Index: trunk/server/doc/install-howto.sh
===================================================================
--- trunk/server/doc/install-howto.sh	(revision 2246)
+++ trunk/server/doc/install-howto.sh	(revision 2298)
@@ -316,6 +316,6 @@
 python host.py push $server
 
-# This is superseded by credit-card, but only for [PRODUCTION]
-# Don't use credit-card on [WIZARD]: it will put in the wrong creds!
+# This is superseded by credit-card, which works for [PRODUCTION] and
+# [WIZARD].  We don't have an easy way of running credit-card for XVM...
 #
 #   # All types of servers will have an /etc/daemon.keytab file, however,
@@ -384,5 +384,7 @@
 
 # Check for unwanted setuid/setgid binaries
-    find / -xdev -not -perm -o=x -prune -o -type f -perm /ug=s -print | grep -Fxvf /etc/scripts/allowed-setugid.list 
+    find / -xdev -not -perm -o=x -prune -o -type f -perm /ug=s -print | grep -Fxvf /etc/scripts/allowed-setugid.list
+    find / -xdev -not -perm -o=x -prune -o -type f -print0 | xargs -0r /usr/sbin/getcap | cut -d' ' -f1 | grep -Fxvf /etc/scripts/allowed-filecaps.list
+    # You can prune binaries using 'chmod u-s' and 'chmod g-s'
 
 # Fix etc by making sure none of our config files got overwritten
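Review bot: The new capability check on the `getcap` line matches only the path (`cut -d' ' -f1`) against allowed-filecaps.list, so an allowlisted binary that later gains a broader capability set would still pass, and a path containing a space would be truncated before the comparison. Consider dropping the `cut` and storing full `getcap` output lines in the allowlist, keeping in mind that the output format differs between libcap versions, so the list would need regenerating on upgrade. The added hint also covers only the setuid/setgid result, since `chmod u-s`/`g-s` does not clear file capabilities; it could read `# You can prune binaries using 'chmod u-s' and 'chmod g-s', or 'setcap -r' for file capabilities`.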
@@ -425,4 +427,5 @@
 #   - We don't serve the web, so don't bind scripts.mit.edu
 #   - We don't serve LDAP, so use another server
+# XXX: Someone should write sed scripts to do this
 # This involves editing the following files:
         \rm /etc/sysconfig/network-scripts/ifcfg-lo:{0,1,2,3}
@@ -442,5 +445,4 @@
 #       with: server_host = ldap://scripts.mit.edu
 # to use scripts.mit.edu instead of localhost.
-# XXX: someone should write sed scripts to do this
 
 # [WIZARD/TESTSERVER] If you are setting up a non-production server,
@@ -449,5 +451,5 @@
     vim /home/afsagent/renew # replace all mentions of daemon.scripts.mit.edu
 
-# [TESTERVER]
+# [TESTSERVER]
 #   - You need a self-signed SSL cert or Apache will refuse to start
 #     or do SSL.  Generate with:
