Bug#991426: release-notes: Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone?

2021-07-25 Thread Ben Hutchings
On Fri, 2021-07-23 at 10:25 +0100, Simon McVittie wrote:
> Package: release-notes
> Severity: normal
> Tags: patch moreinfo
> X-Debbugs-Cc: debian-ker...@lists.debian.org
> 
> If I understand correctly, user.max_user_namespaces is an upstream kernel
> feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
> patch that might be removed in future releases. It seems better to recommend
> the upstream version (also used in e.g. RHEL).
> 
> A possible patch is attached, but I'd prefer to get confirmation from
> a kernel maintainer before applying this, hence tagged +moreinfo.

I agree that this may be more future-proof (though it's taken little
effort to maintain that patch over the last 8 years).

Ben.

-- 
Ben Hutchings
Reality is just a crutch for people who can't handle science fiction.



Bug#991426: release-notes: Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone?

2021-07-23 Thread Simon McVittie
Package: release-notes
Severity: normal
Tags: patch moreinfo
X-Debbugs-Cc: debian-ker...@lists.debian.org

If I understand correctly, user.max_user_namespaces is an upstream kernel
feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
patch that might be removed in future releases. It seems better to recommend
the upstream version (also used in e.g. RHEL).

A possible patch is attached, but I'd prefer to get confirmation from
a kernel maintainer before applying this, hence tagged +moreinfo.

smcv

From 4f306c09371023ff71f921e4e4adec09233325bd Mon Sep 17 00:00:00 2001
From: Simon McVittie 
Date: Fri, 23 Jul 2021 10:21:12 +0100
Subject: [PATCH] Recommend user.max_user_namespaces over
 kernel.unprivileged_userns_clone

If I understand correctly, user.max_user_namespaces is an upstream kernel
feature, but kernel.unprivileged_userns_clone comes from a Debian-specific
patch that might be removed in future releases.

Signed-off-by: Simon McVittie 
---
 en/issues.dbk | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/en/issues.dbk b/en/issues.dbk
index d0918474..ec8b75e8 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -307,7 +307,7 @@ password [success=1 default=ignore] pam_unix.so obscure yescrypt
 If you prefer to keep this feature restricted, set the sysctl:
   
   
-kernel.unprivileged_userns_clone = 0
+user.max_user_namespaces = 0
   
   
 	Note that various desktop and container features will not work
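Review bot: the replacement line `user.max_user_namespaces = 0` sits under the unchanged sentence "If you prefer to keep this feature restricted", but the two keys do not read as the same restriction. The old key's name scopes it to unprivileged callers, while the new key's name reads as a limit on user namespaces as such. Suggest stating in this paragraph whether a value of 0 also stops privileged processes from creating user namespaces, so that administrators who switch from the old key know what changes for them. The unchanged note that "various desktop and container features will not work" may need the same adjustment.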
@@ -315,6 +315,11 @@ kernel.unprivileged_userns_clone = 0
 	WebKitGTK, Flatpak and
 	GNOME thumbnailing.
   
+  
+The Debian-specific sysctl
+kernel.unprivileged_userns_clone=0
+has a similar effect, but is deprecated.
+  
 
 
 
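Review bot: in the added paragraph, "has a similar effect, but is deprecated" leaves two things open: in what way the effect differs from `user.max_user_namespaces = 0`, and on what basis the old key is deprecated. The commit message only says the Debian-specific patch "might be removed in future releases", which is weaker than "deprecated"; suggest wording along the lines of "is Debian-specific and may be removed in a future release". The paragraph also gives no advice for systems that already set the old key, and it writes `kernel.unprivileged_userns_clone=0` without spaces where the first hunk uses `key = value`; pick one form.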
-- 
2.32.0