[Pkg-utopia-maintainers] Bug#977841: bubblewrap: needs transition to non-setuid to accompany linux/5.10.x
Moritz Mühlenhoff
jmm at inutil.org
Sat Dec 26 18:43:22 GMT 2020
Am Mon, Dec 21, 2020 at 06:55:36PM +0000 schrieb Simon McVittie:
> Package: bubblewrap
> Version: 0.4.1-1
> Severity: important
> Tags: security
> X-Debbugs-Cc: debian-kernel at lists.debian.org, team at security.debian.org
> The simplest and most robust thing would be for bubblewrap to depend on
> procps, and ship a file /usr/lib/sysctl.d/50-bubblewrap.conf containing:
>
> kernel.unprivileged_userns_clone=1
Why is this needed, given that anyone running a default bullseye kernel will have
that setting by default? Is this for the upgrade case before someone has rebooted
into the new kernel?
I would keep it simple: Make bubblewrap unconditionally depend on
unprivileged_userns_clone=1 and bail out with an error message if that's not the case.
There's a fair number of non-server use cases where it makes sense to disable
unprivileged user namespaces, but it seems like a fair tradeoff for bubblewrap
to simply depend on them being available.
Cheers,
Moritz
More information about the Pkg-utopia-maintainers
mailing list