
Bug#898446: Please reconsider enabling the user namespaces by default



On Tue, 2020-10-20 at 17:21 +0100, Simon McVittie wrote:
> On Thu, 16 Apr 2020 at 03:09:25 +0100, Ben Hutchings wrote:
> > I don't think we should keep patching in
> > kernel.unprivileged_userns_clone forever, so the documented way to
> > disable user namespaces should be setting user.max_user_namespaces to
> > 0.  But then there's no good way to have a drop-in file that changes
> > back to the upstream default, because that's dependent on system memory
> > size.
> > 
> > So I think we should do something like this:
> > 
> > * Document user.max_user_namespaces in procps's shipped
> >   /etc/sysctl.conf
> > * Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
> >   it (log a warning if it's changed)
> > * Document the change in bullseye release notes
> 
> Is this something you intend to do before bullseye, or is it now going
> to be after bullseye?

I would like to do this for bullseye.  However, this has to be a
collective decision of the team.

> If this is intended to happen before bullseye, I'd like enough time
> before the freeze to put an as-graceful-as-possible transition in place
> in the bubblewrap package.
> 
> (I'm not sure what form that transition should take - suggestions welcome!
> Ideally I'd like bubblewrap to be setuid root if and only if we are still
> using a kernel where it needs to be.)

The only way I see to do that properly is to run a program at boot that
sets the setuid bit correctly for the running kernel.

You can get close with a kernel postinst hook, but you'd be changing
the bit before the new kernel is running, and for non-official kernel
packages you won't know whether they allow unprivileged user-namespace
creation.

Ben.

-- 
Ben Hutchings
The world is coming to an end.	Please log off.
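The boot-time check described above, as an added example that is not code from this thread or from Debian: a POSIX shell script that reads the two sysctls under discussion from the running kernel and decides whether unprivileged user-namespace creation is currently permitted, plus the drop-in that disables it via the upstream knob. The procfs paths are the standard ones; the decision rules, the treatment of a missing sysctl, and the drop-in file name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: decide from the
# running kernel's sysctls whether unprivileged user-namespace creation is
# permitted, using the two knobs the thread discusses.
set -eu

# Pure decision helper so it can be exercised without touching a kernel.
#   $1: kernel.unprivileged_userns_clone value, or "absent" when the
#       Debian-specific sysctl does not exist on this kernel
#   $2: user.max_user_namespaces value, or "absent" when the kernel has no
#       user.* sysctls (assumption: no cap means creation is not limited)
# Prints "disabled" or "allowed".
userns_policy() {
    clone="$1"; max="$2"
    if [ "$clone" = 0 ]; then
        echo disabled
        return 0
    fi
    if [ "$max" != absent ] && [ "$max" -le 0 ]; then
        echo disabled
        return 0
    fi
    echo allowed
}

# Read one sysctl from procfs, printing "absent" when the file is missing.
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Inspect the kernel that is actually running: a kernel postinst hook runs
# before the new kernel boots, so only a boot-time check sees real values.
current_userns_policy() {
    userns_policy \
        "$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)" \
        "$(read_sysctl /proc/sys/user/max_user_namespaces)"
}

# Drop-in that disables the feature through the upstream knob the thread
# wants documented; the file name is an example, not a Debian path.
print_disable_dropin() {
    printf '%s\n' '# /etc/sysctl.d/99-disable-userns.conf' \
                  'user.max_user_namespaces = 0'
}

echo "unprivileged user namespaces on this kernel: $(current_userns_policy)"
```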
