32

I'm trying to figure out how to enable user namespaces capability in my kernel (I think CAP_SYS_USER_NS). I'm using Debian Stretch, kernel 4.6.0-1-amd64.

My assumption is there is a way to turn on user namespaces and recompile the kernel. After some hours searching, I can find a post of doing this in Ubuntu (https://blog.tutum.co/2013/12/14/enabling-the-user-namespace-in-ubuntu-13-10-saucy/) but not Debian (problem may be I'm on the wrong track and so my searches are off base).

My end game is to enable these in order to keep up with Docker and Google sandboxing which apparently require user namespaces to be enabled in the kernel (e.g., my Chrome containers no longer work).

A.B
Senrabdet

1 Answer

46

On Debian the ability to create or handle user namespaces from a non-privileged process (usually meaning non-root user) is disabled by default. There's a Debian-specific patch (from Ubuntu) to the kernel that adds the sysctl knob kernel.unprivileged_userns_clone (with a default value of 0 meaning disabled).

To enable it (until next reboot):

```
sudo sysctl -w kernel.unprivileged_userns_clone=1
```

For a permanent configuration, you can add a new entry in /etc/sysctl.d to enable the feature at boot:

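```
# Run as root: the redirection is performed by the calling shell,
# so prefixing only echo with sudo would not write the file.
echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf
# Reload the sysctl configuration files
service procps restart
```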

This patch predates (by three years) the sysctl user.max_user_namespaces (initially userns.max_user_namespaces) which can be set to 0 to achieve the same result. It was probably kept around for (Debian) compatibility reasons: expecting the feature disabled by default.

From the initial commit message, it was created (in 2013) as a temporary measure when there were some doubts about the security implications related to using user namespaces:

> add sysctl to disallow unprivileged CLONE_NEWUSER by default
>
> This is a short-term patch. Unprivileged use of CLONE_NEWUSER is certainly an intended feature of user namespaces. However for at least saucy we want to make sure that, if any security issues are found, we have a fail-safe.

Evan Carroll
A.B
  • 1
    This still works on Stretch, kernel `4.9.0-1-amd64 #1 SMP Debian 4.9.6-3 (2017-01-28) x86_64 GNU/Linux`. – Reid Mar 08 '17 at 18:16
  • 3
    Is there a reason why it's disabled by default in Debian? – Melroy van den Berg Mar 20 '18 at 13:56
  • 2
    Historically the security of user namespace was uncertain. eg: https://lwn.net/Articles/673597/ . If a user, as root inside her own namespace can trick the kernel into allowing an operation on the real host, there's privilege escalation. Usual non-user namespaces require explicit root (so admin) permission and so run what the admin chose: that's a known risk. A later mechanism was added in vanilla kernel: user.max_user_namespaces . When set to 0 user namespaces are disabled. The Debian (actually from Ubuntu) patch is still around, even if probably obsolete. Maybe for compatibility reasons – A.B Mar 20 '18 at 14:30
  • `/proc/sys/kernel/unprivileged_userns_clone` doesn't exist on my Debian testing/buster install. What kernel config does this require? I'm on kernel 4.18.3. – nnyby Aug 21 '18 at 23:54
  • 1
    Kernel 4.18.3 hasn't been released on Debian yet, so your kernel is not a Debian testing's kernel. You can ignore this parameter entirely (until you install an actual kernel from Debian). Also look at my previous comment about user.max_user_namespaces – A.B Aug 21 '18 at 23:57
  • I'm compiling my own kernel - that's why it's newer than Debian's release. Also, I found the kernel config option, it's called `CONFIG_USER_NS`. – nnyby Aug 22 '18 at 00:28
  • 1
    This fix works for manjaro/arch with kernel 4.14 – stalet Sep 14 '18 at 09:10
  • 1
    Indeed the same patch is applied by Manjaro ( https://gitlab.manjaro.org/packages/core/linux414/blob/master/0001-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by.patch ) – A.B Sep 14 '18 at 11:46
  • 5
    Or simply : `sudo sysctl -w kernel.unprivileged_userns_clone=1`. – Skippy le Grand Gourou Apr 19 '19 at 09:47
  • @SkippyleGrandGourou nice but where do you add this to as a default startup parameter. I'm running MX Linux. maybe I'd better check their docs – naim5am Aug 09 '19 at 23:00
  • 1
    @Slabo well... it's written in my answer ("permanent solution"). SkippyleGrandGourou wrote the equivalent command involved when the configuration file is read, which is better than echo (avoids shell problems with sudo) – A.B Aug 10 '19 at 08:26
  • 1
    As for ALT Linux distros (there, it's different from Debian), see https://unix.stackexchange.com/a/303214/4319 ; it's: `sysctl -w kernel.userns_restrict=0` – imz -- Ivan Zakharyaschev Oct 23 '19 at 22:12
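
A read-only check of the three settings discussed in the answer and comments above (CONFIG_USER_NS, kernel.unprivileged_userns_clone and user.max_user_namespaces), as an added example that is not part of the original posts. The function name `userns_status` and its verdict strings are made up for illustration, and the proc-root argument exists only so the logic can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether unprivileged
# user namespaces are usable, and which setting is responsible if not.
# userns_status and its verdict strings are hypothetical names.
userns_status() {
    proc_root=${1:-/proc}
    clone_knob=$proc_root/sys/kernel/unprivileged_userns_clone
    max_knob=$proc_root/sys/user/max_user_namespaces

    # The ns/user entry only exists on kernels built with CONFIG_USER_NS.
    if [ ! -e "$proc_root/self/ns/user" ] && [ ! -L "$proc_root/self/ns/user" ]; then
        echo "unsupported"
        return 0
    fi

    # Mainline limit: a value of 0 disables user namespaces altogether.
    if [ -r "$max_knob" ] && [ "$(cat "$max_knob")" = "0" ]; then
        echo "disabled-by-max-user-namespaces"
        return 0
    fi

    # Distribution patch knob (Debian/Ubuntu, also Manjaro per the comments).
    if [ -r "$clone_knob" ]; then
        if [ "$(cat "$clone_knob")" = "0" ]; then
            echo "unprivileged-disabled"
        else
            echo "unprivileged-enabled"
        fi
        return 0
    fi

    # Knob absent: this kernel does not carry the patch, so only the mainline
    # limit applies. Other distribution knobs (such as ALT's
    # kernel.userns_restrict) are not checked here.
    echo "enabled-no-distro-knob"
}

# Report on the running system.
userns_status /proc
```

Running it before and after the `sysctl -w` change shows whether the Debian knob was the setting that blocked unprivileged use, or whether the kernel lacks support entirely.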