Source: linux
Version: 5.17.11-1
Severity: normal
Tags: security


Some time ago, Debian decided to enable user namespaces per default.

Since then we've had numerous security holes which would have been
prevented when user namespaces were disabled.

I vaguely recall at least around 6-7 such holes, and a quick google
search seems to reveal that at least those would have been mitigated
by unprivileged user namespaces being disabled:
CVE-2022-1966 resp. CVE-2022-32250

And these are just the ones from more recent years.
A longer list can be found e.g.

It also doesn't look as if userns just needed some polishing and "now"
they'd be finally secure - it rather seems like just a matter of time
when one can read next, that some hole can be mitigated by disabling

It rather seems that this feature is only of special use, namely for
those people who use user namespaces with containers or similar - by
far no default on a average server or desktop.

Even "jailing" tools like bubblewrap do IMO not really justify this
being a default:
a) it's only used by certain programs, e.g. bubblewrap isn't a
standard tool found on every install
b) such tools could just ship a default sysctl config or rather ask a
debconf question whether such questionable functionality should be
c) there is anyway no such thing as a true "jail"  - software makers
should rather try to secure their code, than believing that some magic
tool would do the job for them, which use a feature which seems still
not stable from the security PoV.

So if the feature is anyway easily configurable - why choosing a
default which has proven insecure numerous times?
Why do all users - especially those who do not even use the feature -
have to suffer from it working out of the box, just for a few special
use cases (who could also just enable it)?

So please reconsider the previous choice, don't ship insecure defaults
and disable unprivileged userns per default, until at least some at
least 5-10 years no further hole is going to be found, which would
have been prevented with them being disabled.

Just my 2 cents,

PS: As for (d), it would be really bad if all programs who can make
use of userns now simply ship their own /etc/sysctl.d/foo.conf, making
it even more difficult for people who deliberately not want that
feature to keep it disabled for sure. There should be rather a
convention that such tools would enable it in a common file like

Reply via email to