veonik | 2 years ago

Yikes... are other popular distros shipping with unprivileged user namespaces enabled by default?

marcthe12|2 years ago

Most. I think Debian has a patch for it to be disabled at runtime via sysctl. The reason is that most container or sandboxing techniques are root-only unless you mix them with user namespaces. So most container or sandbox software uses suid (firejail), a root daemon (docker) or user namespaces (podman and flatpak). Looking at the CVEs, user namespaces are probably the safer option.
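Added example (not part of the comment above, nor any distro's own tooling): a shell check for the runtime switch mentioned there, reading the Debian-patch sysctl `kernel.unprivileged_userns_clone` alongside the upstream `user.max_user_namespaces`. The sysctl-root argument and the output strings are assumptions of this sketch.

```shell
#!/bin/sh
# Classify the unprivileged-user-namespace policy from sysctl files.
# The sysctl root is a parameter (an assumption of this sketch) so the logic
# can be exercised against a constructed directory instead of live /proc/sys.

read_knob() {
    # Print the knob's value, or nothing if this kernel does not expose it.
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; fi
}

userns_status() {
    root="${1:-/proc/sys}"
    # Upstream knob (Linux 4.9+): limit on user namespaces; 0 blocks all creation.
    max=$(read_knob "$root/user/max_user_namespaces")
    # Debian-patch knob: 0 blocks creation by callers without CAP_SYS_ADMIN.
    clone=$(read_knob "$root/kernel/unprivileged_userns_clone")

    if [ "$max" = "0" ]; then
        echo "disabled user.max_user_namespaces=0"
    elif [ "$clone" = "0" ]; then
        echo "disabled kernel.unprivileged_userns_clone=0"
    elif [ -z "$max" ] && [ -z "$clone" ]; then
        # Neither file exists: old kernel or user namespaces not built in.
        echo "unknown no-userns-sysctl-found"
    else
        echo "enabled user.max_user_namespaces=${max:-absent} kernel.unprivileged_userns_clone=${clone:-absent}"
    fi
}

# With no argument this inspects the running system.
userns_status "$@"
```

On a kernel carrying the Debian patch, `sysctl -w kernel.unprivileged_userns_clone=0` flips the result to `disabled`; rootless podman and flatpak, which the comment lists as user-namespace users, are affected by that setting.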

galangalalgol|2 years ago

That is part of enabling rootless containers on RHEL or similar.

waynesonfire|2 years ago

Should have rewritten it in Rust.

failsecure|2 years ago

Yes and this decision haunts distros like Ubuntu over and over again. There's no easy win though.

touisteur|2 years ago

Do you need a user namespace? I'd expect a network namespace to be enough. Am I missing something?

Edit: Should've read better, this seems to need CLONE_NEWUSER.

jwilk|2 years ago

You need CAP_SYS_ADMIN to create a new network namespace.