* [Bug 216215] New: clone and unshare say CAP_SYS_ADMIN is required to create new namespaces
@ 2022-07-07 18:50 bugzilla-daemon
From: bugzilla-daemon @ 2022-07-07 18:50 UTC (permalink / raw)
To: linux-man
https://bugzilla.kernel.org/show_bug.cgi?id=216215
Bug ID: 216215
Summary: clone and unshare say CAP_SYS_ADMIN is required to
create new namespaces
Product: Documentation
Version: unspecified
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P1
Component: man-pages
Assignee: documentation_man-pages@kernel-bugs.osdl.org
Reporter: linuxkernelbugzilla@pxeger.com
Regression: No
According to clone(2) and unshare(2), the various CLONE_NEW* flags for creating
new namespaces require CAP_SYS_ADMIN. But this is not the case, and never has
been (as best I can tell from some git log grepping in the kernel).
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are watching the assignee of the bug.
* [Bug 216215] clone and unshare say CAP_SYS_ADMIN is required to create new namespaces
From: bugzilla-daemon @ 2022-07-10 22:19 UTC (permalink / raw)
To: linux-man
https://bugzilla.kernel.org/show_bug.cgi?id=216215
Alejandro Colomar (man-pages) (alx.manpages@gmail.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |alx.manpages@gmail.com
Resolution|--- |INVALID
--- Comment #1 from Alejandro Colomar (man-pages) (alx.manpages@gmail.com) ---
$ cat unshare.c
#define _GNU_SOURCE
#include <err.h>
#include <sched.h>
#include <stdlib.h>
int main(void)
{
if (unshare(CLONE_NEWPID) == -1)
err(EXIT_FAILURE, "unshare(2)");
exit(EXIT_SUCCESS);
}
$ cc -Wall -Wextra unshare.c
$ sudo setcap 'cap_sys_admin=' a.out
$ ./a.out
a.out: unshare(2): Operation not permitted
$ sudo setcap 'cap_sys_admin=eip' a.out
$ ./a.out
$
CAP_SYS_ADMIN is required, as the example above demonstrates.
* [Bug 216215] clone and unshare say CAP_SYS_ADMIN is required to create new namespaces
From: bugzilla-daemon @ 2022-07-11 8:01 UTC (permalink / raw)
To: linux-man
https://bugzilla.kernel.org/show_bug.cgi?id=216215
--- Comment #2 from pxeger (linuxkernelbugzilla@pxeger.com) ---
Ah, I understand the confusion I was having now: all namespaces, *except user
namespaces*, require CAP_SYS_ADMIN. But creating a new user namespace
automatically confers a full set of capabilities. So, when using clone(2) with
CLONE_NEWUSER and some other CLONE_NEW* flags for other namespaces, at the same
time, you don't need CAP_SYS_ADMIN in the parent, because it's given to the
child during the clone call.
Is this worth mentioning somewhere?
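The distinction drawn in Comment #2 can be checked directly. The C program below is an added example, not code from the bug report or from the man-pages project: it attempts unshare(2) with CLONE_NEWPID alone, with CLONE_NEWUSER alone, and with both flags together, each in a forked child so the caller's own namespaces are untouched, and then reads the child's effective capability set with capget(2) to show that the new user namespace is what supplies CAP_SYS_ADMIN. The helper names (probe_unshare, classify, the verdict strings) are this example's own inventions; the fallback CLONE_* values are the kernel UAPI constants and are used only if <sched.h> does not expose them.

```c
/* Added example (not from the bug report): probe which CLONE_NEW* requests an
 * unprivileged process may make, and show that a new user namespace is what
 * supplies CAP_SYS_ADMIN for the other namespace types. Each probe runs in a
 * forked child so the calling process keeps its own namespaces. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>

/* Fallbacks (kernel UAPI values) in case <sched.h> hides the GNU extensions. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif

/* probe_unshare() results; any other positive value is the errno from unshare(2). */
enum probe_result { PROBE_OK_ADMIN = 0, PROBE_OK_NO_ADMIN = 200, PROBE_ERR = -1 };

/* True if CAP_SYS_ADMIN is in the calling thread's effective set (capget(2)). */
static int has_cap_sys_admin(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) == -1)
        return 0;
    return (data[0].effective >> CAP_SYS_ADMIN) & 1;   /* CAP_SYS_ADMIN is 21, so word 0 */
}

/* Try unshare(flags) in a child: report the errno on failure, or on success
 * whether CAP_SYS_ADMIN is effective in the child afterwards. */
int probe_unshare(int flags)
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return PROBE_ERR;
    if (pid == 0) {
        if (syscall(SYS_unshare, flags) == -1)
            _exit(errno);                        /* errno fits in an exit status */
        _exit(has_cap_sys_admin() ? PROBE_OK_ADMIN : PROBE_OK_NO_ADMIN);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return PROBE_ERR;
    return WEXITSTATUS(status);
}

enum verdict { ALREADY_PRIVILEGED, USERNS_CONFERS, BLOCKED, UNEXPECTED };

/* Pure classification of the two probe outcomes, independent of the host. */
enum verdict classify(int plain_newpid, int newuser_newpid)
{
    if (plain_newpid == PROBE_OK_ADMIN)
        return ALREADY_PRIVILEGED;
    if (plain_newpid == EPERM && newuser_newpid == PROBE_OK_ADMIN)
        return USERNS_CONFERS;
    if (plain_newpid == EPERM && newuser_newpid == EPERM)
        return BLOCKED;
    return UNEXPECTED;
}

static const char *verdict_text[] = {
    "caller already holds CAP_SYS_ADMIN, so CLONE_NEWPID alone is allowed",
    "CLONE_NEWPID alone is refused but CLONE_NEWUSER|CLONE_NEWPID is allowed: "
    "the new user namespace confers CAP_SYS_ADMIN for the PID namespace",
    "both refused: unprivileged user namespaces disabled or unshare(2) filtered",
    "unexpected combination, inspect the errno values",
};

static const char *describe(int r)
{
    static char buf[96];

    if (r == PROBE_OK_ADMIN)    return "ok, CAP_SYS_ADMIN effective";
    if (r == PROBE_OK_NO_ADMIN) return "ok, CAP_SYS_ADMIN not effective";
    if (r == PROBE_ERR)         return "probe failed (fork/wait)";
    snprintf(buf, sizeof buf, "failed: %s", strerror(r));
    return buf;
}

int main(void)
{
    int plain = probe_unshare(CLONE_NEWPID);
    int user  = probe_unshare(CLONE_NEWUSER);
    int both  = probe_unshare(CLONE_NEWUSER | CLONE_NEWPID);

    printf("unshare(CLONE_NEWPID)               -> %s\n", describe(plain));
    printf("unshare(CLONE_NEWUSER)              -> %s\n", describe(user));
    printf("unshare(CLONE_NEWUSER|CLONE_NEWPID) -> %s\n", describe(both));
    printf("verdict: %s\n", verdict_text[classify(plain, both)]);
    return 0;
}
```

Run it as an ordinary user: on a kernel that allows unprivileged user namespaces the first probe fails with EPERM and the other two succeed with CAP_SYS_ADMIN effective. If every probe fails with EPERM, either unprivileged user namespace creation is disabled on the host (for example through the kernel.unprivileged_userns_clone sysctl on Debian-derived kernels) or unshare(2) is being filtered by seccomp, which is the default in most container runtimes; neither case contradicts the man page, it just means the privilege escape via CLONE_NEWUSER is unavailable there.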
* [Bug 216215] clone and unshare say CAP_SYS_ADMIN is required to create new namespaces
From: bugzilla-daemon @ 2022-07-19 15:04 UTC (permalink / raw)
To: linux-man
https://bugzilla.kernel.org/show_bug.cgi?id=216215
Alejandro Colomar (man-pages) (alx.manpages@gmail.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |---
--- Comment #3 from Alejandro Colomar (man-pages) (alx.manpages@gmail.com) ---
Maybe we could add that to NOTES in unshare(2).
Would you mind sending a patch?
Thanks,
Alex
* [Bug 216215] clone and unshare say CAP_SYS_ADMIN is required to create new namespaces
From: bugzilla-daemon @ 2022-09-06 12:31 UTC (permalink / raw)
To: linux-man
https://bugzilla.kernel.org/show_bug.cgi?id=216215
Alejandro Colomar (man-pages) (alx.manpages@gmail.com) changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |DOCUMENTED