Your message dated Mon, 26 Jul 2021 19:55:18 +0200
with message-id <[email protected]>
and subject line Re: Bug#991426: release-notes: Recommend
user.max_user_namespaces over kernel.unprivileged_userns_clone?
has caused the Debian Bug report #991426,
regarding release-notes: Recommend user.max_user_namespaces over
kernel.unprivileged_userns_clone?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
991426: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991426
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release-notes
Severity: normal
Tags: patch moreinfo
X-Debbugs-Cc: [email protected]
If I understand correctly, user.max_user_namespaces is an upstream kernel
feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
patch that might be removed in future releases. It seems better to recommend
the upstream version (also used in e.g. RHEL).
A possible patch is attached, but I'd prefer to get confirmation from
a kernel maintainer before applying this, hence tagged +moreinfo.
smcv
>From 4f306c09371023ff71f921e4e4adec09233325bd Mon Sep 17 00:00:00 2001
From: Simon McVittie <[email protected]>
Date: Fri, 23 Jul 2021 10:21:12 +0100
Subject: [PATCH] Recommend user.max_user_namespaces over
kernel.unprivileged_userns_clone
If I understand correctly, user.max_user_namespaces is an upstream kernel
feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
patch that might be removed in future releases.
Signed-off-by: Simon McVittie <[email protected]>
---
en/issues.dbk | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/en/issues.dbk b/en/issues.dbk
index d0918474..ec8b75e8 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -307,7 +307,7 @@ password [success=1 default=ignore] pam_unix.so obscure yescrypt
If you prefer to keep this feature restricted, set the sysctl:
</para>
<programlisting>
-kernel.unprivileged_userns_clone = 0
+user.max_user_namespaces = 0
</programlisting>
<para>
Note that various desktop and container features will not work
@@ -315,6 +315,11 @@ kernel.unprivileged_userns_clone = 0
<literal>WebKitGTK</literal>, <literal>Flatpak</literal> and
<literal>GNOME</literal> thumbnailing.
</para>
+ <para>
+ The Debian-specific sysctl
+ <literal>kernel.unprivileged_userns_clone=0</literal>
+ has a similar effect, but is deprecated.
+ </para>
</section>
<section id="redmine">
--
2.32.0
--- End Message ---
--- Begin Message ---
Hi Simon,
On 23-07-2021 11:25, Simon McVittie wrote:
> If I understand correctly, user.max_user_namespaces is an upstream kernel
> feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
> patch that might be removed in future releases. It seems better to recommend
> the upstream version (also used in e.g. RHEL).
>
> A possible patch is attached, but I'd prefer to get confirmation from
> a kernel maintainer before applying this, hence tagged +moreinfo.
Thanks, pushed after the confirmation by Ben.
Paul
OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---
