Package: release-notes
Severity: normal
Tags: patch moreinfo
X-Debbugs-Cc: debian-ker...@lists.debian.org

If I understand correctly, user.max_user_namespaces is an upstream kernel
feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
patch that might be removed in future releases. It seems better to recommend
the upstream version (also used in e.g. RHEL).

A possible patch is attached, but I'd prefer to get confirmation from
a kernel maintainer before applying this, hence tagged +moreinfo.

    smcv
From 4f306c09371023ff71f921e4e4adec09233325bd Mon Sep 17 00:00:00 2001
From: Simon McVittie <s...@debian.org>
Date: Fri, 23 Jul 2021 10:21:12 +0100
Subject: [PATCH] Recommend user.max_user_namespaces over
 kernel.unprivileged_userns_clone

If I understand correctly, user.max_user_namespaces is an upstream kernel
feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
patch that might be removed in future releases.

Signed-off-by: Simon McVittie <s...@debian.org>
---
 en/issues.dbk | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/en/issues.dbk b/en/issues.dbk
index d0918474..ec8b75e8 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -307,7 +307,7 @@ password [success=1 default=ignore] pam_unix.so obscure yescrypt
         If you prefer to keep this feature restricted, set the sysctl:
       </para>
       <programlisting>
-kernel.unprivileged_userns_clone = 0
+user.max_user_namespaces = 0
       </programlisting>
       <para>
 	Note that various desktop and container features will not work
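Review bot: the swapped line is not a drop-in equivalent, and the sentence kept as context above it ("If you prefer to keep this feature restricted, set the sysctl:") still reads as if only unprivileged users are affected. `user.max_user_namespaces = 0` is a hard limit on the number of user namespaces that may be created under the current one and is enforced for every caller, so root (or any process with CAP_SYS_ADMIN) can no longer create user namespaces either, whereas `kernel.unprivileged_userns_clone = 0` only denied the unprivileged path. Suggest either extending the lead-in sentence to "set the sysctl, which disables user namespace creation for all users, including root:" or stating that in the paragraph that follows, so administrators who run root-only container tooling are not surprised. Worth adding as well that the limit only affects namespaces created after it is set; existing ones keep running.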
@@ -315,6 +315,11 @@ kernel.unprivileged_userns_clone = 0
 	<literal>WebKitGTK</literal>, <literal>Flatpak</literal> and
 	<literal>GNOME</literal> thumbnailing.
       </para>
+      <para>
+        The Debian-specific sysctl
+        <literal>kernel.unprivileged_userns_clone=0</literal>
+        has a similar effect, but is deprecated.
+      </para>
     </section>
 
     <section id="redmine">
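Review bot: "has a similar effect, but is deprecated" announces a deprecation that, per the cover letter, nobody has confirmed yet (the patch is tagged +moreinfo precisely to get a kernel maintainer's word on this), and "similar" leaves the reader with no way to tell how the two differ or which to prefer. Suggest wording that matches what is actually known: "The Debian-specific sysctl <literal>kernel.unprivileged_userns_clone=0</literal> has a similar effect, but only exists in Debian's kernel patch set and might be removed in a future release; prefer the upstream setting." If the maintainers do confirm a deprecation, the sentence can be tightened then; until then the notes should not be stronger than the evidence.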
-- 
2.32.0

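As an added example (not part of this bug report or of the release-notes patch), the following POSIX shell script reports which of the two sysctls discussed above is in effect on a host, applying the same preference order the patch proposes (upstream knob first, Debian-specific knob as a fallback), and can optionally confirm the result by attempting to create a user namespace. The function names, the output strings, the `--report` flag and the ability to point the check at a constructed directory instead of /proc/sys are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian release notes.
# Reports whether user-namespace creation is restricted on this host,
# preferring the upstream sysctl (user.max_user_namespaces) over the
# Debian-specific kernel.unprivileged_userns_clone, as the patch recommends.
# userns_policy takes the sysctl tree as an argument so it can be run
# against a constructed directory as well as the real /proc/sys.

# sysctl_value FILE: print the first line of a sysctl file, fail if unreadable.
sysctl_value() {
    [ -r "$1" ] || return 1
    read -r v < "$1" && printf '%s\n' "$v"
}

# userns_policy ROOT: print one line describing the effective policy.
#   upstream:blocked  user.max_user_namespaces is 0. This is stricter than the
#                     Debian knob: the limit counts every user namespace created
#                     under the current one and has no capability bypass, so
#                     root is blocked as well.
#   debian:blocked    kernel.unprivileged_userns_clone is 0 (Debian-specific
#                     patch); root with CAP_SYS_ADMIN can still unshare -U.
#   allowed           neither sysctl restricts creation.
#   unknown           user.max_user_namespaces is absent (kernel without the
#                     ucount limits, or not Linux).
userns_policy() {
    root="${1:-/proc/sys}"
    max=$(sysctl_value "$root/user/max_user_namespaces") || { echo unknown; return 0; }
    if [ "$max" -eq 0 ]; then
        echo upstream:blocked
        return 0
    fi
    # The Debian knob may not exist at all; treat a missing file as "1" (no restriction).
    clone=$(sysctl_value "$root/kernel/unprivileged_userns_clone") || clone=1
    if [ "$clone" -eq 0 ]; then
        echo debian:blocked
        return 0
    fi
    echo allowed
}

# live_probe: confirm the policy empirically by trying to create a user
# namespace as the invoking user. Needs unshare(1) from util-linux.
live_probe() {
    command -v unshare >/dev/null 2>&1 || { echo "probe:skipped (no unshare)"; return 0; }
    if unshare -U true 2>/dev/null; then
        echo "probe:userns-created"
    else
        echo "probe:denied"
    fi
}

# Run the report only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--report" ]; then
    userns_policy /proc/sys
    live_probe
fi
```

Run it as `sh userns-check.sh --report` on the host being audited; on a system where only the Debian knob is set to 0 the report shows `debian:blocked` for an unprivileged user but `probe:userns-created` when run as root, which is exactly the difference between the two sysctls that the release-notes text needs to spell out.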