Control: tags -1 patch confirmed Hi Attached commit ready to push. Paul
From 2c36e76427bdf94d8e46138cb76c7b64414b5ddd Mon Sep 17 00:00:00 2001
From: Paul Gevers <elbrus@debian.org>
Date: Sat, 8 May 2021 21:52:43 +0200
Subject: [PATCH] issues.dbk: Linux enables user namespaces by default
---
en/issues.dbk | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/en/issues.dbk b/en/issues.dbk
index fb6682bd..b8506867 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -272,6 +272,38 @@ password [success=1 default=ignore] pam_unix.so obscure yescrypt
</para>
</section>
+ <section id="linux-user-namespaces">
+ <title>Linux enables user namespaces by default</title>
+ <para>
+ From <literal>Linux</literal> 5.10, all users are allowed to
+ create user namespaces by default. This will allow programs
+ such as web browsers and container managers to create more
+ restricted sandboxes for untrusted or less-trusted code,
+ without the need to run as root or to use a setuid-root
+ helper.
+ </para>
+ <para>
+ The previous Debian default was to restrict this feature to
+ processes running as root, because it exposed more security
+ issues in the kernel. However, as the implementation of this
+ feature has matured, we are now confident that the risk of
+ enabling it is outweighed by the security benefits it
+ provides.
+ </para>
+ <para>
+ If you prefer to keep this feature restricted, set the sysctl:
+ </para>
+ <programlisting>
+kernel.unprivileged_userns_clone = 0
+ </programlisting>
+ <para>
+ Note that various desktop and container features will not work
+ with this restriction in place, including web browsers,
+ <literal>WebKitGTK</literal>, <literal>Flatpak</literal> and
+ <literal>GNOME</literal> thumbnailing.
+ </para>
+ </section>
+
<section id="before-first-reboot">
<title>Things to do post upgrade before rebooting</title>
<!-- If there is nothing to do -->
--
2.30.2
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature