Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled.  Capabilities are a per-thread attribute.
For example, to configure network settings, a process does not need to become the root user: if it has the CAP_NET_ADMIN capability, the kernel permits the relevant syscalls.
More information about capabilities can be found in the Linux man page: man 7 capabilities.
Linux provides the following namespaces:
       Namespace   Constant        Isolates
       IPC         CLONE_NEWIPC    System V IPC, POSIX message queues
       Network     CLONE_NEWNET    Network devices, stacks, ports, etc.
       Mount       CLONE_NEWNS     Mount points
       PID         CLONE_NEWPID    Process IDs
       User        CLONE_NEWUSER   User and group IDs
       UTS         CLONE_NEWUTS    Hostname and NIS domain name
User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs (see credentials(7)), the root directory, keys (see keyctl(2)), and capabilities (see capabilities(7)).
When a new user namespace is created (using either clone or unshare), the process in it starts with *a complete/full set of capabilities*. Those capabilities are valid only for resources governed by that namespace.
But that's good enough for us to run some test programs inside. Inspired by the namespace-sandbox.c tool from bazel, I wrote a simpler version, new-network-namespace.c, that just creates an empty user namespace with a network namespace and launches a given program inside it. Inside that program, the user can perform ifconfig/iptables operations without being the real root, and without worrying about breaking the real system by accident.
For example:
$ ./new-network-namespace /bin/bash
root@myhost:~# ifconfig -a
lo        Link encap:Local Loopback
          LOOPBACK  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Please give it a try, :)
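
The approach described above, as an added example (this is not the author's new-network-namespace.c and not bazel's namespace-sandbox.c): unshare a user and a network namespace, map the caller's uid/gid to root inside, then exec the given program. The function names are hypothetical; it assumes Linux 3.19 or later (for /proc/self/setgroups) and that unprivileged user namespaces are enabled on the host.

```c
#define _GNU_SOURCE            /* for syscall() */
#include <fcntl.h>
#include <linux/sched.h>       /* CLONE_NEWUSER, CLONE_NEWNET */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build a uid_map/gid_map line that maps one outside ID to ID 0 inside. */
static int format_root_map(char *buf, size_t len, unsigned outside_id) {
    return snprintf(buf, len, "0 %u 1\n", outside_id);
}

/* Write a short string to a /proc file; returns 0 on success, -1 on error. */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Enter new user + network namespaces and map the caller to root inside. */
static int enter_sandbox(void) {
    char map[32];
    unsigned uid = getuid();   /* read first: IDs are unmapped after unshare */
    unsigned gid = getgid();
    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNET) != 0) return -1;
    /* An unprivileged process must deny setgroups(2) before writing gid_map. */
    if (write_file("/proc/self/setgroups", "deny") != 0) return -1;
    format_root_map(map, sizeof map, uid);
    if (write_file("/proc/self/uid_map", map) != 0) return -1;
    format_root_map(map, sizeof map, gid);
    return write_file("/proc/self/gid_map", map);
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (enter_sandbox() != 0) {
        perror("enter_sandbox");
        return 1;
    }
    execvp(argv[1], &argv[1]);  /* only returns on failure */
    perror("execvp");
    return 1;
}
```

The launched program sees itself as uid 0 with a full capability set, but CAP_NET_ADMIN there governs only the new, empty network namespace, so the host's interfaces and firewall rules stay out of reach.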