On Thu, 2018-02-08 at 14:18 +0100, Peter Wienemann wrote: > Dear kernel experts, > > I've got some questions concerning the plans for user namespaces: > > 1. In stretch unprivileged user namespaces are enabled in the > compile-time configuration of the kernel but disabled in the run-time > configuration by default. As a consequence one needs to set > "kernel.unprivileged_userns_clone=1" before one can make use of them. > Are there any plans to change the default run-time configuration for buster?
No, this default mitigates a lot of security vulnerabilities.
> 2. If the answer to the first question is "no", what is the preferred
> behaviour upon installation of packages requiring the above feature?
>
> a) Warn the user and ask him/her to switch them on?
> b) Silently switch them on?
> c) Add instructions in README.Debian?
> d) Something else?
I think (a) and/or (c).
Ben.
--
Ben Hutchings
Lowery's Law:
If it jams, force it. If it breaks, it needed replacing anyway.
signature.asc
Description: This is a digitally signed message part
