User namespaces progress

Posted Jan 3, 2013 21:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: User namespaces progress by andresfreund
Parent article: User namespaces progress

That's much better than setting caps for executable files, but still has the problem of non-locality. It's impossible to understand from the daemon's command line that it magically acquires additional caps.

User namespaces progress

Posted Jan 3, 2013 21:21 UTC (Thu) by andresfreund (subscriber, #69562) [Link] (1 responses)

Hm, I don't really see that as a problem. But anyway:

sudo /sbin/capsh --caps=cap_net_bind_service+pei == --user=andres -- -c "nc -l 434"

Yes. Ugly. But it works. (capsh is/was a demo tool)

User namespaces progress

Posted Jan 3, 2013 21:24 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Doesn't work with Java, just tried it on my system (it's Debian Stable).