From fbc96cdd1741021f3d18e49eac3757297aaba851 Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Fri, 19 Feb 2021 11:34:39 -0500
Subject: [PATCH] Only drop all caps in exec when non-root

We were dropping too many capabilities otherwise, which broke some critical system tools (e.g. useradd) in exec sessions. Fix RHBZ#1930552
Signed-off-by: Matthew Heon
---
 libpod/oci_conmon_linux.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libpod/oci_conmon_linux.go b/libpod/oci_conmon_linux.go
index d5973a1a6..18ede031e 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -1107,7 +1107,7 @@ func prepareProcessExec(c *Container, cmd, env []string, tty bool, cwd, user, se
 pspec.Capabilities.Effective = []string{}
 if privileged {
 pspec.Capabilities.Bounding = allCaps
- } else {
+ } else if execUser.Uid != 0 {
 pspec.Capabilities.Bounding = []string{}
 }
 pspec.Capabilities.Inheritable = pspec.Capabilities.Bounding
--
2.29.2
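Review bot: With `} else if execUser.Uid != 0 {` the non-privileged root case has no branch of its own, so a root exec keeps whatever `pspec.Capabilities.Bounding` held before this block; that initial value is set outside the hunk (presumably the container's configured capability set, and it is worth confirming it can never be wider than what the container itself runs with). I would make the fall-through explicit with a comment above the `if`, e.g. `// Non-privileged root exec keeps the container's own bounding set; only non-root execs are stripped to empty.` `Effective` is still reset to `[]string{}` just above, so whether a root exec actually regains effective capabilities depends on code after the hunk; prepareProcessExec starts and ends outside it. Separately, the `diff --git` line names `libpod/oci_conmon_linux.go` while the `---`/`+++` lines name `libpod/oci.go`, so the patch should be checked against the intended tree before it is applied.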