The code in a SUID application could switch at will, through setuid(2), between the real and saved set-user-ID. So in this particular case, it should be possible to switch back to the real user ID immediately upon program start and continue this way until the socket(2) call is needed to open the raw socket. Just before this call, setuid() should be called to switch to the saved set-user-ID (which means switching to superuser privileges), and immediately after socket() has returned the descriptor, setuid() should be employed again to switch back to the real user ID (which means returning to executing as an ordinary user). And that's the whole magic. Now, I'm pretty sure that things are not actually that simple in the ping source code, but still I fail to see what advantage this complicated capabilities mechanism could have over careful code examination and applying proven techniques such as the one I tried to describe above.
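The bracketing described above, as an added C example that is not part of the original comment or of the ping source. It uses seteuid(2) for the temporary switches, because setuid(2) called with effective UID 0 also overwrites the saved set-user-ID and cannot be undone; the function names are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

static uid_t priv_euid; /* effective UID at exec time: 0 when installed SUID root */
/* Call first in main(): remember the privileged euid, then run as the real user.
 * seteuid(2) changes only the effective UID, so the saved set-user-ID survives. */
int priv_init(void)
{
    priv_euid = geteuid();
    return (seteuid(getuid()) == 0 && geteuid() == getuid()) ? 0 : -1;
}

/* Raise privileges for the socket(2) call only. Returns the descriptor, -1 if
 * the raise or socket(2) failed (errno set), -2 if the drop afterwards failed. */
int open_raw_icmp(void)
{
    int fd, err;
    if (seteuid(priv_euid) != 0)
        return -1;
    fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    err = errno;
    if (seteuid(getuid()) != 0 || geteuid() != getuid()) {
        if (fd >= 0) close(fd);
        return -2; /* still privileged: caller must exit, not continue */
    }
    errno = err;
    return fd;
}

/* After the socket is open: give up the saved set-user-ID as well.
 * Called with euid 0, setuid(2) sets real, effective and saved UID together. */
int priv_drop_forever(void)
{
    if (seteuid(priv_euid) != 0 || setuid(getuid()) != 0)
        return -1;
    if (priv_euid != getuid() && seteuid(priv_euid) == 0)
        return -1; /* privileges came back: the drop did not stick */
    return geteuid() == getuid() ? 0 : -1;
}

int main(void)
{
    int fd = priv_init() == 0 ? open_raw_icmp() : -2;
    if (fd == -2 || priv_drop_forever() != 0)
        return 1;
    return fd >= 0 ? 0 : 2;
}
```

Run without the set-user-ID bit, socket(2) normally fails with EPERM and the program exits with status 2, while every privilege transition still succeeds and is checked.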