From: Vagrant Cascadian
To: zimoun, Ludovic Courtès, Marius Bakke
Subject: Re: bug#45069: Guix System: unprivileged user cannot create user namespaces?
In-Reply-To: <86ft4h5xjz.fsf@gmail.com>
References: <20201204185537.qhapfbyaq7cr5lkr@thebird.nl> <4556420c9440a6c34df93213e3934176e214483f.camel@yasuaki.com> <86eek2an53.fsf@gmail.com> <87wnxtx1yx.fsf@ambrevar.xyz> <1f56aef4d7b707826f34413672408e33385bbc6a.camel@tourbillion-technology.com> <87tusxwncj.fsf@ambrevar.xyz> <86ft4h5xjz.fsf@gmail.com>
Date: Mon, 07 Dec 2020 09:55:31 -0800
Message-ID: <87eek1sdpo.fsf@yucca>
Cc: Guix Devel, 45069@debbugs.gnu.org, Paul Garlick, Jesse Dowell

On 2020-12-07, zimoun wrote:
> On Mon, 07 Dec 2020 at 18:13, Pierre Neidhardt wrote:
>
>>> Can you try, as root on Guix System:
>>>
>>> $ echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>>
>> # echo 1 > /proc/sys/kernel/unprivileged_userns_clone
>> -bash: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
>
> In gnu/build/linux-container.scm, it reads:
>
> --8<---------------cut here---------------start------------->8---
> (define (unprivileged-user-namespace-supported?)
>   "Return #t if user namespaces can be created by unprivileged users."
>   (let ((userns-file "/proc/sys/kernel/unprivileged_userns_clone"))
>     (if (file-exists? userns-file)
>         (eqv? #\1 (call-with-input-file userns-file read-char))
>         #t)))
> --8<---------------cut here---------------end--------------->8---
>
> Does it mean that the Linux kernel on Guix System does not support
> namespaces by unprivileged users?
> Turning #t to #f should work on Guix System and it appears to me a
> severe bug if not. What do I miss? Please could someone fill my gap? :-)

The /proc/sys/kernel/unprivileged_userns_clone file is specific to the
Debian- and Ubuntu-packaged Linux kernels; it is a patchset not applied
upstream, as far as I am aware. I'm not sure if other distros support
disabling and enabling this feature using this mechanism.
https://salsa.debian.org/kernel-team/linux/-/blob/master/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch

live well,
  vagrant
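The Scheme check quoted above assumes the Debian-only sysctl and defaults to "supported" when the file is absent, which is exactly the case on Guix System. The following is an added example, not code from this thread or from Guix: a C probe that reads the Debian knob if present, reads the upstream `/proc/sys/user/max_user_namespaces` limit (present in mainline kernels since 4.9, where 0 disables user namespaces), and then settles the question empirically by calling `unshare(CLONE_NEWUSER)` in a forked child so the calling process is never moved into a new namespace. The function names and the return-code convention (1 = enabled, 0 = disabled, -1 = unknown) are this example's own.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Parse the text of a boolean sysctl ("1\n", "0"): 1 = on, 0 = off, -1 = unparsable. */
static int parse_sysctl_flag(const char *contents)
{
    if (contents == NULL) return -1;
    if (contents[0] == '1' && (contents[1] == '\0' || contents[1] == '\n')) return 1;
    if (contents[0] == '0' && (contents[1] == '\0' || contents[1] == '\n')) return 0;
    return -1;
}

/* Read a small /proc file into buf; -1 if it does not exist or cannot be read. */
static int read_proc_file(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

/* Debian/Ubuntu-only knob; -1 means "not present on this kernel" (e.g. Guix System). */
static int debian_userns_sysctl(void)
{
    char buf[16];
    if (read_proc_file("/proc/sys/kernel/unprivileged_userns_clone", buf, sizeof buf) < 0)
        return -1;
    return parse_sysctl_flag(buf);
}

/* Upstream knob: 0 means user namespaces are disabled; -1 if the file is missing. */
static long max_user_namespaces(void)
{
    char buf[32];
    char *end;
    if (read_proc_file("/proc/sys/user/max_user_namespaces", buf, sizeof buf) < 0)
        return -1;
    long v = strtol(buf, &end, 10);
    return end == buf ? -1 : v;
}

/* Authoritative probe: attempt unshare(CLONE_NEWUSER) in a child so the parent
   is unaffected. 1 = the child could create a user namespace, 0 = it could not
   (EPERM, EINVAL, ENOSPC, ...), -1 = the probe itself failed to run. */
static int userns_probe(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : 1);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Verdict that does not default to "supported" just because the Debian knob is absent:
   an explicit "disabled" from either knob wins, otherwise the live probe decides. */
static int unprivileged_userns_supported(void)
{
    if (debian_userns_sysctl() == 0) return 0;   /* disabled on a Debian-style kernel */
    if (max_user_namespaces() == 0) return 0;    /* disabled via the upstream limit */
    int probe = userns_probe();
    return probe < 0 ? 0 : probe;                /* unknown is treated as unsupported */
}

int main(void)
{
    printf("debian sysctl:        %d\n", debian_userns_sysctl());
    printf("max_user_namespaces:  %ld\n", max_user_namespaces());
    printf("unshare probe:        %d\n", userns_probe());
    printf("verdict:              %d\n", unprivileged_userns_supported());
    return 0;
}
```

Run it as an unprivileged user: a process holding CAP_SYS_ADMIN can create user namespaces even when the Debian knob is 0, so a root run only tells you whether the kernel has the feature compiled in, not whether ordinary users can use it. The same applies inside container sandboxes, where a seccomp policy may make `unshare` fail with EPERM regardless of the kernel's own setting, which is why the verdict treats an unknown probe result as "not supported" rather than guessing.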