diff --git a/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh b/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh
index 4aae3c3f..4a8b85a9 100755
--- a/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh
+++ b/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 # POSIX-compliant shell script for capability checking.
 # excessive-capabilities.sh checks that no more than the necessary
-# NET_ADMIN NET_BIND_SERVICE and NET_RAW capabilities are present.
+# CHOWN SETGID SETUID NET_ADMIN NET_BIND_SERVICE and NET_RAW capabilities are present.
 # if we are running in devcontainer then we should exit immediately without checking
@@ -21,8 +21,8 @@ fi
 #POSIX compliant base16 on permissions
 BND_DEC=$(awk 'BEGIN { h = "0x'"$BND_HEX"'"; if (h ~ /^0x[0-9A-Fa-f]+$/) { printf "%d", h; exit 0 } else { exit 1 } }') || exit 0
-# Allowed capabilities: NET_BIND_SERVICE (10), NET_ADMIN (12), NET_RAW (13)
-ALLOWED_DEC=$(( ( 1 << 10 ) | ( 1 << 12 ) | ( 1 << 13 ) ))
+# Allowed capabilities: CHOWN (0), SETGID (6), SETUID (7), NET_BIND_SERVICE (10), NET_ADMIN (12), NET_RAW (13)
+ALLOWED_DEC=$(( ( 1 << 0 ) | ( 1 << 6 ) | ( 1 << 7 ) | ( 1 << 10 ) | ( 1 << 12 ) | ( 1 << 13 ) ))
 # Check for excessive capabilities (any bits set outside allowed)
 EXTRA=$(( BND_DEC & ~ALLOWED_DEC ))
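Review bot: The header comment now lists CHOWN, SETGID and SETUID as necessary but gives no reason, so a later reader auditing this allow-list cannot tell whether they are still needed or safe to drop; add one line naming the entrypoint step that requires them, along the lines of `# CHOWN, SETGID, SETUID: required by <entrypoint step that fixes ownership / drops privileges> — see <doc or script>` with the placeholders filled in (presumably a privilege-drop step, but the diff does not show it). The same six names are also spelled out independently in the mask comment and in the warning text of the second and third hunks, so all three places must be kept in step by hand on every change.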
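Review bot: The new mask matches the kernel numbering (CAP_CHOWN 0, CAP_SETGID 6, CAP_SETUID 7, CAP_NET_BIND_SERVICE 10, CAP_NET_ADMIN 12, CAP_NET_RAW 13), but the allow-list is now a bare run of shifts whose meaning lives only in the comment above it, and the warning text in the third hunk repeats the names separately. Deriving the mask from one named list lets the message reuse the same variable and makes a misspelled or unknown name fail loudly instead of silently widening or narrowing the check. A POSIX-sh form that keeps the existing `ALLOWED_DEC` name for the `EXTRA` computation below:
```shell
# Allowed capabilities by name; the mask and the warning text are both derived from this list.
ALLOWED_CAPS="CHOWN SETGID SETUID NET_BIND_SERVICE NET_ADMIN NET_RAW"
ALLOWED_DEC=0
for cap in $ALLOWED_CAPS; do
  case "$cap" in
    CHOWN)            bit=0 ;;
    SETGID)           bit=6 ;;
    SETUID)           bit=7 ;;
    NET_BIND_SERVICE) bit=10 ;;
    NET_ADMIN)        bit=12 ;;
    NET_RAW)          bit=13 ;;
    *) printf 'excessive-capabilities.sh: unknown capability %s\n' "$cap" >&2; exit 1 ;;
  esac
  ALLOWED_DEC=$(( ALLOWED_DEC | ( 1 << bit ) ))
done
# … unchanged: EXTRA computation …
```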
@@ -32,8 +32,8 @@ if [ "$EXTRA" -ne 0 ]; then
 ══════════════════════════════════════════════════════════════════════════════
 ⚠️ Warning: Excessive capabilities detected (bounding caps: 0x$BND_HEX).
- Only NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are required in this container.
- Please remove unnecessary capabilities.
+ Only CHOWN, SETGID, SETUID, NET_ADMIN, NET_BIND_SERVICE, and NET_RAW are
+ required in this container. Please remove unnecessary capabilities.
 https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/excessive-capabilities.md
 ══════════════════════════════════════════════════════════════════════════════
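Review bot: The warning tells the operator that extra capabilities exist but not which ones, so they still have to decode `0x$BND_HEX` by hand against the mask; `$EXTRA` already holds exactly the offending bits, so printing it alongside the bounding set makes the message actionable: `⚠️ Warning: Excessive capabilities detected (bounding caps: 0x$BND_HEX, not on the allow-list: 0x$(printf '%x' "$EXTRA")).`. Since `$BND_HEX` already expands on that line the here-document is unquoted, so the command substitution will run; `printf '%x'` is POSIX and avoids another awk call. The `if` and the here-document this text sits in start and end outside the hunk.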