Why does unshare (CLONE_NEWNET) require CAP_SYS_ADMIN?

Question

Why does unshare (CLONE_NEWNET) require CAP_SYS_ADMIN?

I play with linux namespaces, and I noticed that if a user wants to execute a process in a new namespace on the network (without using user namespaces), he must be root or have the ability CAP_SYS_ADMIN .

unshare (2) manpage says:

CLONE_NEWNET (since Linux 2.6.24)
This flag has the same effect as the clone (2) CLONE_NEWNET flag. Disable the network namespace so that the calling process is moved to a new network resource namespace that is not shared with a pre-existing process. Using CLONE_NEWNET requires the CAP_SYS_ADMIN capability.

So, if I want to execute a PDF reader in a network sandbox, I have to use user-net namespaces or some privileged shell.

Why? The new process will be hosted in a new namespace on the network without interfaces, so it will be isolated from the real network, right? What security issues / threats do unprivileged, non-expert user namespaces make?

+5

linux linux-namespaces

Spectral wave Sep 16 '16 at 19:53

source share

1 answer

Juho Östman · Answer 1 · 2016-12-03T22:10:30+0000

Creating a namespace on the network allows you to control the runtime of binary files that have the setuid flag or otherwise have the privilege. User namespaces remove this feature because the process cannot obtain privileges that are not included in the user namespace.

In general, it cannot be known that no vulnerability arises from the failure of a privileged process from accessing the network. Therefore, the kernel assumes that the operation is privileged, and the system policy determines whether the privileged utility is provided for ordinary users.

Why does unshare (CLONE_NEWNET) require CAP_SYS_ADMIN?

More articles: