
Bug#987777: Linux enabled user namespaces by default



Package: release-notes

Hi Ben, Simon,

On Thu, 16 Apr 2020 03:09:25 +0100 Ben Hutchings <ben@decadent.org.uk>
wrote:
> So I think we should do something like this:
> 
> * Document user.max_user_namespaces in procps's shipped
>   /etc/sysctl.conf
> * Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
>   it (log a warning if it's changed)
> * Document the change in bullseye release notes

I just stumbled over bug 898446 because of Simon's reply to bug 985617.
I'm pretty sure the last point still needs to happen. I found this in the
NEWS, which looks pretty good as a starting point. Does either of you
have anything to add?

"""
From Linux 5.10, all users are allowed to create user namespaces by
default.  This will allow programs such as web browsers and container
managers to create more restricted sandboxes for untrusted or
less-trusted code, without the need to run as root or to use a
setuid-root helper.

The previous Debian default was to restrict this feature to processes
running as root, because it exposed more security issues in the
kernel.  However, the security benefits of more widespread sandboxing
probably now outweigh this risk.

If you prefer to keep this feature restricted, set the sysctl:

kernel.unprivileged_userns_clone = 0
"""

Paul
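As an added illustration (not part of the bug report or of Debian's own
tooling), the following POSIX shell script audits the two sysctls the
thread names: it parses a sysctl.conf-style file the way sysctl(8) reads
it (lines starting with # or ; are comments, either "." or "/" separates
key components, and a later assignment overrides an earlier one) and
classifies the configured user-namespace policy. The live check assumes
a Debian kernel, which exposes /proc/sys/kernel/unprivileged_userns_clone;
on other kernels the file is absent and the script says so. The sample
configuration is constructed for the demo, not Debian's shipped file.

```shell
#!/bin/sh
# Added example: audit user-namespace sysctls in a config file and on the
# running kernel. Assumes a Debian kernel for the live check (see lead-in).

# Effective value of $1 in the sysctl.conf-style file $2: comment and blank
# lines are skipped, "/" in key names is normalised to ".", whitespace
# around "=" is tolerated, and the last assignment wins. Prints "unset"
# when the key never appears.
sysctl_conf_value() {
    key="$1"; file="$2"
    awk -v k="$key" '
        /^[[:space:]]*[#;]/ { next }          # comment line
        /^[[:space:]]*$/    { next }          # blank line
        {
            n = index($0, "=")
            if (n == 0) next                  # not an assignment
            name = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub("/", ".", name)              # kernel/foo == kernel.foo
            if (name == k) last = val
        }
        END { if (last != "") print last; else print "unset" }
    ' "$file"
}

# Classify the configured policy: "restricted" when unprivileged user
# namespaces are disabled, "open" when enabled, "default" when the file
# leaves it alone (Debian's Linux 5.10 default is enabled), "invalid"
# for anything else.
userns_policy() {
    case "$(sysctl_conf_value kernel.unprivileged_userns_clone "$1")" in
        0)     echo restricted ;;
        1)     echo open ;;
        unset) echo default ;;
        *)     echo invalid ;;
    esac
}

# Read-only look at the running kernel. The sysctl is Debian-specific, so
# report "absent" rather than failing when the file does not exist.
userns_live() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Demo on a constructed configuration (not Debian's shipped sysctl.conf).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample sysctl.conf
user.max_user_namespaces = 15000
kernel.unprivileged_userns_clone = 1
; the later line below overrides the one above
kernel/unprivileged_userns_clone=0
EOF
echo "configured policy:        $(userns_policy "$demo_conf")"
echo "user.max_user_namespaces: $(sysctl_conf_value user.max_user_namespaces "$demo_conf")"
echo "running kernel:           $(userns_live)"
rm -f "$demo_conf"
```

Run it as an unprivileged user; nothing is written to /proc/sys. On the
constructed file it reports the policy as restricted, because the last
assignment wins, which is also why a site-local /etc/sysctl.d/ file that
sets kernel.unprivileged_userns_clone = 0 should sort after any file
that sets it to 1.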
