Enable user namespaces in Debian kernel

Solution 1:

On Debian the ability to create or handle user namespaces from a non-privileged process (usually meaning non-root user) is disabled by default. There's a Debian-specific patch (from Ubuntu) to the kernel that adds the sysctl knob kernel.unprivileged_userns_clone (with a default value of 0 meaning disabled).

To enable it (until next reboot):

sudo sysctl -w kernel.unprivileged_userns_clone=1

For a permanent configuration, you can add a new entry in /etc/sysctl.d to enable the feature at boot:

echo 'kernel.unprivileged_userns_clone=1' | sudo tee /etc/sysctl.d/00-local-userns.conf
sudo service procps restart

This patch predates (by three years) the sysctl user.max_user_namespaces (initially userns.max_user_namespaces) which can be set to 0 to achieve the same result. It was probably kept around for (Debian) compatibility reasons: expecting the feature disabled by default.

From the initial commit message, it was created (in 2013) as a temporary measure when there were some doubts about the security implications related to using user namespaces:

add sysctl to disallow unprivileged CLONE_NEWUSER by default

This is a short-term patch. Unprivileged use of CLONE_NEWUSER is certainly an intended feature of user namespaces. However for at least saucy we want to make sure that, if any security issues are found, we have a fail-safe.
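
Because either of the two sysctls named in this answer can turn the feature off, checking the effective state means reading both. The script below is an added example, not part of the original answer; the function name userns_state and its optional directory argument (used to point it at a test copy of /proc/sys) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether unprivileged user namespaces are
# effectively enabled, based on the two sysctls discussed above.
# userns_state [DIR]  -- DIR defaults to /proc/sys (hypothetical helper).

userns_state() {
    root="${1:-/proc/sys}"
    knob="$root/kernel/unprivileged_userns_clone"
    limit="$root/user/max_user_namespaces"

    # Debian/Ubuntu-specific knob: the file is absent on kernels
    # that do not carry the patch.
    if [ -r "$knob" ]; then
        clone=$(cat "$knob")
    else
        clone="absent"
    fi

    # Later sysctl: 0 here achieves the same result as the knob being 0.
    if [ -r "$limit" ]; then
        max=$(cat "$limit")
    else
        max="absent"
    fi

    if [ "$clone" = "0" ]; then
        echo "disabled: kernel.unprivileged_userns_clone=0"
    elif [ "$max" = "0" ]; then
        echo "disabled: user.max_user_namespaces=0"
    elif [ "$max" = "absent" ]; then
        echo "unknown: user.max_user_namespaces not present"
    else
        echo "enabled: unprivileged_userns_clone=$clone max_user_namespaces=$max"
    fi
}

# Report the state of the running system.
userns_state
```

A result of "disabled" names the sysctl responsible, which shows which of the two settings has to change.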