TransWikia.com

Enable user namespaces in Debian kernel

Super User Asked by Senrabdet on February 15, 2021

I’m trying to figure out how to enable user namespaces capability in my kernel (I think CAP_SYS_USER_NS). I’m using Debian Stretch, kernel 4.6.0-1-amd64.

My assumption is there is a way to turn on user namespaces and recompile the kernel. After some hours searching, I can find a post of doing this in Ubuntu (https://blog.tutum.co/2013/12/14/enabling-the-user-namespace-in-ubuntu-13-10-saucy/) but not Debian (problem may be I’m on the wrong track and so my searches are off base).

My end game is to enable these in order to keep up with Docker and Google sandboxing which apparently require user namespaces to be enabled in the kernel (e.g., my Chrome containers no longer work).

One Answer

On Debian the ability to create or handle user namespaces from a non-privileged process (usually meaning non-root user) is disabled by default. There's a Debian-specific patch (from Ubuntu) to the kernel that adds the sysctl knob kernel.unprivileged_userns_clone (with a default value of 0 meaning disabled).

To enable it (until next reboot),

sudo sysctl -w kernel.unprivileged_userns_clone=1

For a permanent configuration, you can add a new entry in /etc/sysctl.d to enable the feature at boot:

echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf
service procps restart

This patch predates (by three years) the sysctl user.max_user_namespaces (initially userns.max_user_namespaces) which can be set to 0 to achieve the same result. It was probably kept around for (Debian) compatibility reasons: expecting the feature disabled by default.

From the initial commit message, it was created (in 2013) as a temporary measure when there were some doubts about the security implications related to using user namespaces:

add sysctl to disallow unprivileged CLONE_NEWUSER by default

This is a short-term patch. Unprivileged use of CLONE_NEWUSER is certainly an intended feature of user namespaces. However for at least saucy we want to make sure that, if any security issues are found, we have a fail-safe.

Answered by A.B on February 15, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP