Bug 209873

Summary:	capsh argument "==" does not work reliably
Product:	Tools	Reporter:	Andrew G. Morgan (morgan)
Component:	libcap	Assignee:	Andrew G. Morgan (morgan)
Status:	RESOLVED CODE_FIX
Severity:	normal
Priority:	P1
Hardware:	All
OS:	Linux
Kernel Version:	a/a	Subsystem:
Regression:	No	Bisected commit-id:

Description Andrew G. Morgan 2020-10-26 15:15:11 UTC

[This bug was reported via email by Marcus Gelderie.]

The "==" argument is supposed to re-exec capsh with the remaining command line arguments. It only works reliably if you explicitly specify the full pathname of the capsh file. For example:

$ /sbin/capsh == --print
Current: =
[...]

However, if you rely on the PATH to find capsh it fails with a misleading error:

$ PATH=/sbin capsh == --print
execve /bin/bash failed!

There are two issues here:

1. The "==" attempt fails in this latter case
2. The error is displaying the shell path and not the failed capsh binary path.

This fails at HEAD.

There is a subtlety at work here related to --chroot. There may not be a capsh present at the same location in the PATH after the chroot.

We'll resolve this bug when 1 and 2 are no longer true and we've documented how things work in the case of chroot use.

Comment 1 Andrew G. Morgan 2020-10-28 03:26:21 UTC

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=68240b124cc62744a7a412a7afc85b5c56a48e14

Comment 2 Andrew G. Morgan 2020-10-28 13:01:02 UTC

Bug fix still needed.

Comment 3 Andrew G. Morgan 2020-10-28 14:01:54 UTC

https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=9d8eaab7f74cf1d925910901e5181173ab11d14d