Hi, On Wed, Aug 13, 2014 at 06:44:39PM +0200, Thomas Bächler wrote:
Am 13.08.2014 um 17:29 schrieb Damjan Georgievski:
On 13 August 2014 17:26, Damjan Georgievski <gdamjan@gmail.com> wrote:
yey thanks for CONFIG_USER_NS=y
ahh no, I'm stupid. Checked it on another machine and got excited before hand :/
anyway. is there a reason this is not enabled now? all the mainstream distros hae it enabled now Fedora, RHEL/CentOS 7, Ubuntu and Debian (at least on the backported kernel)
I'd think about it, if the feature wasn't entirely useless. Despite the lack of official documentation, I found a document that described how it worked. After reading that document I concluded that the feature is a huge potential security risk with no actual benefit.
Interestinig. Could you please provide a link?
If you give me a valid use case for USER_NS, I might reconsider, but every use case I can imagine is crushed by the limitations of the implementation.
As you know, user_ns is a necesary prerequisite for unpriviileged containers: https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/ . AFAIU, currently only Ubuntu 14.04 supports those. However, I agree with you that CONFIG_USER_NS is better left disabled in -ARCH kernels. After all, people using containers should be able to compile a custom kernel... Thanks, -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D