Use capsh to ensure file capabilities aren't set

stage2/01-sys-tweaks/01-run.sh

@@ -10,7 +10,7 @@ install -m 644 files/ttyoutput.conf			${ROOTFS_DIR}/etc/systemd/system/rc-local.
 install -m 644 files/50raspi				${ROOTFS_DIR}/etc/apt/apt.conf.d/
 
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 systemctl disable hwclock.sh
 systemctl disable nfs-common
 systemctl disable rpcbind
@@ -20,7 +20,7 @@ systemctl enable apply_noobs_os_config
 systemctl enable resize2fs_once
 EOF
 
-on_chroot sh -e - << \EOF
+on_chroot << \EOF
 for GRP in input spi i2c gpio; do
 	groupadd -f -r $GRP
 done
@@ -29,11 +29,11 @@ for GRP in adm dialout cdrom audio users sudo video games plugdev input gpio spi
 done
 EOF
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 setupcon --force --save-only -v
 EOF
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 usermod --pass='*' root
 EOF
 

stage2/03-cleanup/00-run.sh

@@ -1,5 +1,5 @@
 #!/bin/bash -e
 
-on_chroot sh -e - <<EOF
+on_chroot << EOF
 apt-get clean
 EOF