
Bug#898446: Please reconsider enabling the user namespaces by default



Control: tag -1 moreinfo

On Fri, 2018-05-11 at 20:44 +0200, Laurent Bigonville wrote:
> Source: linux
> Version: 4.16.5-1
> Severity: normal
> 
> Hi,
> 
> Firefox (and probably other applications) are using user namespaces these
> days to enhance the security.

Can you provide some information about this?

> Debian has been disabling these since 2013, the original patch states it's a
> short term solution, but we are here 5 years later and they are still
> disabled.

And this still mitigates a significant fraction of the security issues
found in the kernel.

> Apparently Debian (and Ubuntu) and Arch are the only distributions
> disabling the user namespaces.
> 
> Is there a list of remaining issues with the user namespaces? IIRC the
> only discussion I've seen were about adding upstream the option to
> disable them at runtime, nothing else.
> 
> Is it a possibility to reenable these for buster?

User namespaces *are* enabled - but by default, they can only be
created by root.  It is still possible to change that with a sysctl.

Ben.

-- 
Ben Hutchings
The most exhausting thing in life is being insincere.
                                                 - Anne Morrow Lindberg
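
Added example, not part of the message above or of the Debian kernel packaging: a small audit function that reports who may create user namespaces on a host. It assumes the sysctl referred to above is kernel.unprivileged_userns_clone (a distribution patch, not upstream) and also checks the upstream user.max_user_namespaces limit; neither name appears in the message, and userns_state is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: classify the user-namespace policy of a host.
# Usage: userns_state [SYSCTL_ROOT]   (SYSCTL_ROOT defaults to /proc/sys)
# Prints one of: disabled | root-only | unprivileged-allowed | unknown
# Passing another directory lets the logic run against a constructed tree.
userns_state() {
    sys="${1:-/proc/sys}"
    # Upstream per-user limit; 0 means nobody can create user namespaces.
    max_file="$sys/user/max_user_namespaces"
    # Assumed distribution knob (Debian-patched kernels); 0 restricts
    # creation to privileged processes, 1 allows any user.
    clone_file="$sys/kernel/unprivileged_userns_clone"

    # Neither file present: nothing to base a verdict on.
    if [ ! -r "$max_file" ] && [ ! -r "$clone_file" ]; then
        echo unknown
        return 0
    fi
    # The upstream limit wins: at 0 the distribution knob is irrelevant.
    if [ -r "$max_file" ] && [ "$(cat "$max_file")" = "0" ]; then
        echo disabled
        return 0
    fi
    # Distribution knob present and off: the default described above.
    if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = "0" ]; then
        echo root-only
        return 0
    fi
    # Knob set to 1, or kernel without the patch (upstream behaviour).
    echo unprivileged-allowed
}

# Report on the running system.
userns_state
```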
