I have spent a fair amount of time with these interfaces, except the shiny new user namespace, so I am a bit confused by that. If you change to a new user ns and therefore become "root" what can you do? Is it affected by which other namespaces you are in? eg if you create a new user ns and new netns can you say use ping or other root-requiring network ops? I guess I should install a new kernel and experiment...
Namespaces in operation, part 2: the namespaces API
Posted Jan 9, 2013 0:23 UTC (Wed) by rvolgers (subscriber, #63218)
Looking at the source a user namespace root user has all capabilities within that namespace, and raw socket access is controlled by a ns_capable(...) check, so it should be possible.
I have not tested this, so take it with a grain of salt.
Namespaces in operation, part 2: the namespaces API
Posted Jan 9, 2013 1:24 UTC (Wed) by hallyn (subscriber, #22558)
> eg if you create a new user ns and new netns can you say use ping or other root-requiring network ops?
Yes - but only with nics owned by your new network namespace. Which means nics which you create (which won't be hooked into the parent ns), or nics which a privileged task in the parent netns passed into your ns.
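Added example, written for this thread and not code from any of the commenters or from the article: a small C program that forks a child, moves it into a new user and network namespace, and reports what "root" there actually gets. It checks three things: whether CapEff in /proc/self/status carries CAP_NET_RAW, whether a raw ICMP socket can be opened (the ns_capable() path rvolgers mentions), and whether the new netns shows any interface besides lo (hallyn's point that only nics owned by the new netns are reachable). It assumes a Linux kernel with unprivileged user namespaces enabled; where a sandbox or sysctl refuses CLONE_NEWUSER it reports that and stops. The enum names, the 200 exit-code sentinel and the probe functions are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Real CLONE_* values from the kernel ABI, in case sched.h was read without _GNU_SOURCE. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int unshare(int flags);          /* prototype fallback for the same reason */

#define CAP_NET_RAW_BIT 13       /* capability number of CAP_NET_RAW (linux/capability.h) */

/* Result bits reported by probe_new_userns() (names are this example's own). */
enum {
    PROBE_UNSHARE_DENIED = -1,   /* kernel or sandbox refused CLONE_NEWUSER|CLONE_NEWNET */
    PROBE_CAP_NET_RAW    = 1,    /* CapEff in /proc/self/status includes CAP_NET_RAW */
    PROBE_RAW_SOCKET_OK  = 2,    /* socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) succeeded */
    PROBE_ONLY_LOOPBACK  = 4,    /* the new netns lists exactly one interface, "lo" */
};

/* Parse the text of a /proc/<pid>/status file and report whether CapEff has CAP_NET_RAW. */
int caps_include_net_raw(const char *status_text)
{
    const char *line = strstr(status_text, "CapEff:");
    if (!line)
        return 0;
    unsigned long long eff = strtoull(line + strlen("CapEff:"), NULL, 16);
    return (int)((eff >> CAP_NET_RAW_BIT) & 1ULL);
}

static int read_own_status(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

/* Runs in the forked child: enter new user+net namespaces, then probe. */
static int probe_in_child(void)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
        return 200;              /* sentinel: parent maps this to PROBE_UNSHARE_DENIED */

    int bits = 0;
    char status[8192];
    if (read_own_status(status, sizeof status) == 0 && caps_include_net_raw(status))
        bits |= PROBE_CAP_NET_RAW;

    /* Raw socket creation is gated by ns_capable(net->user_ns, CAP_NET_RAW),
     * and the new netns is owned by the user ns we just created. */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) {
        bits |= PROBE_RAW_SOCKET_OK;
        close(fd);
    }

    /* if_nameindex() enumerates interfaces of the caller's current netns. */
    struct if_nameindex *ifs = if_nameindex();
    if (ifs) {
        int count = 0, only_lo = 1;
        for (struct if_nameindex *p = ifs; p->if_index != 0; p++) {
            count++;
            if (strcmp(p->if_name, "lo") != 0)
                only_lo = 0;
        }
        if (count == 1 && only_lo)
            bits |= PROBE_ONLY_LOOPBACK;
        if_freenameindex(ifs);
    }
    return bits;
}

/* Fork so the caller stays in its original namespaces; returns the PROBE_* bits. */
int probe_new_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_UNSHARE_DENIED;
    if (pid == 0)
        _exit(probe_in_child());
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return PROBE_UNSHARE_DENIED;
    int code = WEXITSTATUS(status);
    return code == 200 ? PROBE_UNSHARE_DENIED : code;
}

int main(void)
{
    int r = probe_new_userns();
    if (r == PROBE_UNSHARE_DENIED) {
        puts("unshare(CLONE_NEWUSER|CLONE_NEWNET) not permitted here");
        return 1;
    }
    printf("CAP_NET_RAW in CapEff: %s\n", (r & PROBE_CAP_NET_RAW) ? "yes" : "no");
    printf("raw ICMP socket:       %s\n", (r & PROBE_RAW_SOCKET_OK) ? "created" : "refused");
    printf("interfaces:            %s\n", (r & PROBE_ONLY_LOOPBACK) ? "only lo" : "more than lo");
    return 0;
}
```

Build with `gcc -Wall -o userns_probe userns_probe.c` and run as an ordinary user. On a kernel that allows unprivileged user namespaces the expected reading is: the capability is present and the raw socket opens, yet the only interface is an isolated, unconfigured lo. That is the whole point of the ownership model: the capability is real inside the new namespace but reaches no nic that the parent namespace owns, so a host-side check should ask which namespace owns a device rather than whether a process "has CAP_NET_RAW".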
Namespaces in operation, part 2: the namespaces API
Posted Jan 17, 2013 3:03 UTC (Thu) by kevinm (guest, #69913)
So with a VPN (or IPv6 tunnel) endpoint that uses TUN/TAP, you could bring up your VPN and pingflood away to your heart's content.