Bug#987777: Linux enabled user namespaces by default
Paul Gevers
2021-04-29 10:40:01 UTC
Package: release-notes

Hi Ben, Simon,
* Document user.max_user_namespaces in procps's shipped
/etc/sysctl.conf
* Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
it (log a warning if it's changed)
* Document the change in bullseye release notes
I just stumbled over bug 898446 because of Simon's reply to bug 985617.
I'm pretty sure the last point still needs to happen. I found this in the
NEWS, which looks pretty good as a starting point. Does either of you
have anything to add?

"""
From Linux 5.10, all users are allowed to create user namespaces by
default. This will allow programs such as web browsers and container
managers to create more restricted sandboxes for untrusted or
less-trusted code, without the need to run as root or to use a
setuid-root helper.

The previous Debian default was to restrict this feature to processes
running as root, because it exposed more security issues in the
kernel. However, the security benefits of more widespread sandboxing
probably now outweigh this risk.

If you prefer to keep this feature restricted, set the sysctl:

kernel.unprivileged_userns_clone = 0
"""

Paul
Ben Hutchings
2021-04-29 14:10:01 UTC
Post by Paul Gevers
Package: release-notes
Hi Ben, Simon,
On Thu, 16 Apr 2020 03:09:25 +0100 Ben Hutchings
* Document user.max_user_namespaces in procps's shipped
  /etc/sysctl.conf
* Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
  it (log a warning if it's changed)
* Document the change in bullseye release notes
I just stumbled over bug 898446 because of Simon's reply to bug 985617.
I'm pretty sure the last point still needs to happen. I found this in the
NEWS, which looks pretty good as a starting point. Does either of you
have anything to add?
[...]

I have nothing to add to this.

Ben.
--
Ben Hutchings
Lowery's Law:
If it jams, force it. If it breaks, it needed replacing anyway.
Noah Meyerhans
2021-04-29 18:00:02 UTC
Post by Paul Gevers
The previous Debian default was to restrict this feature to processes
running as root, because it exposed more security issues in the
kernel. However, the security benefits of more widespread sandboxing
probably now outweigh this risk.
I don't really like the use of "probably" in this reasoning. We should
have a more definitive answer than "it's probably fine", or should at
least justify our decision somehow. Maybe we could replace the last
sentence with something to the effect of "However, as the implementation
of this feature has matured, we are now confident that the risk of
enabling it is outweighed by the security benefits it provides."

Just a thought. It's still a little hand-wavey, but at least provides
some justification for the change.

noah
Simon McVittie
2021-04-29 20:50:02 UTC
Does either of you have anything to add?
"""
From Linux 5.10, all users are allowed to create user namespaces by
default. This will allow programs such as web browsers and container
managers to create more restricted sandboxes for untrusted or
less-trusted code, without the need to run as root or to use a
setuid-root helper.
The previous Debian default was to restrict this feature to processes
running as root, because it exposed more security issues in the
kernel. However, the security benefits of more widespread sandboxing
probably now outweigh this risk.
kernel.unprivileged_userns_clone = 0
"""
I think this probably needs some wording about how that setting will make
web browsers, desktop features and Flatpak stop working (including things
that you wouldn't necessarily expect to be using containers, like GNOME's
thumbnailers). I'm not going to try to make bubblewrap work automatically
both ways - I think the most likely result of that would be a security flaw.

Perhaps something like this?

"""
If you prefer to keep this feature restricted, set the sysctl:

kernel.unprivileged_userns_clone = 0

Note that various desktop and container features will not work with this
restriction in place, including web browsers, WebKitGTK, Flatpak and GNOME
thumbnailing.
"""

smcv
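The messages above describe two kernel knobs (Debian's kernel.unprivileged_userns_clone and upstream's user.max_user_namespaces) and note that restricting them silently breaks bubblewrap-based sandboxes such as Flatpak and browser sandboxes. The following script is an added example and not part of the bug thread or the release notes: it reports the policy the running kernel actually applies, and then probes whether an unprivileged user can create a user namespace at all, which is the test a sysadmin would run before and after setting the sysctl. It assumes the Debian-specific /proc/sys/kernel/unprivileged_userns_clone file (absent on non-Debian kernels) and the util-linux unshare(1) tool; both are handled as optional.

```shell
#!/bin/sh
# Added example, not code from the Debian bug thread.
# Reports and probes the unprivileged user-namespace policy of the running kernel.

# Report the configured policy: "restricted", "unrestricted" or "unknown".
# Assumption: kernel.unprivileged_userns_clone exists only on Debian kernels,
# so the upstream user.max_user_namespaces limit is consulted first.
userns_policy() {
    max_file=/proc/sys/user/max_user_namespaces
    clone_file=/proc/sys/kernel/unprivileged_userns_clone

    # Upstream knob: a limit of 0 forbids new user namespaces for everyone.
    if [ -r "$max_file" ] && [ "$(cat "$max_file")" -eq 0 ] 2>/dev/null; then
        echo restricted
        return 0
    fi

    # Debian knob from the thread: 0 = root only, 1 = all users (bullseye default).
    if [ -r "$clone_file" ]; then
        case "$(cat "$clone_file")" in
            0) echo restricted ;;
            1) echo unrestricted ;;
            *) echo unknown ;;
        esac
        return 0
    fi

    # Non-Debian kernel without the patch, or /proc not mounted.
    echo unknown
}

# Probe the behaviour rather than the setting: try to enter a new user namespace
# as the current (ideally unprivileged) user. Prints "works", "blocked" or
# "unavailable" (unshare missing). bubblewrap, Flatpak and the browser sandboxes
# mentioned in the thread fail in the same way when this prints "blocked".
userns_probe() {
    if ! command -v unshare >/dev/null 2>&1; then
        echo unavailable
        return 0
    fi
    if unshare -U true >/dev/null 2>&1; then
        echo works
    else
        echo blocked
    fi
}

# Render the sysctl drop-in line the release notes give for keeping the
# feature restricted; "restricted" or "unrestricted" selects the value.
userns_sysctl_line() {
    case "$1" in
        restricted)   echo "kernel.unprivileged_userns_clone = 0" ;;
        unrestricted) echo "kernel.unprivileged_userns_clone = 1" ;;
        *) echo "usage: userns_sysctl_line restricted|unrestricted" >&2; return 1 ;;
    esac
}

# Stand-alone usage: print what the kernel says and what it actually does.
echo "configured policy: $(userns_policy)"
echo "unshare -U probe:  $(userns_probe)"
```

Run it once as a normal user before changing the sysctl and once after; a configured "unrestricted" policy together with a "blocked" probe points at some other mechanism (for example a container runtime's seccomp profile or user.max_user_namespaces hit by a per-user limit) rather than the Debian knob. The drop-in line, written to a file under /etc/sysctl.d/, is exactly the setting the release-notes text quotes.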
Paul Gevers
2021-05-08 20:00:02 UTC
Control: tags -1 patch confirmed

Hi

Attached commit ready to push.

Paul
Justin B Rye
2021-05-09 04:30:01 UTC
Post by Paul Gevers
Attached commit ready to push.
Looks good to me.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
Debian Bug Tracking System
2021-05-08 20:00:02 UTC
tags -1 patch confirmed
Bug #987777 [release-notes] Linux enabled user namespaces by default
Added tag(s) patch and confirmed.
--
987777: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987777
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Debian Bug Tracking System
2021-05-13 19:20:01 UTC
Your message dated Thu, 13 May 2021 21:14:40 +0200
with message-id <cd297aaa-f500-b51c-7727-***@debian.org>
and subject line Re: Bug#987777: Linux enabled user namespaces by default
has caused the Debian Bug report #987777,
regarding Linux enabled user namespaces by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
987777: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987777
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems