Hi, On Wed, Aug 13, 2014 at 06:44:39PM +0200, Thomas Bächler wrote: > Am 13.08.2014 um 17:29 schrieb Damjan Georgievski: > > On 13 August 2014 17:26, Damjan Georgievski <gdamjan@xxxxxxxxx> wrote: > >> yey > >> thanks for CONFIG_USER_NS=y > > > > ahh no, I'm stupid. > > Checked it on another machine and got excited before hand > > :/ > > > > anyway. is there a reason this is not enabled now? > > all the mainstream distros hae it enabled now Fedora, RHEL/CentOS 7, > > Ubuntu and Debian (at least on the backported kernel) > > I'd think about it, if the feature wasn't entirely useless. Despite the > lack of official documentation, I found a document that described how it > worked. After reading that document I concluded that the feature is a > huge potential security risk with no actual benefit. Interestinig. Could you please provide a link? > > If you give me a valid use case for USER_NS, I might reconsider, but > every use case I can imagine is crushed by the limitations of the > implementation. As you know, user_ns is a necesary prerequisite for unpriviileged containers: https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/ . AFAIU, currently only Ubuntu 14.04 supports those. However, I agree with you that CONFIG_USER_NS is better left disabled in -ARCH kernels. After all, people using containers should be able to compile a custom kernel... Thanks, -- Leonid Isaev GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4 C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
Attachment:
pgpv7G3ZmggDr.pgp
Description: PGP signature