[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#991426: marked as done (release-notes: Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone?)

Your message dated Mon, 26 Jul 2021 19:55:18 +0200
with message-id <899d18c9-003b-3d0f-1314-eeb5ed28c9a1@debian.org>
and subject line Re: Bug#991426: release-notes: Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone?
has caused the Debian Bug report #991426,
regarding release-notes: Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991426: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991426
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release-notes
Severity: normal
Tags: patch moreinfo
X-Debbugs-Cc: debian-kernel@lists.debian.org

If I understand correctly, user.max_user_namespaces is an upstream kernel
feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
patch that might be removed in future releases. It seems better to recommend
the upstream version (also used in e.g. RHEL).

A possible patch is attached, but I'd prefer to get confirmation from
a kernel maintainer before applying this, hence tagged +moreinfo.

    smcv

>From 4f306c09371023ff71f921e4e4adec09233325bd Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Fri, 23 Jul 2021 10:21:12 +0100
Subject: [PATCH] Recommend user.max_user_namespaces over
 kernel.unprivileged_userns_clone

If I understand correctly, user.max_user_namespaces is an upstream kernel
feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
patch that might be removed in future releases.

Signed-off-by: Simon McVittie <smcv@debian.org>
---
 en/issues.dbk | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/en/issues.dbk b/en/issues.dbk
index d0918474..ec8b75e8 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -307,7 +307,7 @@ password [success=1 default=ignore] pam_unix.so obscure yescrypt
         If you prefer to keep this feature restricted, set the sysctl:
       </para>
       <programlisting>
-kernel.unprivileged_userns_clone = 0
+user.max_user_namespaces = 0
       </programlisting>
       <para>
 	Note that various desktop and container features will not work
@@ -315,6 +315,11 @@ kernel.unprivileged_userns_clone = 0
 	<literal>WebKitGTK</literal>, <literal>Flatpak</literal> and
 	<literal>GNOME</literal> thumbnailing.
       </para>
+      <para>
+        The Debian-specific sysctl
+        <literal>kernel.unprivileged_userns_clone=0</literal>
+        has a similar effect, but is deprecated.
+      </para>
     </section>
 
     <section id="redmine">
-- 
2.32.0

--- End Message ---
--- Begin Message --- 
Hi Simon,

On 23-07-2021 11:25, Simon McVittie wrote:
> If I understand correctly, user.max_user_namespaces is an upstream kernel
> feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
> patch that might be removed in future releases. It seems better to recommend
> the upstream version (also used in e.g. RHEL).
> 
> A possible patch is attached, but I'd prefer to get confirmation from
> a kernel maintainer before applying this, hence tagged +moreinfo.

Thanks, pushed after the confirmation by Ben.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---
Reply to: