Re: Plans for user namespaces

To: debian-kernel@lists.debian.org
Subject: Re: Plans for user namespaces
From: Ben Hutchings <ben@decadent.org.uk>
Date: Fri, 09 Feb 2018 16:30:32 +0000
Message-id: <[🔎] 1518193832.2617.19.camel@decadent.org.uk>
In-reply-to: <[🔎] 7902e84f-fa1d-4ebd-d963-90469e63afbb@physik.uni-bonn.de>
References: <[🔎] 7902e84f-fa1d-4ebd-d963-90469e63afbb@physik.uni-bonn.de>

On Thu, 2018-02-08 at 14:18 +0100, Peter Wienemann wrote:
> Dear kernel experts,
> 
> I've got some questions concerning the plans for user namespaces:
> 
> 1. In stretch unprivileged user namespaces are enabled in the
> compile-time configuration of the kernel but disabled in the run-time
> configuration by default. As a consequence one needs to set
> "kernel.unprivileged_userns_clone=1" before one can make use of them.
> Are there any plans to change the default run-time configuration for buster?

No, this default mitigates a lot of security vulnerabilities.

> 2. If the answer to the first question is "no", what is the preferred
> behaviour upon installation of packages requiring the above feature?
> 
>    a) Warn the user and ask him/her to switch them on?
>    b) Silently switch them on?
>    c) Add instructions in README.Debian?
>    d) Something else?

I think (a) and/or (c).

Ben.

-- 
Ben Hutchings
Lowery's Law:
        If it jams, force it. If it breaks, it needed replacing anyway.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Plans for user namespaces
  - From: Peter Wienemann <wienemann@physik.uni-bonn.de>

Prev by Date: Processing of linux_4.9.80-2_source.changes
Next by Date: linux_4.9.80-2_source.changes ACCEPTED into proposed-updates->stable-new
Previous by thread: Plans for user namespaces
Next by thread: Bug#886156: src:linux: Additional information as stack trace match
Index(es):
- Date
- Thread