cmd/run: Ensure that 'run' has the same container environment as 'enter'

Currently, commands invoked using 'toolbox run' have a different
environment than the interactive environment offered by 'toolbox enter'.
This is because 'toolbox run' was invoking the commands using something
like this:
  $ bash -c 'exec "$@"' bash [COMMAND]

... whereas, 'toolbox enter' was using something like this:
  $ bash -c 'exec "$@"' bash bash --login

In the first case, the helper Bash shell is a non-interactive non-login
shell.  This means that it doesn't read any of the usual start-up files,
and, hence, it doesn't pick up anything that's specified in them.  It
runs with the default environment variables set up by Podman and the
Toolbx image, plus the environment variables set by Toolbx itself.

In the second case, even though the helper Bash shell is still the same
as the first, it eventually invokes a login shell, which runs the usual
set of start-up files and picks up everything that's specified in them.

Therefore, to ensure parity, 'toolbox run' should always have a login
shell in the call chain inside the Toolbx container.

The easiest option is to always use a helper shell that's a login shell
with 'toolbox run', but not 'toolbox enter' so as to avoid reading the
same start-up files twice, due to two login shells in the call chain.
It will still end up reading the same start-up files twice, if someone
tried to invoke a login shell through 'toolbox run', which is fine.
It's very difficult to be sure that the user is invoking a login shell
through 'toolbox run', and it's not what most users will be doing.

https://github.com/containers/toolbox/issues/1076

src/cmd/run.go

@@ -300,7 +300,12 @@ func runCommandWithFallbacks(container string, command []string, emitEscapeSeque
 	workDir := workingDirectory
 
 	for {
-		execArgs := constructExecArgs(container, command, detachKeysSupported, envOptions, workDir)
+		execArgs := constructExecArgs(container,
+			command,
+			detachKeysSupported,
+			envOptions,
+			fallbackToBash,
+			workDir)
 
 		if emitEscapeSequence {
 			fmt.Printf("\033]777;container;push;%s;toolbox;%s\033\\", container, currentUser.Uid)
@@ -421,8 +426,14 @@ func callFlatpakSessionHelper(container string) error {
 	return nil
 }
 
-func constructCapShArgs(command []string) []string {
+func constructCapShArgs(command []string, useLoginShell bool) []string {
-	capShArgs := []string{"capsh", "--caps=", "--", "-c", "exec \"$@\"", "bash"}
+	capShArgs := []string{"capsh", "--caps=", "--"}
+
+	if useLoginShell {
+		capShArgs = append(capShArgs, []string{"--login"}...)
+	}
+
+	capShArgs = append(capShArgs, []string{"-c", "exec \"$@\"", "bash"}...)
 	capShArgs = append(capShArgs, command...)
 
 	return capShArgs
@@ -432,6 +443,7 @@ func constructExecArgs(container string,
 	command []string,
 	detachKeysSupported bool,
 	envOptions []string,
+	fallbackToBash bool,
 	workDir string) []string {
 	var detachKeys []string
 
@@ -470,7 +482,7 @@ func constructExecArgs(container string,
 		container,
 	}...)
 
-	capShArgs := constructCapShArgs(command)
+	capShArgs := constructCapShArgs(command, !fallbackToBash)
 	execArgs = append(execArgs, capShArgs...)
 
 	return execArgs

test/system/104-run.bats

@@ -13,6 +13,21 @@ teardown() {
   cleanup_containers
 }
 
+@test "run: Ensure that a login shell is used to invoke the command" {
+  create_default_container
+
+  cp "$HOME"/.bash_profile "$HOME"/.bash_profile.orig
+  echo "echo \"~/.bash_profile read\"" >>"$HOME"/.bash_profile
+
+  run $TOOLBOX run true
+
+  mv "$HOME"/.bash_profile.orig "$HOME"/.bash_profile
+
+  assert_success
+  assert_line --index 0 "~/.bash_profile read"
+  assert [ ${#lines[@]} -eq 1 ]
+}
+
 @test "run: Try to run a command in the default container with no containers created" {
   local default_container_name="$(get_system_id)-toolbox-$(get_system_version)"