Your message dated Thu, 13 May 2021 21:14:40 +0200
with message-id <cd297aaa-f500-b51c-7727-9c4cd614b04b@debian.org>
and subject line Re: Bug#987777: Linux enabled user namespaces by default
has caused the Debian Bug report #987777,
regarding Linux enabled user namespaces by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
987777: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987777
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: Linux enabled user namespaces by default
- From: Paul Gevers <elbrus@debian.org>
- Date: Thu, 29 Apr 2021 12:31:21 +0200
- Message-id: <27056a8f-cbb0-8a60-2a89-de8f8c1bec41@debian.org>
- In-reply-to: <cbfb1a8844621df292c73b70c48b8d581ba64e27.camel@decadent.org.uk>
- References: <152606429001.13234.16221071531184316429.reportbug@valinor.bigon.be> <20200330095648.GA654721@espresso.pseudorandom.co.uk> <4032f8fa0897a3c6ff743f51962cfb6a5395c778.camel@decadent.org.uk> <20200415073208.GA258475@espresso.pseudorandom.co.uk> <cbfb1a8844621df292c73b70c48b8d581ba64e27.camel@decadent.org.uk> <cbfb1a8844621df292c73b70c48b8d581ba64e27.camel@decadent.org.uk>
Package: release-notes

Hi Ben, Simon,

On Thu, 16 Apr 2020 03:09:25 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> So I think we should do something like this:
>
> * Document user.max_user_namespaces in procps's shipped
>   /etc/sysctl.conf
> * Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
>   it (log a warning if it's changed)
> * Document the change in bullseye release notes

I just stumbled over bug 898446 because of Simon's reply to bug 985617. I'm pretty sure the last point still needs to happen. I found this in the NEWS, that looks pretty good as a starting point. Does either of you have anything to add?

"""
From Linux 5.10, all users are allowed to create user namespaces by default. This will allow programs such as web browsers and container managers to create more restricted sandboxes for untrusted or less-trusted code, without the need to run as root or to use a setuid-root helper.

The previous Debian default was to restrict this feature to processes running as root, because it exposed more security issues in the kernel. However, the security benefits of more widespread sandboxing probably now outweigh this risk.

If you prefer to keep this feature restricted, set the sysctl:

kernel.unprivileged_userns_clone = 0
"""

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---
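The NEWS text quoted in the message above names two knobs: the Debian-specific sysctl kernel.unprivileged_userns_clone (0 = old Debian default, only root may create user namespaces; 1 = new default from Linux 5.10) and the upstream limit user.max_user_namespaces (0 disables creation for everyone, root included). The script below is an added example, not code from the bug report, the Debian kernel team or the release notes; it classifies a host's policy from those two values and, separately, probes the behaviour with unshare(1). The script name userns-check.sh and the labels "enabled", "restricted", "exhausted" and "unknown" are this example's own choices, and the classifier treats a missing kernel.unprivileged_userns_clone (as on non-Debian kernels) as "enabled", since upstream has no such restriction.

```shell
#!/bin/sh
# userns-check.sh - added example (not from the Debian bug or NEWS text):
# classify the user-namespace policy of a Linux host from the two sysctls
# discussed in Bug#987777, then probe it behaviourally with unshare(1).

# Pure classifier so it can be exercised offline with constructed values.
# $1: value of kernel.unprivileged_userns_clone, or the word "absent" when
#     the Debian-specific sysctl does not exist (upstream kernels).
# $2: value of user.max_user_namespaces.
# Prints one of (labels are this example's own):
#   enabled    - unprivileged users may create user namespaces (exit 0)
#   restricted - Debian sysctl is 0, the pre-5.10 Debian default (exit 1)
#   exhausted  - max_user_namespaces is 0, nobody can create them (exit 1)
#   unknown    - unparseable input (exit 2)
userns_policy() {
    clone="$1"; maxns="$2"
    case "$maxns" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$maxns" -eq 0 ]; then
        echo "exhausted"; return 1
    fi
    case "$clone" in
        0)        echo "restricted"; return 1 ;;
        1|absent) echo "enabled";    return 0 ;;
        *)        echo "unknown";    return 2 ;;
    esac
}

# Read a sysctl by dotted name from /proc/sys; print "absent" if the
# kernel does not provide it.
read_sysctl() {
    f="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Behavioural probe: try to create a user namespace as the calling user.
# Exit 0 means it worked. This can also fail inside containers whose
# seccomp profile blocks unshare(2), so treat a failure as "blocked by
# something", not necessarily by these two sysctls.
probe_userns() {
    unshare -U true 2>/dev/null
}

main() {
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    maxns=$(read_sysctl user.max_user_namespaces)
    policy=$(userns_policy "$clone" "$maxns") || true
    echo "kernel.unprivileged_userns_clone=$clone" \
         "user.max_user_namespaces=$maxns -> $policy"
    if probe_userns; then
        echo "probe: unshare -U succeeded (unprivileged userns available)"
    else
        echo "probe: unshare -U failed"
    fi
}

# Only run the report when executed under the script's own name, so the
# functions can be sourced by other tooling without side effects.
case "$0" in
    *userns-check.sh) main ;;
esac
```

To restore the pre-bullseye behaviour persistently, put the line kernel.unprivileged_userns_clone = 0 in a file under /etc/sysctl.d/ and apply it with sysctl --system; note that this only has effect on Debian kernels that carry the patch, which is why the classifier reports "enabled" when the sysctl is absent rather than guessing.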
--- Begin Message ---
- To: 987777-done@bugs.debian.org
- Subject: Re: Bug#987777: Linux enabled user namespaces by default
- From: Paul Gevers <elbrus@debian.org>
- Date: Thu, 13 May 2021 21:14:40 +0200
- Message-id: <cd297aaa-f500-b51c-7727-9c4cd614b04b@debian.org>
- In-reply-to: <20210509041844.GB1855@jbr.me.uk>
- References: <cbfb1a8844621df292c73b70c48b8d581ba64e27.camel@decadent.org.uk> <27056a8f-cbb0-8a60-2a89-de8f8c1bec41@debian.org> <YIsZPEW1J43nOzc+@momentum.pseudorandom.co.uk> <27056a8f-cbb0-8a60-2a89-de8f8c1bec41@debian.org> <a911ed3c-11ab-ee55-fc3e-c9ea5f29bc92@debian.org> <20210509041844.GB1855@jbr.me.uk>
Hi,

On 09-05-2021 06:18, Justin B Rye wrote:
> Paul Gevers wrote:
>> Attached commit ready to push.
>
> Looks good to me.

Pushed.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---