From ea6bbc1d9c998e5585aaa0fd0a47ec6a912f1583 Mon Sep 17 00:00:00 2001 From: Johannes 'josch' Schauer Date: Sat, 9 Jan 2021 19:44:39 +0100 Subject: [PATCH] #898446 got closed and the default of kernel.unprivileged_userns_clone changed to 1 --- mmdebstrap | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/mmdebstrap b/mmdebstrap index f54645f..0f0d739 100755 --- a/mmdebstrap +++ b/mmdebstrap @@ -6109,9 +6109,10 @@ by the _apt user, then apt sandboxing will be automatically disabled. This mode uses Linux user namespaces to allow unprivileged use of chroot and creation of files that appear to be owned by the superuser inside the unshared namespace. A tarball created in this mode should be bit-by-bit identical to a -tarball created with the B mode. This mode requires the sysctl -C being set to C<1>. B. Refer to +tarball created with the B mode. In Debian, this mode requires the sysctl +C being set to C<1>. The default used to be +C<0> but was changed to C<1> with linux 5.10.1 or Debian 11 (Bullseye). +B. Refer to L A directory chroot created with this mode will end up with wrong ownership
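Review bot: The added sentence "was changed to C<1> with linux 5.10.1 or Debian 11 (Bullseye)" does not say whether "linux 5.10.1" is an upstream kernel release or the version of Debian's linux package. The same hunk scopes the requirement with "In Debian", so naming it as the Debian package version, and writing "and therefore Debian 11" instead of "or", would stop readers on other distributions from inferring an upstream change. The paragraph also now reads as if the requirement depends only on the release: consider adding that a host where kernel.unprivileged_userns_clone has been set back to 0, for example as a hardening measure, still cannot use this mode, and that the current value can be checked with sysctl before running.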