diff --git a/infra/image/shcontainer b/infra/image/shcontainer
index 018fac8c207e58d203206b47fd0aa4bcd10b1d12..3b6c49689fe9f3b2be93dbf76b88dcd6e39dd2cc 100644
--- a/infra/image/shcontainer
+++ b/infra/image/shcontainer
@@ -4,6 +4,7 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
+# shellcheck disable=SC1091
 . "${SCRIPTDIR}/shdefaults"
 # shellcheck disable=SC1091
@@ -15,7 +16,8 @@ container_create() {
 shift 2
 declare -a extra_opts
 readarray -t extra_opts < \
- <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" <<< "${CAP_DEFAULTS[@]}")
+ <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" \
+ <<< "$(printf '%s\n' "${CAP_DEFAULTS[@]}")")
 for opt in "$@"
 do
 [ -z "${opt}" ] && continue
diff --git a/infra/image/shdefaults b/infra/image/shdefaults
index 86c50ab490e922b3a0412309c70c2d13561cb095..b5768cca05861ab5374b26130d0200b4ca6fcd04 100644
--- a/infra/image/shdefaults
+++ b/infra/image/shdefaults
@@ -5,4 +5,5 @@
 # Use +CAP to add the capability and -CAP to drop the capability.
 CAP_DEFAULTS=(
 "+DAC_READ_SEARCH" # Required for SSSD
+ "+SYS_PTRACE" # Required for debugging
 )
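Review bot: In the container_create hunk of infra/image/shcontainer, both sed expressions are unanchored and global, so a `-` or `+` anywhere in a CAP_DEFAULTS entry is rewritten, and an entry with no sign prefix passes into extra_opts unchanged. Anchoring on the leading sign matches the `+CAP`/`-CAP` convention documented in shdefaults: `sed -e 's/^-/--cap-drop=/' -e 's/^+/--cap-add=/'`. As a matter of style, the nested `<<< "$(printf ...)"` could be a plain pipe inside the process substitution, `<(printf '%s\n' "${CAP_DEFAULTS[@]}" | sed ...)`. container_create starts above this hunk and continues past it, so how extra_opts reaches the container runtime is not visible here.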
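Review bot: Adding `"+SYS_PTRACE"` to CAP_DEFAULTS in infra/image/shdefaults grants CAP_SYS_PTRACE to every container that container_create builds from these defaults, not only to debugging sessions. The capability lets a process trace and modify other processes visible to it, so it widens what a compromised service inside the container can do. If these images are only ever used for disposable test runs, the comment should say so, e.g. `"+SYS_PTRACE"  # Debugging only; test containers, not for production images`. Otherwise consider keeping it out of the defaults and supplying `--cap-add=SYS_PTRACE` per call when a debug session needs it; container_create already loops over `"$@"` in the other file, presumably for such extra options.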