How unshare makes possible to use chroot without real root?

Question

chroot needs CAP_SYS_CHROOT according to the manual. The unshare command uses chroot.

The command unshare -UrR newroot/ will work without being run as root, which makes sense since the -r flag makes us root inside the namespace, giving us the CAP_SYS_CHROOT capability.

The problem begins when unshare -UR newroot/ doesn't require being run as root, while unshare -U chroot newroot/ will give me the Operation not permitted error. So in the first, I am not asking for being root inside the user namespace, and the second is the same but trying to do it manually.

Checking the code, the only thing that happens when using -R is setting the newroot to optarg, so I can't understand why in one example this works, and in the other, it doesn't.

Answer 1

This happens because unshare(2) is called first, and it's passed CLONE_NEWUSER as one of the flags bceause of -U. The manual remarks about that flag:

Unshare the user namespace, so that the calling process is moved into a new user namespace which is not shared with any previously existing process. As with the child process created by clone(2) with the CLONE_NEWUSER flag, the caller obtains a full set of capabilities in the new namespace.

Now that the process has a full set of capabilities in the new namespace, it can call chroot(2). Note that that call occurs before the process with mapped IDs is invoked, so at that point, the process is still privileged in the new user namespace. The capabilities are dropped upon the execve call to start the new process.

That's why your chroot command fails: because it lacks permissions, whereas the unshare command is still privileged before it invokes any process.