On Sat, Nov 17, 2018 at 11:15:28AM +0000, Simon McVittie wrote:
> On Fri, 16 Nov 2018 at 14:19:16 -0800, Josh Triplett wrote:
> > On Fri, 16 Nov 2018 10:20:07 +0100 Bastian Blank <wa...@debian.org> wrote:
> > > Debian does not support unprivileged user namespaces, so chromium needs
> > > to depend on -sandbox to get a working package.
> >
> > Should we, perhaps, support unprivileged user namespaces? Or, at least,
> > a means of granting targeted permission to use such namespaces without
> > being full root?
>
> We have this mode available. Sysadmins can select it with:
>
> sysctl -w kernel.unprivileged_userns_clone=1
>
> which leads to the same behaviour as upstream kernels, Fedora, and
> recent Ubuntu releases. (Or use /etc/sysctl.d to change this in a
> persistent way.)
>
> However, Debian's kernel maintainer has indicated that he doesn't consider
> this mechanism to be completely safe (I'm not sure to what extent this is
> still true), hence the current default. Setting up a user namespace gives
> you all capabilities in the namespace (including CAP_SYS_ADMIN, which is
> required if you want to protect part or all of the host system directory
> tree from the namespaced process by playing with mount namespaces and
> bind-mounts, like Flatpak does), so if you suspect the kernel still has
> flaws in which capabilities in non-init user namespaces can be abused
> to get privileged access to the overall system, you can't allow it.
I'm aware of this. And I'm not *necessarily* advocating a change to the
kernel to allow this by default. But perhaps chromium-sandbox could have
some lesser privilege (not full setuid root) that allows it to create an
unprivileged user namespace? bubblewrap and others could do the same.

> Sysadmins who have set kernel.unprivileged_userns_clone=1 can use
> dpkg-statoverride to make bwrap non-setuid, as it is on recent Ubuntu
> systems (the same compiled binary can work either way, since it detects
> which mode to work in at runtime).

We *might* also consider having a configuration package that drops an
unprivileged_userns_clone.conf file into /usr/lib/sysctl.d/, and letting
packages like chromium depend on unprivileged-userns-clone | chromium-sandbox.
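An added audit script for the administrator side of what is discussed above (example code, not from this thread or from the bubblewrap or Debian projects): it reads the sysctl, checks whether bwrap still carries the setuid bit and whether a sysctl.d drop-in makes the setting survive a reboot, then reports which of the combinations the host is in. The paths /proc/sys/kernel/unprivileged_userns_clone, /usr/bin/bwrap and /etc/sysctl.d, and the dpkg-statoverride invocation in the advice text, are assumptions rather than values taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit how a Debian host lets bwrap
# create user namespaces. Paths are parameters so fixtures can be tested.

# kernel.unprivileged_userns_clone from its /proc file ($1); prints ""
# when the key is absent (a kernel without the Debian-specific sysctl).
read_userns_sysctl() {
    [ -r "$1" ] && cat "$1" || echo ""
}
# Whether the bwrap binary at $1 still carries the setuid bit.
bwrap_suid_state() {
    [ -u "$1" ] && echo setuid || echo nosuid
}
# Whether a *.conf in sysctl.d directory $1 sets the key to 1 persistently.
userns_persistence() {
    grep -qs '^kernel\.unprivileged_userns_clone *= *1' "$1"/*.conf \
        && echo persist || echo volatile
}
# Classify the combination: $1 sysctl value, $2 setuid state, $3 persistence.
userns_mode() {
    case "$1:$2:$3" in
        1:setuid:*)        echo "userns-on,setuid-redundant" ;;
        1:nosuid:persist)  echo "userns-on,ok" ;;
        1:nosuid:volatile) echo "userns-on,not-persistent" ;;
        0:setuid:*)        echo "userns-off,setuid-required" ;;
        0:nosuid:*)        echo "userns-off,sandbox-broken" ;;
        *)                 echo "no-debian-sysctl" ;;
    esac
}
# Admin-facing advice for each classification; /usr/bin/bwrap is assumed.
explain() {
    case "$1" in
        userns-on,setuid-redundant) echo "userns enabled; setuid bwrap is redundant, drop it with: dpkg-statoverride --update --add root root 0755 /usr/bin/bwrap" ;;
        userns-on,not-persistent)   echo "userns enabled only until reboot; add a drop-in under /etc/sysctl.d" ;;
        userns-on,ok)               echo "userns enabled persistently; bwrap runs without setuid" ;;
        userns-off,setuid-required) echo "Debian default: sandboxes rely on the setuid-root bwrap" ;;
        userns-off,sandbox-broken)  echo "userns disabled and bwrap not setuid: sandboxes cannot start" ;;
        *)                          echo "kernel.unprivileged_userns_clone key absent: kernel lacks the Debian sysctl patch" ;;
    esac
}
main() {
    v=$(read_userns_sysctl /proc/sys/kernel/unprivileged_userns_clone)
    s=$(bwrap_suid_state /usr/bin/bwrap)
    p=$(userns_persistence /etc/sysctl.d)
    explain "$(userns_mode "$v" "$s" "$p")"
}
main "$@"
```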