Security Implications for User namespaces #425
Labels
information_old
(Deprecated; use "doc-todo" or "needinfo" instead) Information was/is required
Comments
netblue30
added
the
information_old
|
User namespace is more like a baseball bat. Imperfect, with its own problems, but works very well in some cases. Firejail has support to disable various sandboxing features the user might find undesirable. You can do it at compile time (./configure --help) or at run time (man firejail-config). You can disable user namespaces, chroot, and a number of other features. So far I've heard complains about user namespace and networking. |
|
FWIW, user namespaces are not supported by Arch Linux, either, because of security considerations. |
|
Ah OK. You're aware of this topic: and discussed implications: #9 (comment) I'll search harder next time :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
User namespaces are described as a particularly risky kernel feature that has allowed privilege escalation in the past. I think its useful to keep around but its probably best avoided in supported profiles.
subgraph/oz#11
The text was updated successfully, but these errors were encountered: