Hi,

On Tue, Oct 20, 2020 at 05:21:24PM +0100, Simon McVittie wrote:
> On Thu, 16 Apr 2020 at 03:09:25 +0100, Ben Hutchings wrote:
> > I don't think we should keep patching in
> > kernel.unprivileged_userns_clone forever, so the documented way to
> > disable user namespaces should be setting user.max_user_namespaces to
> > 0. But then there's no good way to have a drop-in file that changes
> > back to the upstream default, because that's dependent on system memory
> > size.
> >
> > So I think we should do something like this:
> >
> > * Document user.max_user_namespaces in procps's shipped
> >   /etc/sysctl.conf
> > * Set kernel.unprivileged_userns_clone to 1 by default, and deprecate
> >   it (log a warning if it's changed)
> > * Document the change in bullseye release notes
>
> Is this something you intend to do before bullseye, or is it now going
> to be after bullseye?
>
> If this is intended to happen before bullseye, I'd like enough time
> before the freeze to put an as-graceful-as-possible transition in place
> in the bubblewrap package.
>
> (I'm not sure what form that transition should take - suggestions welcome!
> Ideally I'd like bubblewrap to be setuid root if and only if we are still
> using a kernel where it needs to be.)
TBH, I think not having it enabled by default until now saved us a couple of times from needing to release urgent fixes. It is more a gut feeling and might not have enough weight: but having it still disabled in bullseye by default, we would still be better off from the security releases/DSAs perspective.

Regards,
Salvatore
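The transition Simon asks about needs a way to tell whether the running kernel still requires a setuid helper, i.e. whether unprivileged user namespace creation is currently possible. The following POSIX sh check is an added example written for this thread, not code from the bubblewrap or procps packages; it combines the Debian-specific kernel.unprivileged_userns_clone toggle (which may be absent on non-Debian kernels) with the upstream user.max_user_namespaces limit that Ben proposes as the documented knob. The function and helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether unprivileged user
# namespaces are usable, from the two sysctls discussed above.
#
# userns_state CLONE MAX
#   CLONE: value of kernel.unprivileged_userns_clone, or "" when the
#          Debian-specific sysctl does not exist on this kernel
#   MAX:   value of user.max_user_namespaces, or "" when the kernel
#          predates that limit
# Prints "enabled" or "disabled"; exit status 0 means enabled.
userns_state() {
    clone="$1"
    max="$2"
    # Debian toggle present and 0: unprivileged clone(CLONE_NEWUSER) is refused.
    if [ -n "$clone" ] && [ "$clone" -eq 0 ]; then
        echo disabled
        return 1
    fi
    # Upstream limit 0: no user namespaces can be created at all, for anyone.
    # An absent limit (old kernel) is treated as "no limit" (assumption).
    if [ "${max:-1}" -eq 0 ]; then
        echo disabled
        return 1
    fi
    echo enabled
    return 0
}

# Read a sysctl via /proc; prints nothing and fails when the knob is absent.
read_sysctl() {
    [ -r "/proc/sys/$1" ] && cat "/proc/sys/$1"
}

# Evaluate the live system. Optionally confirm with a real unshare(2) probe,
# which is the authoritative answer regardless of which sysctl is in play.
check_running_kernel() {
    clone=$(read_sysctl kernel/unprivileged_userns_clone || true)
    max=$(read_sysctl user/max_user_namespaces || true)
    state=$(userns_state "$clone" "$max") || true
    printf 'sysctl view: %s (clone=%s max=%s)\n' "$state" "${clone:-absent}" "${max:-absent}"
    if command -v unshare >/dev/null 2>&1; then
        if unshare -U true 2>/dev/null; then
            echo 'probe: unshare -U succeeded'
        else
            echo 'probe: unshare -U failed'
        fi
    fi
}
```

Run `check_running_kernel` as an unprivileged user; a helper that needs setuid only when `userns_state` reports "disabled" is the "if and only if" condition Simon describes.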