From 7e2d91e53ddbc79f7fff287c05adf4eebb2ba228 Mon Sep 17 00:00:00 2001
From: Alexei Znamensky <103110+russoz@users.noreply.github.com>
Date: Tue, 5 Aug 2025 06:00:39 +1200
Subject: [PATCH] capabilities: command args as list rather than string (#10524)
* capabilities: command args as list rather than string
* add changelog frag
---
 changelogs/fragments/10524-capabilities-cmd-list.yml | 2 ++
 plugins/modules/capabilities.py | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/10524-capabilities-cmd-list.yml
diff --git a/changelogs/fragments/10524-capabilities-cmd-list.yml b/changelogs/fragments/10524-capabilities-cmd-list.yml
new file mode 100644
index 0000000000..e6af832b5c
--- /dev/null
+++ b/changelogs/fragments/10524-capabilities-cmd-list.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - capabilities - using safer mechanism to run external command (https://github.com/ansible-collections/community.general/pull/10524).
diff --git a/plugins/modules/capabilities.py b/plugins/modules/capabilities.py
index 08bd2e85ff..625de99b44 100644
--- a/plugins/modules/capabilities.py
+++ b/plugins/modules/capabilities.py
@@ -109,7 +109,7 @@ class CapabilitiesModule(object):
 def getcap(self, path):
 rval = []
- cmd = "%s -v %s" % (self.getcap_cmd, path)
+ cmd = [self.getcap_cmd, "-v", path]
 rc, stdout, stderr = self.module.run_command(cmd)
 # If file xattrs are set but no caps are set the output will be:
 # '/foo ='
@@ -144,7 +144,7 @@ class CapabilitiesModule(object):
 def setcap(self, path, caps):
 caps = ' '.join([''.join(cap) for cap in caps])
- cmd = "%s '%s' %s" % (self.setcap_cmd, caps, path)
+ cmd = [self.setcap_cmd, caps, path]
 rc, stdout, stderr = self.module.run_command(cmd)
 if rc != 0:
 self.module.fail_json(msg="Unable to set capabilities of %s" % path, stdout=stdout, stderr=stderr)
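Review bot: In the getcap hunk, `path` is placed in the argv list directly after `-v`, so a value beginning with `-` would presumably still be parsed by getcap as an option rather than a file name; the list form removes word splitting but not that. The same applies to `cmd = [self.setcap_cmd, caps, path]` in the setcap hunk. How `path` is validated is not visible in this patch; if nothing upstream normalizes it, resolving it before building the command, e.g. `path = os.path.abspath(path)` (assuming `os` is available in this module), would keep it from being read as a flag. getcap's body continues past the last context line of the hunk.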
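Review bot: The new `cmd = [self.setcap_cmd, caps, path]` in the setcap hunk depends on `caps` staying a single list element, which the removed `'%s'` quoting made visible and the new line does not. A one-line comment above it would keep a later edit from splitting the joined string into separate arguments, for example `# caps is deliberately one argv element: the space-joined clauses go to setcap as a single argument`. setcap's body may continue past the `fail_json` line that closes the hunk.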