In-Reply-To: <20160308060657.GA3565@mail.hallyn.com>
From: Andy Lutomirski
Date: Tue, 8 Mar 2016 10:31:45 -0800
Subject: Re: Thoughts on tightening up user namespace creation
To: Serge Hallyn
Cc: Stephane Graber, Colin Walters, Kees Cook, Linux Containers, "Eric W. Biederman", "linux-kernel@vger.kernel.org", Seth Forshee, Alexander Larsson
X-Mailing-List: linux-kernel@vger.kernel.org

On Mar 7, 2016 10:06 PM, "Serge E. Hallyn" wrote:
>
> On Mon, Mar 07, 2016 at 09:15:25PM -0800, Andy Lutomirski wrote:
> > - Ubuntu requires CAP_SYS_ADMIN
>
> No, it does not. It has temporarily re-added a sysctl which can enable
> that behavior, but it's not set by default. The reason for providing it
> is not a distrust of user namespaces in general, but because we're enabling
> some bleeding edge patches which haven't been accepted upstream yet. Once
> they're accepted upstream I expect that patch to be dropped again, unless
> it has gone upstream.
>
> Debian does afaik still have a version of a patch I'd originally written
> before user namespaces were upstream which defaulted unprivileged userns
> cloning to off. Did you mean Debian here?

I meant Ubuntu 14.04, which I tested, possibly poorly.