Paul Gevers
2021-04-29 10:40:01 UTC
Package: release-notes
Hi Ben, Simon,

I just stumbled over bug 898446 because of Simon's reply to bug 985617.

* Document user.max_user_namespaces in procps's shipped
  /etc/sysctl.conf
* Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
  it (log a warning if it's changed)
* Document the change in bullseye release notes

I'm pretty sure the last point still needs to happen. I found this in the
NEWS, which looks pretty good as a starting point. Does either of you
have anything to add?

"""
From Linux 5.10, all users are allowed to create user namespaces by
default. This will allow programs such as web browsers and container
managers to create more restricted sandboxes for untrusted or
less-trusted code, without the need to run as root or to use a
setuid-root helper.

The previous Debian default was to restrict this feature to processes
running as root, because it exposed more security issues in the
kernel. However, the security benefits of more widespread sandboxing
probably now outweigh this risk.

If you prefer to keep this feature restricted, set the sysctl:

kernel.unprivileged_userns_clone = 0
"""

Paul
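An added example, not part of the bug report or of Debian's own tooling: a POSIX sh audit of the effective user-namespace policy using the two knobs the message names, the Debian-specific kernel.unprivileged_userns_clone and the upstream user.max_user_namespaces. The sysctl root directory argument is an assumed parameter so the same logic can be run against a constructed test tree as well as the live /proc/sys.

```shell
#!/bin/sh
# Added example: report whether unprivileged users can create user namespaces.
# The optional argument (assumed, for testing) replaces /proc/sys.

read_knob() {
    # Print a sysctl file's value, or "absent" if this kernel lacks the knob.
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    else
        printf 'absent'
    fi
}

userns_policy() {
    root="${1:-/proc/sys}"
    # Debian carries this knob as a distro patch; upstream kernels do not have it.
    clone=$(read_knob "$root/kernel/unprivileged_userns_clone")
    # Upstream per-user limit; 0 blocks user namespace creation for everyone.
    maxns=$(read_knob "$root/user/max_user_namespaces")

    if [ "$maxns" = "0" ]; then
        echo "restricted: user.max_user_namespaces=0 (upstream limit blocks all users)"
    elif [ "$clone" = "0" ]; then
        echo "restricted: kernel.unprivileged_userns_clone=0 (Debian pre-5.10 default)"
    elif [ "$clone" = "absent" ]; then
        echo "allowed: no Debian knob, upstream default permits unprivileged user namespaces"
    else
        echo "allowed: kernel.unprivileged_userns_clone=$clone (Linux 5.10+ Debian default)"
    fi
}

live_check() {
    # Confirm the knobs match reality: try to enter a new user namespace.
    # Root is not affected by unprivileged_userns_clone, so skip in that case.
    if [ "$(id -u)" = "0" ]; then
        echo "live check skipped: running as root"
    elif command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null; then
        echo "unshare -U succeeded: this user can create user namespaces"
    else
        echo "unshare -U failed or unavailable (sysctl, seccomp or LSM may block it)"
    fi
}

userns_policy
live_check
```

Run as an ordinary user on a bullseye host to see both the configured policy and whether a new user namespace can actually be created.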