undefined | Better HN

0 pointsveonik2y ago0 comments

Yikes... are other popular distros shipping with unprivileged user namespaces enabled by default?

0 comments

Most, I think Debian has patch to be disabled at runtime via sysctl. The reason is that most containers or sandboxing techniques are root only unless you mix it with user namescapes. So most container or sandbox software use suid(firejail) , root daemon(docker) or user namescapes (podman and flatpak). Looking at the cves, user namespaces is probably the safer option

galangalalgol2y ago

That is part of enabling rootless containers on rhel or similar.

waynesonfire2y ago

should have re-written it in rust.

yjftsjthsd-h2y ago

Rewritten what? The container runtime will need the same access regardless of what it's written in, and rewriting all of Linux (the kernel) would be... ambitious, although it is adopting rust incrementally.

1 more reply

failsecure2y ago

Yes and this decision haunts distros like Ubuntu over and over again. There's no easy win though.

touisteur2y ago

Do you need a user namespace? I'd expect a network namespace to be enough. Am I missing something?

Edit: should've read better, this seems to need CLONE_NEWUSER.

jwilk2y ago

You need CAP_SYS_ADMIN to create a new network namespace.

j / k navigate · click thread line to collapse