Add the --keep-caps option to unshare to preserve capabilities that are granted when creating a new user namespace. This allows the child process to retain privilege within the new user namespace without also being UID 0.
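
The capabilities described above normally disappear when a non-root process calls execve(). The following added example (not the util-linux code) shows one way to carry them across exec, assuming the ambient capability set is the mechanism used; the commit message does not state the mechanism, and the function name `keep_caps_in_new_userns` is hypothetical.

```c
#define _GNU_SOURCE
#include <linux/capability.h>   /* capability header and data structs */
#include <linux/sched.h>        /* CLONE_NEWUSER */
#include <stdio.h>
#include <sys/prctl.h>          /* PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE */
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical helper: enter a new user namespace and make the capabilities
 * granted there survive execve() by a non-root UID. Returns the number of
 * ambient capabilities raised, -1 if the namespace could not be created
 * (e.g. unprivileged user namespaces are disabled), -2 on capget/capset error. */
int keep_caps_in_new_userns(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[_LINUX_CAPABILITY_U32S_3] = { { 0 } };
    int cap, raised = 0;

    if (syscall(SYS_unshare, CLONE_NEWUSER) < 0)
        return -1;
    /* The creator of a user namespace holds a full permitted and effective
     * set inside it, whatever its UID; inheritable and ambient start empty. */
    if (syscall(SYS_capget, &hdr, d) < 0)
        return -2;
    /* A capability can be made ambient only if permitted AND inheritable. */
    d[0].inheritable = d[0].permitted;
    d[1].inheritable = d[1].permitted;
    if (syscall(SYS_capset, &hdr, d) < 0)
        return -2;
    for (cap = 0; cap < 64; cap++) {
        if (!(d[cap / 32].permitted & (1u << (cap % 32))))
            continue;
        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) == 0)
            raised++;
    }
    return raised;
}

int main(void)
{
    int n = keep_caps_in_new_userns();
    if (n < 0) {
        fprintf(stderr, "could not keep capabilities (code %d)\n", n);
        return 1;
    }
    /* A program exec'd from here starts with these n capabilities. */
    printf("uid=%d ambient capabilities raised: %d\n", (int)getuid(), n);
    return 0;
}
```

The retained capabilities apply only to resources governed by the new user namespace; they confer no privilege in the parent namespace.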