Yves-Alexis Perez <cor...@debian.org> writes:

> Yes but once a user namespace has been created (by root or a simple user),
> anyone in that namespace can in turn create new user namespaces.

Ah, I'd missed that. :-/

> I'm unsure what you mean here. Overriding it is as simple as adding a
> /etc/sysctl.d/10-hardening-override.conf with user.max_user_namespace=1 (or 2,
> 3 etc.). You don't have to provide anything else or copy any other setting
> from /usr/lib/sysctl.d/10-hardening.conf

This point is, as noted, just a minor technicality.  To clarify, though,
the original default appears to be a non-round machine-dependent number
that might plausibly vary across reboots, and 10-hardening.conf is under
/usr and therefore inappropriate to edit.  As such, combining the two
would require either copying 10-hardening.conf to /etc/sysctl.d/ under
its original name, editing the copy, and keeping it in sync with
(historically infrequent) changes to the original, or else propagating
the original default to /etc/sysctl.conf or some non-shadowing file
under /etc/sysctl.d and somehow keeping that file up to date.

That said, I appreciate the merits of keeping 10-hardening.conf under
/usr, and agree that there's no need for the limit to be so high anyway,
so it may be just as well that it's not so easy to reinstate fully.

> Actually no, it's not. kernel.unprivileged_userns_clone comes from a Debian
> specific patch which is not mainline:

Never mind, then.

-- 
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
http://www.mit.edu/~amu/ | http://stuff.mit.edu/cgi/finger/?a...@monk.mit.edu
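An added example, not code from either correspondent, for the shadowing versus non-shadowing distinction discussed in the message above: it resolves a sysctl key across sysctl.d-style directories using the two rules those directories follow (an earlier directory's file hides a same-named file in a later one; surviving files are applied in byte-wise basename order, last writer wins). The directories, file contents and the override file name 20-local-override.conf are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the effective value of a
# sysctl key as sysctl.d processing would, so the effect of a same-named
# copy in /etc/sysctl.d versus a separate override file can be checked
# offline. Directory and file names below are constructed stand-ins.

# effective_sysctl KEY DIR...   (directories listed highest-precedence first)
effective_sysctl() {
    key=$1; shift
    seen=" "; list=""
    for dir in "$@"; do
        for f in "$dir"/*.conf; do
            [ -e "$f" ] || continue
            name=${f##*/}
            case "$seen" in *" $name "*) continue ;; esac   # shadowed by earlier dir
            seen="$seen$name "
            list="$list$name $f
"
        done
    done
    value=""
    # Apply surviving files in byte-wise basename order; a later file that
    # sets the key overrides an earlier one, so an override must sort after.
    while read -r _name path; do
        [ -n "$path" ] || continue
        v=$(awk -F= -v k="$key" '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
            $1 == k { sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); last = $2 }
            END { if (last != "") print last }' "$path")
        [ -n "$v" ] && value=$v
    done <<EOF
$(printf '%s' "$list" | LC_ALL=C sort -k1,1)
EOF
    printf '%s\n' "$value"
}

demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr-lib" "$t/etc"
    # Constructed stand-in for the distribution file under /usr/lib/sysctl.d.
    printf 'kernel.kptr_restrict = 2\nuser.max_user_namespaces = 31876\n' > "$t/usr-lib/10-hardening.conf"
    # Non-shadowing override: only the one key, in a name sorting after 10-hardening.conf.
    printf 'user.max_user_namespaces = 2\n' > "$t/etc/20-local-override.conf"
    effective_sysctl user.max_user_namespaces "$t/etc" "$t/usr-lib"   # 2
    effective_sysctl kernel.kptr_restrict     "$t/etc" "$t/usr-lib"   # 2 (still applied)
    rm -r "$t"
}
demo
```

Copying 10-hardening.conf into the /etc directory under its own name makes the /usr-lib copy disappear entirely, which is the maintenance burden the message describes; the separate override file leaves the other keys in force.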
