revise excessive capabilities

Adam Outler
2026-01-04 15:53:34 +00:00
parent 8426b9bc2e
commit 16375abb51


@@ -1,7 +1,7 @@
#!/bin/sh
# POSIX-compliant shell script for capability checking.
# excessive-capabilities.sh checks that no more than the necessary
# NET_ADMIN NET_BIND_SERVICE and NET_RAW capabilities are present.
# CHOWN SETGID SETUID NET_ADMIN NET_BIND_SERVICE and NET_RAW capabilities are present.
# if we are running in devcontainer then we should exit immediately without checking
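Review bot: the header comment on the new line now lists six allowed capabilities instead of three, but nothing in the hunk records why CHOWN, SETGID and SETUID became necessary. Widening the allowed set is a relaxation of the check, so the comment should name the component that needs each of the three added bits (for example, which process drops privileges with SETUID/SETGID, or which path is chown'd at startup) so a later reviewer can tell whether they can be removed again. Minor: the list is missing commas, e.g. "CHOWN, SETGID, SETUID, NET_ADMIN, NET_BIND_SERVICE and NET_RAW".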
@@ -21,8 +21,8 @@ fi
#POSIX compliant base16 on permissions
BND_DEC=$(awk 'BEGIN { h = "0x'"$BND_HEX"'"; if (h ~ /^0x[0-9A-Fa-f]+$/) { printf "%d", h; exit 0 } else { exit 1 } }') || exit 0
# Allowed capabilities: NET_BIND_SERVICE (10), NET_ADMIN (12), NET_RAW (13)
ALLOWED_DEC=$(( ( 1 << 10 ) | ( 1 << 12 ) | ( 1 << 13 ) ))
# Allowed capabilities: CHOWN (0), SETGID (6), SETUID (7), NET_BIND_SERVICE (10), NET_ADMIN (12), NET_RAW (13)
ALLOWED_DEC=$(( ( 1 << 0 ) | ( 1 << 6 ) | ( 1 << 7 ) | ( 1 << 10 ) | ( 1 << 12 ) | ( 1 << 13 ) ))
# Check for excessive capabilities (any bits set outside allowed)
EXTRA=$(( BND_DEC & ~ALLOWED_DEC ))
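Review bot: the unchanged context line `BND_DEC=$(awk ... ) || exit 0` makes the check fail open: if BND_HEX is empty or not valid hex, the script exits 0 without printing anything, so a capability check that could not read the bounding set is reported as a pass. Since the new mask now also gates SETUID and SETGID, consider at least writing a notice to stderr before that `exit 0` so the silent skip is visible in the logs. The bit positions in the new mask (CHOWN 0, SETGID 6, SETUID 7, NET_BIND_SERVICE 10, NET_ADMIN 12, NET_RAW 13) match the kernel capability numbering, so the mask itself looks correct.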
@@ -32,8 +32,8 @@ if [ "$EXTRA" -ne 0 ]; then
══════════════════════════════════════════════════════════════════════════════
⚠️ Warning: Excessive capabilities detected (bounding caps: 0x$BND_HEX).
Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container.
Please remove unnecessary capabilities.
Only CHOWN, SETGID, SETUID, NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are
required in this container. Please remove unnecessary capabilities.
https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md
══════════════════════════════════════════════════════════════════════════════
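Review bot: the allowed capability list is now maintained by hand in three places (header comment, ALLOWED_DEC and this warning text), which is how the three lists drift apart; consider defining the names once and generating the message from that variable. Also, EXTRA is computed above but the warning only prints the full bounding set (0x$BND_HEX); printing the extra bits as well, e.g. `printf 'Extra bits: 0x%x\n' "$EXTRA"`, would tell the user exactly which capabilities to remove instead of leaving them to decode the mask.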