On Thu, 2018-02-08 at 14:18 +0100, Peter Wienemann wrote: > Dear kernel experts, > > I've got some questions concerning the plans for user namespaces: > > 1. In stretch unprivileged user namespaces are enabled in the > compile-time configuration of the kernel but disabled in the run-time > configuration by default. As a consequence one needs to set > "kernel.unprivileged_userns_clone=1" before one can make use of them. > Are there any plans to change the default run-time configuration for buster?
No, this default mitigates a lot of security vulnerabilities. > 2. If the answer to the first question is "no", what is the preferred > behaviour upon installation of packages requiring the above feature? > > a) Warn the user and ask him/her to switch them on? > b) Silently switch them on? > c) Add instructions in README.Debian? > d) Something else? I think (a) and/or (c). Ben. -- Ben Hutchings Lowery's Law: If it jams, force it. If it breaks, it needed replacing anyway.
Description: This is a digitally signed message part