#898446 got closed and the default of kernel.unprivileged_userns_clone changed to 1

Johannes 'josch' Schauer 2021-01-09 19:44:39 +01:00
parent 62bcf3261e
commit ea6bbc1d9c
Signed by: josch
GPG key ID: F2CBA5C78FBD83E1

@ -6109,9 +6109,10 @@ by the _apt user, then apt sandboxing will be automatically disabled.
This mode uses Linux user namespaces to allow unprivileged use of chroot and
creation of files that appear to be owned by the superuser inside the unshared
namespace. A tarball created in this mode should be bit-by-bit identical to a
tarball created with the B<root> mode. This mode requires the sysctl
C<kernel.unprivileged_userns_clone> being set to C<1>. B<SETTING THIS OPTION
HAS SECURITY IMPLICATIONS>. Refer to
tarball created with the B<root> mode. In Debian, this mode requires the sysctl
C<kernel.unprivileged_userns_clone> being set to C<1>. The default used to be
C<0> but was changed to C<1> with linux 5.10.1 or Debian 11 (Bullseye).
B<SETTING THIS OPTION TO 1 HAS SECURITY IMPLICATIONS>. Refer to
L<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898446>
A directory chroot created with this mode will end up with wrong ownership
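Review bot: The new sentence "was changed to C<1> with linux 5.10.1 or Debian 11 (Bullseye)" is ambiguous in two ways. The "or" does not say whether these are two independent triggers or two names for the same change, and since the paragraph now opens with "In Debian", it should say whether "linux 5.10.1" means the version of Debian's linux package. Suggest wording it as a single condition, for example "was changed to C<1> in Debian's linux package 5.10.1, which is part of Debian 11 (Bullseye)", if that is what is meant. Separately, the bold warning now directly follows the statement that C<1> is the default, so a Bullseye reader cannot tell whether action is expected of them. A half sentence saying the warning is mainly relevant when enabling the sysctl by hand on older releases, with the bug report as background, would make it clearer. Minor: the "Refer to L<...>" sentence has no terminating period before "A directory chroot created with this mode".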