[arch-general] user namespaces
Leonid Isaev
leonid.isaev at jila.colorado.edu
Wed Feb 1 20:16:12 UTC 2017
On Wed, Feb 01, 2017 at 07:51:49PM +0100, sivmu wrote:
> The people responsible for linux distributions like debian, red hat and
> pretty much all other distros, as well as many developers of sandboxing
> applications including the tails and chromium people all believe this
> feature is a useful tool to provide unprivileged sandbox applications
> worth the risk.
But you see, sandboxing apps is by itself is a misleading security feature. Why
do I need to sandbox my browser if it is written properly and allows me to
disable the unnecessary (for me) features?
In the end, every sandbox uses DAC protection, no? And I already proposed a
sandbox which is far better than firejail or the one used in chrome, and
doesn't use userns.
>
> Without any real prove of the claims you made in your post, it seems you
> rather have a personal grudge against this feature while at the same
> time saying you know better then all these people.
> Sorry but that is pretty rich.
The issue is this: either enable userns fully, i.e. unprivileged users are
able to create user namespaecs, or don't enable them at all. The way Fedora
does things, for example, is worse that the latter (of course, if you used
Fedora you know that it sucks in general).
> Don’t get me wrong I would love to discuss with you about this all day
> long but I would like to ask you to reconsider your tone, as you sound
> incredibly arrogant when you put yourself above all those voices/people
> without providing real prove for your arguments.
So, why don't you just build your own kernel? It takes only 20 mins...
Cheers,
--
Leonid Isaev
More information about the arch-general
mailing list