User namespaces progress
Posted Jan 3, 2013 3:31 UTC (Thu) by mkerrisk
In reply to: User namespaces progress
Parent article: User namespaces progress
So, what stops an unprivileged process from creating a new user namespace, so acquiring CAP_BIND in the new namespace, then binding a privileged port?
I think the answer there is that while the unprivileged process that creates a user namespace gets all privileges for operations inside the namespace, that doesn't give it privilege for operations on objects (e.g., a network namespace) outside the user namespace. To do what you are thinking of would require creating a network namespace inside the user namespace; you could then bind to privileged ports inside that network namespace.
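The distinction above (privilege inside the new user namespace versus privilege over a network namespace that is still owned by the initial user namespace) is easy to observe directly. The following Python script is an added example, not code from the comment author; it assumes Linux with unrestricted user namespaces and an unprivileged caller, and uses the real capability that bind(2) checks for ports below 1024, CAP_NET_BIND_SERVICE, via ns_capable() against the user namespace that owns the socket's network namespace. It forks a child, calls unshare(2) with the given flags, and attempts to bind a privileged port in three cases: no new namespaces, a new user namespace only, and a new user namespace plus a new network namespace owned by it.

```python
import ctypes
import errno
import json
import os
import socket

# Flags for unshare(2); values from <linux/sched.h>.
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000

# Ports below 1024 (default threshold) need CAP_NET_BIND_SERVICE in the
# user namespace that owns the *network* namespace the socket lives in.
PRIVILEGED_PORTS = (80, 443, 1023)

_libc = ctypes.CDLL(None, use_errno=True)
_libc.unshare.argtypes = [ctypes.c_int]
_libc.unshare.restype = ctypes.c_int


def try_bind_privileged(ports=PRIVILEGED_PORTS):
    """Bind an IPv4 socket to the first usable privileged port.

    Returns 0 on success or the errno of the failure. EADDRINUSE is
    skipped: it only says the port is taken in this network namespace,
    nothing about privilege.
    """
    last = errno.EADDRINUSE
    for port in ports:
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        except OSError as e:  # socket() itself refused (e.g. seccomp)
            return e.errno
        try:
            s.bind(("0.0.0.0", port))  # INADDR_ANY: no dependency on lo being up
            return 0
        except OSError as e:
            last = e.errno
            if e.errno != errno.EADDRINUSE:
                return e.errno
        finally:
            s.close()
    return last


def probe(flags):
    """Fork a child, unshare(flags) there, then attempt the bind.

    Returns {"unshare_errno": int, "bind_errno": int|None}; bind_errno
    is None when unshare itself failed (e.g. user namespaces disabled).
    """
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child
        os.close(r)
        result = {"unshare_errno": 0, "bind_errno": None}
        if _libc.unshare(flags) != 0:
            result["unshare_errno"] = ctypes.get_errno()
        else:
            # No uid_map is written: the creator already holds a full
            # capability set in the new user namespace, which is what
            # bind(2) consults through ns_capable(net->user_ns, ...).
            result["bind_errno"] = try_bind_privileged()
        os.write(w, json.dumps(result).encode())
        os._exit(0)
    os.close(w)
    data = b""
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        data += chunk
    os.close(r)
    os.waitpid(pid, 0)
    return json.loads(data)


def compare():
    """Run the three cases the comment contrasts."""
    return {
        "baseline": {"unshare_errno": 0, "bind_errno": try_bind_privileged()},
        "userns_only": probe(CLONE_NEWUSER),
        "userns_plus_netns": probe(CLONE_NEWUSER | CLONE_NEWNET),
    }


if __name__ == "__main__":
    for name, res in compare().items():
        if res["bind_errno"] is None:
            verdict = "unshare failed: " + os.strerror(res["unshare_errno"])
        elif res["bind_errno"] == 0:
            verdict = "bind OK"
        else:
            verdict = "bind failed: " + os.strerror(res["bind_errno"])
        print(f"{name:18s} {verdict}")
```

Run as an unprivileged user, the baseline and the user-namespace-only case both fail with EACCES, because the socket still belongs to the initial network namespace and the new user namespace is not its owner; only the third case, where the network namespace is created inside (and therefore owned by) the new user namespace, succeeds. Note that even a process that starts as real root loses the ability to bind in the old network namespace once it enters a child user namespace, which is the same ownership rule seen from the other side.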