"Jason A. Donenfeld" <[email protected]> writes:

> On Wed, Jan 13, 2021 at 5:46 PM Toke Høiland-Jørgensen <[email protected]> wrote:
>> 5. also requires CAP_SYS_ADMIN (and I think by extension, so does 3.,
>> and 4.). From 'man setns':
>>
>>        Network, IPC, time, and UTS namespaces
>>               In order to reassociate itself with a new network, IPC,
>>               time, or UTS namespace, the caller must have the
>>               CAP_SYS_ADMIN capability both in its own user namespace
>>               and in the user namespace that owns the target namespace.
>
> For this, you just create a new user namespace first. You can try it
> yourself from the command line:
>
> zx2c4@thinkpad ~ $ unshare -n
> unshare: unshare failed: Operation not permitted
> zx2c4@thinkpad ~ $ unshare -Un
> nobody@thinkpad ~ $ ip a
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Ah, right, of course, silly me :)

-Toke
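The exchange above turns on one fact: an unprivileged process gets CAP_SYS_ADMIN inside a user namespace it creates, so `unshare -Un` succeeds where `unshare -n` fails. Whether that is possible at all is a per-host policy decision, which is what an administrator hardening a machine usually wants to check. The following probe is an added example and not code from the thread or from either author; it assumes a Linux host with /proc mounted, reads the upstream `user.max_user_namespaces` sysctl and the Debian/Arch-specific `kernel.unprivileged_userns_clone` knob (absent on most other kernels), and then performs the same two-step unshare(2) the thread describes inside a forked child so the calling process keeps its own namespaces.

```python
"""Check whether an unprivileged process on this host can obtain a fresh
network namespace by creating a user namespace first (unshare -Un).

Added example; assumes Linux with /proc. Not code from the thread."""
import ctypes
import ctypes.util
import os

# Flag values from <linux/sched.h>; the same bits the unshare(1) tool uses.
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000

# Upstream knob (0 disables user namespaces for everyone) and the
# Debian/Arch patch knob (0 restricts creation to CAP_SYS_ADMIN).
MAX_USER_NS = "/proc/sys/user/max_user_namespaces"
UNPRIV_CLONE = "/proc/sys/kernel/unprivileged_userns_clone"


def read_sysctl(path):
    """Return the sysctl's text value, or None if the file does not exist."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def classify(max_user_ns, unpriv_clone):
    """Interpret the two sysctl values (strings or None) and return
    (verdict, reason) where verdict is 'disabled', 'allowed' or 'unknown'."""
    if max_user_ns is not None and int(max_user_ns) == 0:
        return "disabled", "user.max_user_namespaces=0"
    if unpriv_clone is not None and int(unpriv_clone) == 0:
        return "disabled", "kernel.unprivileged_userns_clone=0"
    if max_user_ns is None:
        return "unknown", "no user.max_user_namespaces sysctl on this kernel"
    return "allowed", "sysctls do not forbid unprivileged user namespaces"


def probe_unshare(flags):
    """Call unshare(2) with the given flags in a forked child and return 0 on
    success or the errno the child saw. The parent is never moved."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    pid = os.fork()
    if pid == 0:
        rc = libc.unshare(flags)
        os._exit(0 if rc == 0 else ctypes.get_errno())
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


def main():
    verdict, reason = classify(read_sysctl(MAX_USER_NS), read_sysctl(UNPRIV_CLONE))
    print(f"sysctl policy: {verdict} ({reason})")
    # Same two attempts as in the thread: a bare netns, then user+net together.
    for label, flags in (("CLONE_NEWNET", CLONE_NEWNET),
                         ("CLONE_NEWUSER|CLONE_NEWNET", CLONE_NEWUSER | CLONE_NEWNET)):
        err = probe_unshare(flags)
        print(f"unshare({label}): {'ok' if err == 0 else os.strerror(err)}")


if __name__ == "__main__":
    main()
```

On a default desktop kernel the first attempt reports "Operation not permitted" and the second succeeds, matching Jason's shell session; on a host with `user.max_user_namespaces=0`, or under a container seccomp profile that filters unshare(2), both fail, which is the configuration to expect when a service should not be able to mint its own namespaces. Note that a uid_map is deliberately not written here, which is why the thread's shell shows `nobody` after `unshare -Un`.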
