I just spent a few minutes debugging this one, so I'm filing a bug about it in case someone else runs into it. When you try this in the libcap git sandbox build tree on a machine recently upgraded to Fedora 35 from an earlier Fedora release you get a segfault: $ make distclean all [...] $ ./capsh --print Current: = Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_ net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore Ambient set = Current IAB: Securebits: 00/0x0/1'b0 (no-new-privs=0) secure-noroot: no (unlocked) secure-no-suid-fixup: no (unlocked) secure-keep-caps: no (unlocked) secure-no-ambient-raise: no (unlocked) Segmentation fault (core dumped) $ gdb ./capsh (gdb) run --print [...] Current IAB: Program received signal SIGSEGV, Segmentation fault. sss_cli_check_socket (errnop=errnop@entry=0x501368, timeout=300000, socket_name=<synthetic pointer>) at src/sss_client/common.c:644 644 ret = fstat(sss_cli_sd, &mysb); (gdb) bt #0 sss_cli_check_socket (errnop=errnop@entry=0x501368, timeout=300000, socket_name=<synthetic pointer>) at src/sss_client/common.c:644 #1 0x00007ffff7fcd138 in sss_nss_make_request_timeout (timeout=300000, errnop=0x501368, replen=0x7fffffffd5d0, repbuf=0x7fffffffd5d8, rd=0x7fffffffd5e0, cmd=SSS_NSS_GETPWUID) at src/sss_client/common.c:735 #2 sss_nss_make_request (cmd=cmd@entry=SSS_NSS_GETPWUID, rd=rd@entry=0x7fffffffd5e0, repbuf=repbuf@entry=0x7fffffffd5d8, replen=replen@entry=0x7fffffffd5d0, errnop=errnop@entry=0x501368) at src/sss_client/common.c:787 #3 0x00007ffff7fce1a4 in _nss_sss_getpwuid_r (uid=2000, result=0x4ff080 <resbuf>, buffer=0x502d40 "\240\204O", buflen=1024, errnop=0x501368) at src/sss_client/nss_passwd.c:304 #4 0x000000000045556f in getpwuid_r () #5 0x0000000000455003 in getpwuid () #6 0x0000000000402ca2 in main () (gdb) The issue was that "/etc/nsswitch.conf" had been auto-upgraded to include these lines: [...] passwd: sss files systemd shadow: files sss group: sss files systemd [...] It looks like some auto updating stuff messed up in some way, since sssd is not configured to run on my upgraded machine. I was able to fix the problem by editing the above file to read: [...] passwd: files sss systemd shadow: files sss group: files sss systemd [...]
This bug explains how to resolve itself.
Also, note static compilation still fails even in this way if you try to sudo ./capsh --uid=1234 --print when the uid value you choose is unknown. This has been broken for static compilation forever on Fedora/glibc/?? when compiling statically. Indeed, there are a number of compilation warnings to the effect that this is not supposed to work, but I'm ever hopeful it will be fixed. $ sudo gdb ./capsh (gdb) run --uid=1234 --print Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7fccbe0 in sss_cli_check_socket.constprop () from /lib64/libnss_sss.so.2 Missing separate debuginfos, use: dnf debuginfo-install sssd-client-2.7.3-1.fc35.x86_64 (gdb) bt #0 0x00007ffff7fccbe0 in sss_cli_check_socket.constprop () from /lib64/libnss_sss.so.2 #1 0x00007ffff7fcd138 in sss_nss_make_request () from /lib64/libnss_sss.so.2 #2 0x00007ffff7fce1a4 in _nss_sss_getpwuid_r () from /lib64/libnss_sss.so.2