Your message dated Mon, 26 Jul 2021 19:55:18 +0200 with message-id <899d18c9-003b-3d0f-1314-eeb5ed28c9a1@debian.org> and subject line Re: Bug#991426: release-notes: Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone? has caused the Debian Bug report #991426, regarding release-notes: Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone? to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 991426: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991426 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: release-notes: Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone?
- From: Simon McVittie <smcv@debian.org>
- Date: Fri, 23 Jul 2021 10:25:07 +0100
- Message-id: <[🔎] YPqK87YpYGF90x6E@momentum.pseudorandom.co.uk>
Package: release-notes Severity: normal Tags: patch moreinfo X-Debbugs-Cc: debian-kernel@lists.debian.org If I understand correctly, user.max_user_namespaces is an upstream kernel feature, but kernel.unprivileged_userns_clone comes from a Debian-specific patch that might be removed in future releases. It seems better to recommend the upstream version (also used in e.g. RHEL). A possible patch is attached, but I'd prefer to get confirmation from a kernel maintainer before applying this, hence tagged +moreinfo. smcv>From 4f306c09371023ff71f921e4e4adec09233325bd Mon Sep 17 00:00:00 2001 From: Simon McVittie <smcv@debian.org> Date: Fri, 23 Jul 2021 10:21:12 +0100 Subject: [PATCH] Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone If I understand correctly, user.max_user_namespaces is an upstream kernel feature, but kernel.unprivileged_userns_clone comes from a Debian-specific patch that might be removed in future releases. Signed-off-by: Simon McVittie <smcv@debian.org> --- en/issues.dbk | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/en/issues.dbk b/en/issues.dbk index d0918474..ec8b75e8 100644 --- a/en/issues.dbk +++ b/en/issues.dbk @@ -307,7 +307,7 @@ password [success=1 default=ignore] pam_unix.so obscure yescrypt If you prefer to keep this feature restricted, set the sysctl: </para> <programlisting> -kernel.unprivileged_userns_clone = 0 +user.max_user_namespaces = 0 </programlisting> <para> Note that various desktop and container features will not work @@ -315,6 +315,11 @@ kernel.unprivileged_userns_clone = 0 <literal>WebKitGTK</literal>, <literal>Flatpak</literal> and <literal>GNOME</literal> thumbnailing. </para> + <para> + The Debian-specific sysctl + <literal>kernel.unprivileged_userns_clone=0</literal> + has a similar effect, but is deprecated. + </para> </section> <section id="redmine"> -- 2.32.0
--- End Message ---
--- Begin Message ---
- To: Simon McVittie <smcv@debian.org>, 991426-done@bugs.debian.org
- Subject: Re: Bug#991426: release-notes: Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone?
- From: Paul Gevers <elbrus@debian.org>
- Date: Mon, 26 Jul 2021 19:55:18 +0200
- Message-id: <899d18c9-003b-3d0f-1314-eeb5ed28c9a1@debian.org>
- In-reply-to: <[🔎] YPqK87YpYGF90x6E@momentum.pseudorandom.co.uk>
- References: <[🔎] YPqK87YpYGF90x6E@momentum.pseudorandom.co.uk>
Hi Simon, On 23-07-2021 11:25, Simon McVittie wrote: > If I understand correctly, user.max_user_namespaces is an upstream kernel > feature, but kernel.unprivileged_userns_clone comes from a Debian-specific > patch that might be removed in future releases. It seems better to recommend > the upstream version (also used in e.g. RHEL). > > A possible patch is attached, but I'd prefer to get confirmation from > a kernel maintainer before applying this, hence tagged +moreinfo. Thanks, pushed after the confirmation by Ben. PaulAttachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---