[Pkg-utopia-maintainers] Bug#823535: requires manual setup to get required capabilities

Simon McVittie smcv at debian.org
Thu May 5 19:41:17 UTC 2016


Control: retitle 823535 requires manual setup to get required capabilities

On Thu, 05 May 2016 at 21:17:35 +0200, antistress wrote:
> No permissions to creating new namespace, likely because the kernel does not
> allow non-privileged user namespaces. On e.g. debian this can be enabled
> with 'sysctl kernel.unprivileged_userns_clone=1'."
> 
> Then I had to manually key "sysctl kernel.unprivileged_userns_clone=1"

See xdg-app's README.Debian for other possible solutions to getting the
required privileges. I should probably patch this message to point
users to the README.Debian instead of giving a specific command.

> I don't think that user should be bothered with that.

No, they shouldn't, but none of the possible solutions is unambiguously
correct: they all lead to additional security exposure. This is one of
the reasons why xdg-app is only available in the experimental suite
at the moment.

If you are not able to make informed decisions about the security
implications of code that you run as root, I would recommend not using
packages from experimental. xdg-app would be in unstable if I thought
it was ready; right now, it isn't.

I'm hoping that bubblewrap, which was recently spun out from xdg-app
(<https://blogs.gnome.org/alexl/2016/04/29/using-bubblewrap-in-xdg-app/>),
will improve on this by being a self-contained and easy-to-audit version
of the part of xdg-app that requires privileges (and in fact I was just
about to file the ITP for it).

(bubblewrap is very similar to the solution involving making
/usr/bin/xdg-app-helper setuid root.)

    S
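
The following is an added example, not part of the original message and not code from xdg-app or its README.Debian. It reports which of the two mechanisms named in this thread (the Debian-specific kernel.unprivileged_userns_clone sysctl, or a setuid /usr/bin/xdg-app-helper) is active on a host, so an administrator can see which exposure has been accepted. The function names are hypothetical, and the paths are parameters so the checks can be run against constructed files.

```shell
#!/bin/sh
# Added example: audit the two privilege mechanisms discussed in this thread.
# Function names are hypothetical; default paths are the ones named above.

# State of the Debian-specific sysctl: enabled | disabled | absent | unknown.
# "absent" is expected on kernels without Debian's patch.
userns_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# State of the helper binary: setuid | plain | missing.
helper_state() {
    h=${1:-/usr/bin/xdg-app-helper}
    [ -e "$h" ] || { echo missing; return 0; }
    if [ -u "$h" ]; then echo setuid; else echo plain; fi
}

# One line per mechanism, naming what it exposes to local users.
# Returns 0 if at least one mechanism is active, 1 otherwise.
exposure_report() {
    u=$(userns_state "$1")
    s=$(helper_state "$2")
    case "$u" in
        enabled) echo "userns=enabled: every local user can create user namespaces" ;;
        *)       echo "userns=$u: namespace creation not enabled via this sysctl" ;;
    esac
    case "$s" in
        setuid) echo "helper=setuid: helper runs with its owner's privileges for every local user" ;;
        *)      echo "helper=$s: helper gains no privileges from a setuid bit" ;;
    esac
    # File capabilities, if used instead, are not checked here.
    [ "$u" = enabled ] || [ "$s" = setuid ]
}

exposure_report "$@" || echo "neither mechanism detected"
```

Run without arguments to check the live host, or pass a sysctl file and a helper path as the two arguments.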


