Package: release-notes
Severity: normal
Tags: patch moreinfo
X-Debbugs-Cc: debian-kernel@lists.debian.org
If I understand correctly, user.max_user_namespaces is an upstream kernel feature, but kernel.unprivileged_userns_clone comes from a Debian-specific patch that might be removed in future releases. It seems better to recommend the upstream version (also used in e.g. RHEL). A possible patch is attached, but I'd prefer to get confirmation from a kernel maintainer before applying this, hence tagged +moreinfo.

smcv
>From 4f306c09371023ff71f921e4e4adec09233325bd Mon Sep 17 00:00:00 2001 From: Simon McVittie <s...@debian.org> Date: Fri, 23 Jul 2021 10:21:12 +0100 Subject: [PATCH] Recommend user.max_user_namespaces over kernel.unprivileged_userns_clone If I understand correctly, user.max_user_namespaces is an upstream kernel feature, but kernel.unprivileged_userns_clone comes from a Debian-specific patch that might be removed in future releases. Signed-off-by: Simon McVittie <s...@debian.org> --- en/issues.dbk | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/en/issues.dbk b/en/issues.dbk index d0918474..ec8b75e8 100644 --- a/en/issues.dbk +++ b/en/issues.dbk @@ -307,7 +307,7 @@ password [success=1 default=ignore] pam_unix.so obscure yescrypt If you prefer to keep this feature restricted, set the sysctl: </para> <programlisting> -kernel.unprivileged_userns_clone = 0 +user.max_user_namespaces = 0 </programlisting> <para> Note that various desktop and container features will not work @@ -315,6 +315,11 @@ kernel.unprivileged_userns_clone = 0 <literal>WebKitGTK</literal>, <literal>Flatpak</literal> and <literal>GNOME</literal> thumbnailing. </para> + <para> + The Debian-specific sysctl + <literal>kernel.unprivileged_userns_clone=0</literal> + has a similar effect, but is deprecated. + </para> </section> <section id="redmine"> -- 2.32.0
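Review bot: the first hunk (`-kernel.unprivileged_userns_clone = 0` / `+user.max_user_namespaces = 0`) swaps in a sysctl that is stricter than the one it replaces, and the surrounding text does not say so. `kernel.unprivileged_userns_clone = 0` only stops unprivileged processes from creating user namespaces; `user.max_user_namespaces = 0` sets the per-user namespace limit of the initial user namespace to zero, and the kernel applies that limit to every caller, root and CAP_SYS_ADMIN included. Container runtimes and services that run as root but still create user namespaces will therefore stop working as well, which the following "Note that various desktop and container features will not work" sentence does not currently convey. Suggest stating explicitly that the upstream knob disables user namespace creation for all users, or mentioning that it is a per-user count so a reader who only wants to cap rather than forbid can choose a non-zero value.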
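Review bot: in the second hunk, "has a similar effect, but is deprecated" in the new `<para>` claims more than the commit message supports: the message only says the knob "might be removed in future releases", itself qualified with "If I understand correctly", and nothing cited here marks it deprecated. Until a kernel maintainer confirms (the report is tagged moreinfo for exactly that), a neutral wording is safer, e.g. "The Debian-specific sysctl <literal>kernel.unprivileged_userns_clone=0</literal> restricts user namespace creation for unprivileged users only and may not be available in future kernels." That also replaces "similar effect", which hides the one difference a reader needs: the Debian knob leaves root able to create user namespaces, the upstream limit does not. Minor: the `<programlisting>` just above writes the assignment with spaces around `=`; `kernel.unprivileged_userns_clone=0` in running text is inconsistent with it.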