
Bug#898446: Please reconsider enabling the user namespaces by default



On Wed, 15 Apr 2020 at 02:52:11 +0100, Ben Hutchings wrote:
> I think you've made a good case that user namespaces are likely to be a
> net positive for security on Debian desktop systems.
> 
> This might not be true yet for servers that aren't container hosts.

Perhaps Debian's kernel should continue to disable unprivileged creation
of user namespaces for now, but we should have a package that installs
a /etc/sysctl.d/*.conf fragment that will enable them, and packages
that benefit from them (bubblewrap, web browsers, sbuild) should have
a Depends or Recommends on that package instead of shipping a setuid-root
namespace-creation helper?

During the transition from "usually disabled" to "usually enabled", such
a package would also provide a useful way to document that the dependent
package won't work (optimally, or at all) without that feature.

I would prefer not to ship that file from src:bubblewrap, since bubblewrap
isn't the only user of that feature. Perhaps src:linux would be a better
home for it? And then it could go away (or be replaced by a Provides
from the kernel image) if/when a future kernel supports unprivileged
creation of user namespaces unconditionally.

    smcv
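
A check an administrator could run for the /etc/sysctl.d fragment discussed above, added here as an example and not part of the original message or of any Debian package. It assumes the switch in question is the Debian kernel's kernel.unprivileged_userns_clone sysctl, combined with the upstream user.max_user_namespaces limit; the function names and the ROOT argument are hypothetical, and only /etc/sysctl.d/*.conf is scanned (other sysctl.d directories are ignored).

```shell
#!/bin/sh
# Added example: report the runtime and persistent state of unprivileged
# user-namespace creation. ROOT (hypothetical) lets the check run against a
# constructed tree; empty means the live system.

# Runtime state, read from /proc/sys.
userns_runtime() {
    root=${1:-}
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"
    max="$root/proc/sys/user/max_user_namespaces"
    # A limit of 0 disables user namespaces for every user.
    if [ -r "$max" ] && [ "$(cat "$max")" = "0" ]; then
        echo disabled
        return
    fi
    # Assumed Debian-specific knob; absent on kernels without that patch.
    if [ -r "$clone" ]; then
        if [ "$(cat "$clone")" = "1" ]; then echo enabled; else echo disabled; fi
        return
    fi
    if [ -r "$max" ]; then echo enabled; else echo unknown; fi
}

# Persistent state: which /etc/sysctl.d fragment sets the knob last.
# Fragments are visited in lexical order, so the last assignment wins.
userns_fragment() {
    root=${1:-}
    result=
    for f in "$root"/etc/sysctl.d/*.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*kernel\.unprivileged_userns_clone[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then
            result="$f=$v"
        fi
    done
    echo "${result:-unset}"
}

echo "runtime: $(userns_runtime) fragment: $(userns_fragment)"
```

A runtime value that disagrees with the winning fragment means the setting was changed by hand or by a file outside /etc/sysctl.d and will not survive a reboot in its current state.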

