
Namespaces in operation, part 2: the namespaces API

Namespaces in operation, part 2: the namespaces API

Posted Jan 8, 2013 22:04 UTC (Tue) by justincormack (subscriber, #70439)
Parent article: Namespaces in operation, part 2: the namespaces API

I have spent a fair amount of time with these interfaces, except the shiny new user namespace, so I am a bit confused by that. If you change to a new user ns and therefore become "root", what can you do? Is it affected by which other namespaces you are in? E.g., if you create a new user ns and new netns, can you, say, use ping or other root-requiring network ops? I guess I should install a new kernel and experiment...



Namespaces in operation, part 2: the namespaces API

Posted Jan 9, 2013 0:23 UTC (Wed) by rvolgers (guest, #63218)

Looking at the source, a user namespace root user has all capabilities within that namespace, and raw socket access is controlled by a ns_capable(...) check, so it should be possible.

I have not tested this, so take it with a grain of salt.

Namespaces in operation, part 2: the namespaces API

Posted Jan 9, 2013 1:24 UTC (Wed) by hallyn (subscriber, #22558)

> eg if you create a new user ns and new netns can you say use ping or other root-requiring network ops?

Yes - but only with NICs owned by your new network namespace. Which means NICs which you create (which won't be hooked into the parent ns), or NICs which a privileged task in the parent netns passed into your ns.

Namespaces in operation, part 2: the namespaces API

Posted Jan 17, 2013 3:03 UTC (Thu) by kevinm (guest, #69913)

So with a VPN (or IPv6 tunnel) endpoint that uses TUN/TAP, you could bring up your VPN and pingflood away to your heart's content.
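The behaviour discussed in this thread can be observed with a small probe; this is an added example, not code from the article or from any commenter. It assumes a kernel that permits unprivileged user namespaces, and the function names are hypothetical. It reports whether a raw ICMP socket can be opened inside a fresh user+network namespace and how many interfaces that namespace can see.

```c
#define _GNU_SOURCE
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in a child so the caller's own namespaces are left untouched.
 * Exit status: 255 = namespaces unavailable, 0 = raw socket refused,
 * otherwise the number of interfaces visible in the new netns. */
static int probe_child(void)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
        return 255;           /* e.g. unprivileged userns disabled or filtered */

    /* The new netns is owned by the new userns, in which this task holds
     * all capabilities, so the ns_capable() check for raw sockets passes. */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        return 0;
    close(fd);

    /* Only interfaces owned by this netns are visible; the parent's NICs
     * are not. A fresh netns normally holds just a down "lo". */
    struct if_nameindex *ifs = if_nameindex();
    int n = 0;
    for (struct if_nameindex *i = ifs; i && i->if_index != 0; i++)
        n++;
    if (ifs)
        if_freenameindex(ifs);
    return n > 254 ? 254 : n;
}

/* Returns -1 if the probe could not run, 0 if the raw socket was refused,
 * or the interface count (>= 1) when the raw socket was opened. */
int userns_raw_socket_probe(void)
{
    int st;
    pid_t pid = fork();
    if (pid == 0)
        _exit(probe_child());
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st) == 255 ? -1 : WEXITSTATUS(st);
}

int main(void)
{
    printf("probe result: %d\n", userns_raw_socket_probe());
    return 0;
}
```

For hardening reviews, a result of -1 on a host is what a policy that disables unprivileged user namespaces should produce.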

