
linux - Using user namespaces to create network namespaces - Stack Overflow


I am trying to create a program that runs a command in a new network namespace. I'd like to be able to run my program without being root. What I have working at the moment is that I first create a new user namespace, and then within that I create the network namespace, and then within that I exec the command.

This works great, except that the uid and gid seen by the command are 0. I'd like to change things so that the command sees the original uid and gid of the user who ran my program in the first place.

My challenge is this: I need to be root within the user namespace in order to create the network namespace: that's why I'm creating a user namespace at all. Having created the network namespace, I'd like to change to the uid and gid of the original user. However, doing so means I also (I suppose) need to change the uid_map and gid_map, because my initial mapping associates 0:0 within the user to the original user outside the user namespace. However, you can't modify uid_map and gid_map once you've written them once.

So my question is this: what's a good way to handle this? I need to run certain things as root inside the user namespace. Therefore my initial mappings have to be from 0:0 to the original uid and gid. Having done those things, how can I setuid/setgid to the original user? Do I have to create a second user namespace nested within the first?
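The flow the question describes (unprivileged user namespace with 0 mapped to the caller, then a network namespace, then exec), as an added C example that is not the asker's code. It reproduces exactly the behaviour described, so the exec'd command still sees uid/gid 0; `write_id_map`, `format_id_map` and `run_in_new_netns` are names chosen here, and the `setgroups` step is the kernel requirement for writing gid_map without CAP_SETGID (Linux 3.19 and later).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write one line into a /proc/self/{uid_map,gid_map,setgroups} file; 0 on success. */
static int write_id_map(const char *path, const char *line) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Format a single-entry map "inner outer 1\n"; returns bytes written or -1 if truncated. */
int format_id_map(char *buf, size_t len, unsigned inner, unsigned outer) {
    int n = snprintf(buf, len, "%u %u 1\n", inner, outer);
    return (n > 0 && (size_t)n < len) ? n : -1;
}

/* user ns (0 -> caller) -> net ns -> exec, as in the question. Returns only on failure. */
int run_in_new_netns(char *const argv[]) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    char line[64];
    if (unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); return -1; }
    /* Root inside the namespace is the invoking user outside it. */
    if (format_id_map(line, sizeof line, 0, uid) < 0) return -1;
    if (write_id_map("/proc/self/uid_map", line) != 0) { perror("uid_map"); return -1; }
    /* Without CAP_SETGID the kernel only accepts gid_map after setgroups is "deny". */
    (void)write_id_map("/proc/self/setgroups", "deny");
    if (format_id_map(line, sizeof line, 0, gid) < 0) return -1;
    if (write_id_map("/proc/self/gid_map", line) != 0) { perror("gid_map"); return -1; }
    /* We now hold CAP_SYS_ADMIN in the user namespace, which is what CLONE_NEWNET needs. */
    if (unshare(CLONE_NEWNET) != 0) { perror("unshare(CLONE_NEWNET)"); return -1; }
    /* The command inherits the namespaces; getuid() in it reports 0, as the question observes. */
    execvp(argv[0], argv);
    perror("execvp");
    return -1;
}

int main(int argc, char *argv[]) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    return run_in_new_netns(argv + 1) == 0 ? 0 : 1;
}
```

Running it as `./a.out id` shows `uid=0(root)` inside the new namespaces; `./a.out ip link` lists only a loopback interface, confirming the network namespace was created without real root.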
