Bug 215926

All versions of capsh that support the --user argument generate some complaints from bash when changing user. For example:

$ sudo /sbin/capsh --user=$(whoami) --
bash: /root/.bashrc: Permission denied
$ 

I've been looking into this and it appears that what is going wrong is capsh is not fixing up the HOME environment variable when the user ids are changed. Bash uses what it gets for HOME, and since the sudo wrapper has set HOME to /root the resulting error makes sense.

I'm filing this bug so I can reference it in the https://sites.google.com/site/fullycapable/inheriting-privilege article. When I originally wrote that, I chose not to dig into why it happened and found a workaround to use in the examples. One such example was this:

$ sudo capsh --user=$(whoami) --iab='^cap_setuid' -- --norc

The --norc argument (supplied to bash) skips trying to parse /root/.bashrc so that muted the error.

I'm going to modify capsh to, by default, change USER and HOME environment variables when --user= is specified. I'm going to provide an override for this that will resurrect the annoying legacy behavior. To do this, you should precede  --user with --noenv.

After I've released the next libcap (it will be libcap-2.65 release date undecided) this error will no longer be present. I'll also trim that article to not use the --norc flag. (It is that documentation change that I want to point back to this bug for an explanation.)