Can't use busybox unshare without root:

$ ./busybox unshare -r ./busybox sh -c "echo hi"
unshare: unshare(0x4000000): Operation not permitted

If I use the non busybox binary versions things work as expected:

$ unshare -r sh -c "echo hi"
hi

If I run as root things work as expected.

Here is the strace output:

# strace ./busybox unshare -r ./busybox sh -c "echo hi"
execve("./busybox", ["./busybox", "unshare", "-r", "./busybox", "sh", "-c", "echo hi"], [/* 73 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x6f0f30)       = 0
set_tid_address(0x6f0f68)               = 26481
getuid()                                = 1000
stat("/etc/busybox.conf", 0x7ffc27391b70) = -1 ENOENT (No such file or directory)
getgid()                                = 1000
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
setgid(1000)                            = 0
futex(0x6f1360, FUTEX_WAKE_PRIVATE, 2147483647) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1 RT_2], [], 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[], NULL, 8) = 0
setuid(1000)                            = 0
futex(0x6f1360, FUTEX_WAKE_PRIVATE, 2147483647) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
geteuid()                               = 1000
getegid()                               = 1000
unshare(CLONE_NEWUTS)                   = -1 EPERM (Operation not permitted)
write(2, "unshare: unshare(0x4000000): Ope"..., 53unshare: unshare(0x4000000): Operation not permitted
) = 53
exit_group(1)                           = ?

So it fails on the call to unshare


Given that this works fine with the non-busybox version of unshare, its clearly not a problem of my system, but with busybox.

I suspect it has to do with the calls to setgid + setuid before calling unshare (these do not appear on the strace of the regular unshare binary).