EDIT: Sorted. I've added new lines into this otherwise it just widens out the forum (posting) width too much)
This (I think) runs seamonkey-spot with additionally many capabilities also dropped
Code: Select all
#!/bin/sh
cd /home/spot
capsh --drop=cap_dac_override,cap_dac_read_search,cap_fsetid,
cap_kill,cap_setpcap,cap_linux_immutable,cap_net_bind_service,
cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,
cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,
cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,
cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,
cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,
cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,
cap_block_suspend,cap_audit_read -- /usr/bin/seamonkey-spot
Also serves as a reminder to not forget to change the default woofwoof root password ... as otherwise spot can easily/commonly su into root.