
Bug#987777: Linux enabled user namespaces by default



On Thu, 29 Apr 2021 at 12:31:21 +0200, Paul Gevers wrote:
> Does either of you have anything to add?
> 
> """
> From Linux 5.10, all users are allowed to create user namespaces by
> default.  This will allow programs such as web browsers and container
> managers to create more restricted sandboxes for untrusted or
> less-trusted code, without the need to run as root or to use a
> setuid-root helper.
> 
> The previous Debian default was to restrict this feature to processes
> running as root, because it exposed more security issues in the
> kernel.  However, the security benefits of more widespread sandboxing
> probably now outweigh this risk.
> 
> If you prefer to keep this feature restricted, set the sysctl:
> 
> kernel.unprivileged_userns_clone = 0
> """

I think this probably needs some wording about how that setting will make
web browsers, desktop features and Flatpak stop working (including things
that you wouldn't necessarily expect to be using containers, like GNOME's
thumbnailers). I'm not going to try to make bubblewrap work automatically
both ways - I think the most likely result of that would be a security flaw.

Perhaps something like this?

"""
If you prefer to keep this feature restricted, set the sysctl:

kernel.unprivileged_userns_clone = 0

Note that various desktop and container features will not work with this
restriction in place, including web browsers, WebKitGTK, Flatpak and GNOME
thumbnailing.
"""

    smcv
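The message above turns on one sysctl and one practical consequence: once `kernel.unprivileged_userns_clone = 0` is set, anything built on bubblewrap (Flatpak, WebKitGTK, the GNOME thumbnailers) stops working. Before flipping it, an administrator usually wants to know what the host currently allows. The script below is an added example, not code from this bug report or from any Debian package: it reads the Debian-specific sysctl, the upstream `user.max_user_namespaces` limit, and then actually tries to create a user namespace with util-linux's `unshare -U`, which is the same operation bubblewrap needs. The `/etc/sysctl.d/99-userns.conf` file name is a hypothetical example; any `*.conf` under `/etc/sysctl.d` works.

```shell
#!/bin/sh
# Added example (not from the bug thread): report whether unprivileged
# user namespaces are usable on this host, the way an admin would check
# before and after setting kernel.unprivileged_userns_clone = 0.

# Debian's knob. Upstream kernels do not have it, so "absent" means the
# kernel cannot be restricted through this particular sysctl.
userns_sysctl() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Upstream per-user-namespace limit; setting it to 0 also blocks creation.
userns_max() {
    f=/proc/sys/user/max_user_namespaces
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# The real test: ask the kernel for a new user namespace via unshare(1).
# Prints "enabled", "disabled" (refused by the sysctl, a seccomp filter or
# the max_user_namespaces limit) or "unknown" (unshare not installed).
# Run it as an ordinary user; as root the answer reflects CAP_SYS_ADMIN,
# not the unprivileged case the sysctl is about.
userns_probe() {
    command -v unshare >/dev/null 2>&1 || { echo unknown; return 0; }
    if unshare -U true 2>/dev/null; then echo enabled; else echo disabled; fi
}

# The sysctl.d fragment that restores the pre-5.10 Debian default.
# The file name is a hypothetical example.
restrict_snippet() {
    cat <<'EOF'
# /etc/sysctl.d/99-userns.conf
kernel.unprivileged_userns_clone = 0
EOF
}

userns_report() {
    echo "uid:                               $(id -u)"
    echo "kernel.unprivileged_userns_clone:  $(userns_sysctl)"
    echo "user.max_user_namespaces:          $(userns_max)"
    echo "unprivileged user namespace probe: $(userns_probe)"
}

userns_report
```

Run it as your normal desktop user, not via sudo. After installing the fragment and reloading with `sysctl --system`, the probe line should change from `enabled` to `disabled`; at that point `bwrap`-based launchers such as `flatpak run` will fail for the same reason, which is exactly the breakage the message warns about.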

