Sigh. Compiling capsh statically and we get no getpw*() functions.

This is, at least, true on my Fedora-based system. The chroot tests
won't work with a dynamic binary, so stop using --user and use --uid instead.

Signed-off-by: Andrew G. Morgan <>
diff --git a/progs/ b/progs/
index ca6bf1e..48c9b9e 100755
--- a/progs/
+++ b/progs/
@@ -89,21 +89,25 @@
     exit 0
+# nobody's uid. Static compilation of the capsh binary can disable pwd
+# info discovery.
+nouid=$(/usr/bin/id nobody -u)
 pass_capsh --secbits=42 --print
 fail_capsh --secbits=32 --keep=1 --keep=0 --print
 pass_capsh --secbits=10 --keep=0 --keep=1 --print
-fail_capsh --secbits=47 -- -c "./tcapsh --user=nobody"
+fail_capsh --secbits=47 -- -c "./tcapsh --uid=$nouid"
 rm -f tcapsh
 # Suppress uid=0 privilege
-fail_capsh --secbits=47 --print -- -c "./capsh --user=nobody"
+fail_capsh --secbits=47 --print -- -c "./capsh --uid=$nouid"
 # suppress uid=0 privilege and test this privileged
-pass_capsh --secbits=0x2f --print -- -c "./privileged --user=nobody"
+pass_capsh --secbits=0x2f --print -- -c "./privileged --uid=$nouid"
 # observe that the bounding set can be used to suppress this forced capability
-fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --user=nobody"
+fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --uid=$nouid"
 # change the way the capability is obtained (make it inheritable)
 ./setcap cap_setuid,cap_setgid=ei ./privileged
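Review bot: `nouid=$(/usr/bin/id nobody -u)` is never checked, so if the `nobody` lookup fails the variable is empty and every `--uid=$nouid` below (including the one in the "Max lockdown" hunk) becomes `--uid=`. How capsh parses an empty value is not visible here; if it is read as 0, the `pass_capsh` cases would run without leaving uid 0 and the suite would stop verifying the privilege drop. I would fail early and put the option before the operand, as POSIX-style option parsing expects: `nouid=$(/usr/bin/id -u nobody) || exit 1` followed by `[ -n "$nouid" ] || exit 1`.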
@@ -111,7 +115,7 @@
 # Note, the bounding set (edited with --drop) only limits p
 # capabilities, not i's.
 pass_capsh --secbits=47 --inh=cap_setuid,cap_setgid --drop=cap_setuid \
-    --uid=500 --print -- -c "./privileged --user=nobody"
+    --uid=500 --print -- -c "./privileged --uid=$nouid"
 rm -f ./privileged
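Review bot: With `--uid=$nouid` the inner `./privileged` call changes only the uid, whereas `--user=nobody` (per the capsh documentation) also set the gid and supplementary groups. The `cap_setgid` granted by the `./setcap cap_setuid,cap_setgid=ei ./privileged` line just before this hunk and by `--inh=cap_setuid,cap_setgid` is therefore no longer exercised. If this capsh build supports `--gid`, consider resolving the group as well, e.g. `nogid=$(/usr/bin/id -g nobody)` and `-c "./privileged --gid=$nogid --uid=$nouid"`, so the test still covers dropping the group identity. The same reduction in coverage applies to the other `--user=nobody` replacements in this patch.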
@@ -139,7 +143,7 @@
 # Max lockdown
-pass_capsh --keep=1 --user=nobody --caps=cap_setpcap=ep \
+pass_capsh --keep=1 --uid=$nouid --caps=cap_setpcap=ep \
     --drop=all --secbits=0x2f --caps= --print
 # Verify we can chroot