chroot
needs CAP_SYS_CHROOT
according to the manual. The unshare
command uses chroot.
The command unshare -UrR newroot/
will work without being run as root
, which makes sense since the -r
flag makes us root
inside the namespace, giving us the CAP_SYS_CHROOT
capability.
The problem begins when unshare -UR newroot/
doesn't require being run as root
, while unshare -U chroot newroot/
will give me the Operation not permitted
error. So in the first, I am not asking for being root
inside the user namespace, and the second is the same but trying to do it manually.
Checking the code, the only thing that happens when using -R
is setting the newroot
to optarg
, so I can't understand why in one example this works, and in the other, it doesn't.
This happens because
unshare(2)
is called first, and it's passedCLONE_NEWUSER
as one of the flags bceause of-U
. The manual remarks about that flag:Now that the process has a full set of capabilities in the new namespace, it can call
chroot(2)
. Note that that call occurs before the process with mapped IDs is invoked, so at that point, the process is still privileged in the new user namespace. The capabilities are dropped upon theexecve
call to start the new process.That's why your
chroot
command fails: because it lacks permissions, whereas theunshare
command is still privileged before it invokes any process.