How safe is it to enable unprivileged user namespace: unprivileged_userns_clone

Asked Jun 10 '19 at 11:25

Active Jul 29 '19 at 21:48

Viewed 1,743 times

Linux user namespaces are special, as they play the role of the owner of the other namespaces.

Distributions (Debian, Ubuntu, Arch, ...) seem to ship with unprivileged user namespaces disabled.

For example, when podman is run as non-root user and unprivileged user namespaces are disabled, one gets a notice like this:

user namespaces are not enabled in /proc/sys/kernel/unprivileged_userns_clone

It is easy to enable unprivileged user namespaces.

In which context it would be safe to enable them?

edited Jul 29 '19 at 21:48

asked Jun 10 '19 at 11:25

miku

Your premise disagrees with my Ubuntu 18.04 installation. `$ cat /proc/sys/kernel/unprivileged_userns_clone 1 `. I can create a user namespace: `$ unshare -Ur #` – domen Jun 10 '19 at 15:27
Confirmed, it seems the defaults have changes [over time](https://unix.stackexchange.com/a/303214/376). – miku Jun 10 '19 at 18:52
1

Very unsafe... Unprivileged userns is a boon for exploits. – forest Jul 30 '19 at 01:09

0 Answers0