[2023-10-08 19:33:52+0000] Xavier B.:
>As [StackExchange](https://security.stackexchange.com/questions/209529/what-does-enabling-kernel-unprivileged-userns-clone-do) explains it could enable several vulnerabilities.
>
>Can you modify the code in order to run without enable it? Can bwrap run without suid-root?
The annoying thing is, as far as I know, not having the ability to have namespaces created by users means the inability to properly sandbox webkit's web-processes, so instead of having "maybe they can escape the sandbox" it would effectively be "there is no sandbox".
And in my opinion the right thing the Debian patch should have done isn't a toggle via sysctl but via fcaps (like how CAP_SYS_CHROOT is a thing), which would specifically allow bwrap to use user-namespaces without the worse thing of becoming suid-root or in practice having to disable Debian's "security" patch.
Mmm... thanks a lot for your explanations. The CAP_SYS_CHROOT alternative sounds good to me.
I use artix with openrc. Do you know if I can do such a thing in that distro?
Thanks in advance,
Xavier
On Mon, 9 Oct 2023 21:10:41 +0200
"Haelwenn (lanodan) Monnier" <contact+sr.ht@hacktivis.me> wrote:
> [2023-10-08 19:33:52+0000] Xavier B.:
> >As [StackExchange](https://security.stackexchange.com/questions/209529/what-does-enabling-kernel-unprivileged-userns-clone-do) explains it could enable several vulnerabilities.
> >
> >Can you modify the code in order to run without enable it? Can bwrap run without suid-root?
>
> The annoying thing is, as far as I know, not having the ability to have namespaces created by users means the inability to properly sandbox webkit's web-processes, so instead of having "maybe they can escape the sandbox" it would effectively be "there is no sandbox".
>
> And in my opinion the right thing the Debian patch should have done isn't a toggle via sysctl but via fcaps (like how CAP_SYS_CHROOT is a thing), which would specifically allow bwrap to use user-namespaces without the worse thing of becoming suid-root or in practice having to disable Debian's "security" patch.
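The thread above contrasts two ways bwrap can end up with a working sandbox today: unprivileged user namespaces allowed by the kernel, or a setuid-root bwrap binary. The following script is an added example, not code from the thread or from the bubblewrap project; it reports which of those two models a host is relying on (the fcaps variant proposed above is left out because the kernel does not expose it). It assumes Debian's toggle is readable at /proc/sys/kernel/unprivileged_userns_clone and that, on kernels without that patch, the upstream user.max_user_namespaces limit is the relevant knob; file paths are parameters so the checks can be exercised on fixtures.

```shell
#!/bin/sh
# Added example: classify how bwrap gets to create namespaces on this host.
# Paths are passed in so the functions can be tested against fixture files.

# userns_policy SYSCTL_FILE MAX_NS_FILE -> prints: enabled | disabled | unknown
userns_policy() {
    if [ -r "$1" ]; then
        # Debian patch semantics (assumed): 0 = only root may create user
        # namespaces, 1 = any user may
        case "$(cat "$1")" in
            1) echo enabled ;;
            0) echo disabled ;;
            *) echo unknown ;;
        esac
    elif [ -r "$2" ]; then
        # Upstream kernel: a limit of 0 disables user namespace creation
        if [ "$(cat "$2")" -gt 0 ] 2>/dev/null; then echo enabled; else echo disabled; fi
    else
        echo unknown
    fi
}

# is_setuid FILE -> exit status 0 when the setuid bit is set on FILE
is_setuid() {
    [ -u "$1" ]
}

# bwrap_model BWRAP_PATH SYSCTL_FILE MAX_NS_FILE -> prints one of:
#   setuid : bwrap is setuid-root, so it works regardless of the sysctl
#   userns : bwrap is unprivileged and relies on user namespaces being allowed
#   none   : neither holds; bwrap cannot build its sandbox ("there is no sandbox")
bwrap_model() {
    if is_setuid "$1"; then
        echo setuid
    elif [ "$(userns_policy "$2" "$3")" = enabled ]; then
        echo userns
    else
        echo none
    fi
}

# Report on the live host when run directly.
main() {
    bw=$(command -v bwrap 2>/dev/null || echo /usr/bin/bwrap)
    printf 'bwrap: %s\nsandbox model: %s\n' "$bw" \
        "$(bwrap_model "$bw" /proc/sys/kernel/unprivileged_userns_clone /proc/sys/user/max_user_namespaces)"
}
main "$@"
```

A result of "none" is the state the thread warns about: bwrap will fail to set up namespaces rather than fall back to a weaker sandbox.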