Bug 209873 - capsh argument "==" does not work reliably
Summary: capsh argument "==" does not work reliably
Status: RESOLVED CODE_FIX
Alias: None
Product: Tools
Classification: Unclassified
Component: libcap (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: Andrew G. Morgan
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-26 15:15 UTC by Andrew G. Morgan
Modified: 2020-10-28 14:01 UTC (History)
0 users

See Also:
Kernel Version: a/a
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Andrew G. Morgan 2020-10-26 15:15:11 UTC 
[This bug was reported via email by Marcus Gelderie.]

The "==" argument is supposed to re-exec capsh with the remaining command line arguments. It only works reliably if you explicitly specify the full pathname of the capsh file. For example:

$ /sbin/capsh == --print
Current: =
[...]

However, if you rely on the PATH to find capsh it fails with a misleading error:

$ PATH=/sbin capsh == --print
execve /bin/bash failed!

There are two issues here:

1. The "==" attempt fails in this latter case
2. The error is displaying the shell path and not the failed capsh binary path.

This fails at HEAD.

There is a subtlety at work here related to --chroot. There may not be a capsh present at the same location in the PATH after the chroot.

We'll resolve this bug when 1 and 2 are no longer true and we've documented how things work in the case of chroot use.
Comment 2 Andrew G. Morgan 2020-10-28 13:01:02 UTC 
Bug fix still needed.
Note You need to log in before you can comment on or make changes to this bug.