Mr Pang

Reputation: 1181

What capabilities can open /proc/pid/ns/net?

setcap cap_net_raw,cap_net_admin,cap_sys_admin,cap_dac_override,cap_dac_read_search,cap_fowner+eip

I want a process running as a normal user to switch to another process's netns, where the other process is running as root. What I need to do is to open /proc/pid/ns/net and then call setns. I have given many capabilities to the executable as above, but it still says Permission denied. Any ideas?

Upvotes: 2

Views: 1141

Answers (2)

Michael Dreher

Reputation: 1399

You need SYS_PTRACE and SYS_ADMIN capabilities.

This is documented in https://man7.org/linux/man-pages/man7/namespaces.7.html (the reference for SYS_ADMIN was already given in the other answer):

The /proc/[pid]/ns/ directory

[...]

   Permission to dereference or read (readlink(2)) these symbolic
   links is governed by a ptrace access mode
   PTRACE_MODE_READ_FSCREDS check; see ptrace(2).

Upvotes: 2

Tinkerer

Reputation: 1068

https://man7.org/linux/man-pages/man2/setns.2.html suggests:

Network, IPC, time, and UTS namespaces
              In order to reassociate itself with a new network, IPC,
              time, or UTS namespace, the caller must have the
              CAP_SYS_ADMIN capability both in its own user namespace
              and in the user namespace that owns the target namespace.

Upvotes: 1
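An added example, not code from either answer, that separates the two checks the answers quote: the open of /proc/<pid>/ns/net (governed by the PTRACE_MODE_READ_FSCREDS check, so EACCES means CAP_SYS_PTRACE is missing) and the setns call (governed by the CAP_SYS_ADMIN rule, so EPERM points there). The names netns_path, join_netns and explain_failure are my own; it assumes Linux with glibc and is run as ./join <pid>.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build "/proc/<pid>/ns/net" into buf; returns its length, or -1 if buf is too small. */
int netns_path(pid_t pid, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/net", (long)pid);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Map the failing step and errno to the rule quoted from the man pages above (hypothetical helper). */
const char *explain_failure(const char *step, int err)
{
    if (strcmp(step, "open") == 0 && err == EACCES)
        return "open: PTRACE_MODE_READ_FSCREDS check failed; needs CAP_SYS_PTRACE (or the same uid as the target, with the target dumpable)";
    if (strcmp(step, "setns") == 0 && err == EPERM)
        return "setns: needs CAP_SYS_ADMIN in the caller's user namespace and in the user namespace that owns the target netns";
    return strerror(err); /* anything else, e.g. ENOENT for a pid that does not exist */
}

/* Join pid's network namespace. Returns 0, or -1 with *step naming the call that
 * failed ("open" or "setns") and errno preserved for the caller to inspect. */
int join_netns(pid_t pid, const char **step)
{
    char path[64];
    if (netns_path(pid, path, sizeof path) < 0) { *step = "path"; errno = ENAMETOOLONG; return -1; }
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) { *step = "open"; return -1; }
    int rc = setns(fd, CLONE_NEWNET); /* CLONE_NEWNET: refuse unless fd really is a netns */
    int saved = errno;
    close(fd);
    if (rc < 0) { *step = "setns"; errno = saved; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    const char *step = "";
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
    if (join_netns((pid_t)atol(argv[1]), &step) == 0) return puts("joined target netns"), 0;
    fprintf(stderr, "%s failed: %s\n", step, explain_failure(step, errno));
    return 1;
}
```

Running it against a root-owned pid from an unprivileged binary with only the capabilities in the question reports the open step failing, which is the "Permission denied" (EACCES) seen in the question; once CAP_SYS_PTRACE is added the failure, if any, moves to the setns step.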
