-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, 2020-05-06 at 10:43 -0400, Aaron M. Ucko wrote:
> Package: hardening-runtime
> Version: 2
> Severity: normal
>
> systemd services specifying PrivateUsers=yes (upower for a while, now
> also uuidd from uuid-runtime) have been failing with
>
> Failed to set up user namespacing: No space left on device
>
> which I eventually tracked down to this package's specification of
>
> user.max_user_namespaces = 0
>
> in /usr/lib/sysctl.d/10-hardening.conf. Could you please consider
> lifting this restriction, or at least blocking user namespaces only
> for unprivileged users via an explicit
>
> kernel.unprivileged_userns_clone = 0
>

Hi Aaron, thanks for the bug report. Note that kernel.unprivileged_userns_clone is already set to 0 by default, so it's not really needed here.
I'm not a fan of lifting the max_user_namespaces restriction here, since it's there as runtime hardening. I can understand the pain with PrivateUsers, but I still don't think exposing root-designed kernel code to unprivileged users is a good idea. hardening-runtime is not installed by default, so admins installing it are supposed to understand what they do. They can also locally override the restriction if needed (for example, set it to 1 or 2).

In the end I leave the bug open for now, but I'm not really inclined to change it.

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAl6y51MACgkQ3rYcyPpX
RFuiUQgAvVnPtCPIGNEbDDUm31GkLmNmzbkBIokzIcVBFCnpyGcq0PhfYpFDSwvQ
A5QpbO1/OWbnXjJwW9tqebSm0e/lic2Jgbluk1I7Fv+kPJVCLrSvRmJ+d/FtEAC/
J4ciaWC2dGn/TUK2YSjcivuN89TvMCwPwOJEVS5ARMcgQHAOFV4M4xu8EENYYxY6
HHYPomZ0em6oivBrbTMj48TABB/o7j/0dGfLR3SEnTyWs/8abq31wM0FjurvoK7v
h7zpnpKoPo8f4mSsUO25RCCAuFD8tWgnwHLIe9GJR7qtvbFXXJHOtoClWCCasfgw
/4Hqqh3Z8AsApQJubSSKSgCAMv/gbA==
=PhJf
-----END PGP SIGNATURE-----
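An added example, not part of the bug thread or of the hardening-runtime package, illustrating the distinction both messages turn on: `user.max_user_namespaces = 0` refuses every user namespace, root's included, which is why a unit with PrivateUsers=yes fails with "No space left on device" (ENOSPC), whereas `kernel.unprivileged_userns_clone = 0` only fences off unprivileged callers. The script models `sysctl --system` precedence over constructed copies of 10-hardening.conf and a local override of the kind the reply suggests, then reads the live values from /proc/sys if present. The override file name 99-local-userns.conf, the verdict labels and the sample file contents are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from hardening-runtime.
# Models how sysctl.d precedence combines the shipped 10-hardening.conf with
# a local admin override, and what the result means for PrivateUsers=yes.
# File name 99-local-userns.conf, verdict labels and contents are constructed.

# effective_sysctl KEY FILE...
# Parse "key = value" lines from the files in the order given; the last
# assignment wins. This mirrors sysctl --system, which applies files sorted
# by basename, later ones overriding earlier ones (and a file in /etc/sysctl.d
# replacing a same-named file in /usr/lib/sysctl.d).
effective_sysctl() {
    key="$1"; shift
    [ $# -gt 0 ] || { echo; return 0; }     # no files: no value
    awk -v key="$key" '
        /^[ \t]*[#;]/ { next }               # skip comment lines
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) value = v
        }
        END { print value }
    ' "$@"
}

# live_sysctl KEY: read the running kernel's value via /proc/sys, or print
# "absent" when the key does not exist (kernel.unprivileged_userns_clone is
# a Debian-specific sysctl and is missing on other kernels).
live_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else echo absent; fi
}

# userns_verdict MAX CLONE: who can create user namespaces?
#   MAX = 0        -> nobody, root included; PrivateUsers=yes fails with
#                     "No space left on device" (ENOSPC) as in the report
#   CLONE = 0      -> privileged processes only; systemd (root) can still set
#                     up PrivateUsers=yes, unprivileged users cannot
#   anything else  -> any user, up to MAX namespaces system-wide
userns_verdict() {
    max="$1"; clone="$2"
    if [ "$max" -eq 0 ] 2>/dev/null; then
        echo blocked-for-all
    elif [ "$clone" = 0 ]; then
        echo root-only
    else
        echo allowed-for-all
    fi
}

# Demo over constructed files in a temp dir; touches no real sysctl.
demo() {
    d=$(mktemp -d)
    # what hardening-runtime ships (value quoted in the bug report)
    printf 'user.max_user_namespaces = 0\n' > "$d/10-hardening.conf"
    # a local override of the kind the maintainer suggests ("set it to 1 or 2")
    printf '# local override for units using PrivateUsers=yes\n' > "$d/99-local-userns.conf"
    printf 'user.max_user_namespaces = 2\n' >> "$d/99-local-userns.conf"

    shipped=$(effective_sysctl user.max_user_namespaces "$d/10-hardening.conf")
    overridden=$(effective_sysctl user.max_user_namespaces \
        "$d/10-hardening.conf" "$d/99-local-userns.conf")
    # clone=0 below is the Debian default the reply mentions
    echo "shipped:    max_user_namespaces=$shipped -> $(userns_verdict "$shipped" 0)"
    echo "overridden: max_user_namespaces=$overridden -> $(userns_verdict "$overridden" 0)"
    echo "this host:  max_user_namespaces=$(live_sysctl user.max_user_namespaces)" \
         "unprivileged_userns_clone=$(live_sysctl kernel.unprivileged_userns_clone)"
    rm -rf "$d"
}

demo
```

Run as a normal user on a machine with the package installed: the "this host" line shows 0 for max_user_namespaces, which is the value the failing units hit, and the "overridden" line shows the effect of dropping a higher-numbered file into /etc/sysctl.d without touching the packaged one.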

