Unprivileged User Namespaces enabled by default in kernel 5.1.8 ?

Toolybird · 2019-06-10 23:13:40

Unless I'm missing something, it appears Unprivileged User Namespaces have been enabled by default in latest kernel update.

# cat /proc/sys/kernel/unprivileged_userns_clone
1

Is this a change in Arch policy or was the change unintentional?

Just curious.

loqs · 2019-06-11 00:09:01

https://git.archlinux.org/linux.git/com … 87683e3e51

Toolybird · 2019-06-11 22:08:02

And still there in kernel 5.1.9 so this seems to be intentional and no accident.

It would appear the "general security concerns" mentioned in the wiki [1] are no longer considered an issue. Fair enough.

[1] https://wiki.archlinux.org/index.php/Li … (optional)

Last edited by Toolybird (2019-06-11 22:10:03)

Nickolas0 · 2019-06-12 11:17:42

Toolybird wrote:

It would appear the "general security concerns" mentioned in the wiki [1] are no longer considered an issue. Fair enough.
[1] https://wiki.archlinux.org/index.php/Li … (optional)

They are still considered an issue, just not by linux package mantainer.

Akusari · 2019-06-13 13:59:09

Toolybird wrote:

Unless I'm missing something, it appears Unprivileged User Namespaces have been enabled by default in latest kernel update.
# cat /proc/sys/kernel/unprivileged_userns_clone
1
Is this a change in Arch policy or was the change unintentional?
Just curious.

Yes, i think that's a bad thing anyway. Probably usability wins over security. :-(
Why not simply offer a special kernel for docker and co and leave it as it is ?
They are all bitches (in matter of lazyness)

On the other handy you can run your own PKGBUILD from Arch kernels and easy add this patch again. :-)

Regards

PS: i'm building my own kernels with Arch kernel sources always and my own patches ;-)

Last edited by Akusari (2019-06-13 14:05:00)

Omar007 · 2019-06-13 14:17:10

No need to go through the trouble of patching for this. Just do the reverse of the enable instructions to disable it instead; set sysctl kernel.unprivileged_userns_clone=0 instead of 1.

Akusari · 2019-06-13 14:40:15

Omar007 wrote:

No need to go through the trouble of patching for this. Just do the reverse of the enable instructions to disable it instead; set sysctl kernel.unprivileged_userns_clone=0 instead of 1.

Yes, that's possible of course and maybe the best way for folks out there. :-)

Well, It's always a matter of taste which way do you prefer and which "basic" compile-time setting should be enabled . ;-)

Just for example my kernel line looks like so: ".....pti=off spectre_v2=off spectre_v2_user=off spec_store_bypass_disable=off l1tf=off mds=off vga=792 audit=0 noresume"

WTF are doing this guy ??? Right, there are much better ways to handle that, specialy the new migration option. I have my reasons why i like it exactly this way!

Simply i prefer a kernel which is compile-time configured, expect meltdown and specture related staff. :-) It simply reduce the possibilities of configuration mistakes ;-)
And we are all humans ;-)

Last edited by Akusari (2019-06-13 14:49:33)

Arch Linux

#1 2019-06-10 23:13:40

Unprivileged User Namespaces enabled by default in kernel 5.1.8 ?

#2 2019-06-11 00:09:01

Re: Unprivileged User Namespaces enabled by default in kernel 5.1.8 ?

#3 2019-06-11 22:08:02

Re: Unprivileged User Namespaces enabled by default in kernel 5.1.8 ?

#4 2019-06-12 11:17:42

Re: Unprivileged User Namespaces enabled by default in kernel 5.1.8 ?

#5 2019-06-13 13:59:09

Re: Unprivileged User Namespaces enabled by default in kernel 5.1.8 ?

#6 2019-06-13 14:17:10

Re: Unprivileged User Namespaces enabled by default in kernel 5.1.8 ?

#7 2019-06-13 14:40:15

Re: Unprivileged User Namespaces enabled by default in kernel 5.1.8 ?

Board footer