAM/Make.Rules.in	(revision 378)
+++ Linux-PAM/Make.Rules.in	(working copy)
@@ -113,7 +113,7 @@
 RANLIB=@RANLIB@
 STRIP=@STRIP@
 CC_STATIC=@CC_STATIC@
-
+LIBS=@LIBS@
 LINKLIBS = $(NEED_LINK_LIB_C) $(LIBDL)
 
 USESONAME=@USESONAME@
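Review bot: `LIBS=@LIBS@` is defined but nothing in the visible lines consumes it; `LINKLIBS` on the following line is unchanged and still lists only `$(NEED_LINK_LIB_C) $(LIBDL)`. If the intent is for pam_limits to link against libcap, either the module's own link rule must reference `$(LIBS)` (not visible here) or the value should be folded into the line that is used, e.g. `LINKLIBS = $(NEED_LINK_LIB_C) $(LIBDL) $(LIBS)`. Given that `@LIBS@` is populated for every link by the configure change, a narrower substitution such as `LIBCAP=@LIBCAP@` would avoid dragging -lcap into unrelated modules.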
Index: Linux-PAM/_pam_aconf.h.in
===================================================================
--- Linux-PAM/_pam_aconf.h.in	(revision 383)
+++ Linux-PAM/_pam_aconf.h.in	(working copy)
@@ -75,6 +75,8 @@
 /* read both confs - read /etc/pam.d and /etc/pam.conf in serial */
 #undef PAM_READ_BOTH_CONFS
 
+#undef HAVE_SYS_CAPABILITY_H
+
 #undef HAVE_PATHS_H
 #ifdef HAVE_PATHS_H
 #include <paths.h>
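Review bot: The new `#undef HAVE_SYS_CAPABILITY_H` is the only entry in this template without the explanatory comment its neighbours carry, so a reader has no hint that it switches on the pam_limits capability code and the Linux-only prctl include. Add a line above it such as `/* defined when <sys/capability.h> (libcap) is available; enables capability limits in pam_limits */`.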
@@ -82,6 +84,7 @@
 /* location of the mail spool directory */
 #undef PAM_PATH_MAILDIR
 
+
 /* where should we include setfsuid's prototype from? If this is not
    defined, we get it from unistd.h */
 #undef HAVE_SYS_FSUID_H
