chroot
needs CAP_SYS_CHROOT
according to the manual. The unshare
command uses chroot.
The command unshare -UrR newroot/
will work without being run as root
, which makes sense since the -r
flag makes us root
inside the namespace, giving us the CAP_SYS_CHROOT
capability.
The problem begins when unshare -UR newroot/
doesn't require being run as root
, while unshare -U chroot newroot/
will give me the Operation not permitted
error. So in the first, I am not asking for being root
inside the user namespace, and the second is the same but trying to do it manually.
Checking the code, the only thing that happens when using -R
is setting the newroot
to optarg
, so I can't understand why in one example this works, and in the other, it doesn't.
This happens because unshare(2)
is called first, and it's passed CLONE_NEWUSER
as one of the flags bceause of -U
. The manual remarks about that flag:
Unshare the user namespace, so that the calling process is moved into a new user namespace which is not shared with any previously existing process. As with the child process created by
clone(2)
with theCLONE_NEWUSER
flag, the caller obtains a full set of capabilities in the new namespace.
Now that the process has a full set of capabilities in the new namespace, it can call chroot(2)
. Note that that call occurs before the process with mapped IDs is invoked, so at that point, the process is still privileged in the new user namespace. The capabilities are dropped upon the execve
call to start the new process.
That's why your chroot
command fails: because it lacks permissions, whereas the unshare
command is still privileged before it invokes any process.