lucabrunox / nix-user-chroot

Run nix in a lightweight chroot container

Mention the need for user namespaces in the README #4

Closed KellerFuchs closed 8 years ago

KellerFuchs commented 8 years ago

Hi,

It would be less confusing for users if the requirements for successfully running nix-user-chroot were stated in the README file. In particular, it isn't stated that user namespace support is required, and many distros and shell providers do not support this due to the associated security issues.

matthewbauer commented 8 years ago

I believe all Linux versions since at least 3.8 support user namespaces. If you are a non-root user, you are in fact in a user namespace. The difference is whether "CAP_SYS_ADMIN" is set, which I would think is set unless you're inside of some sort of container.

KellerFuchs commented 8 years ago

@matthewbauer At least on Debian Jessie (even as of yesterday's point release), users do not have (by default) the right to create user namespaces:

% ./userns_child_exec -U
clone: Operation not permitted

(userns_child_exec is a demo program that attempts to create a namespace)

lucabrunox commented 8 years ago

@KellerFuchs confirming, wondering what Debian is doing to forbid user namespaces... the jessie kernel has USER_NS=y

KellerFuchs commented 8 years ago

Yes. As I said, the support is there, but it's disabled (for security reasons, given user namespaces' recent security history). Anyhow, thanks a lot for documenting that in the README.

lucabrunox commented 8 years ago

@KellerFuchs do you have any link about this Debian decision?

KellerFuchs commented 8 years ago

Not out of hand, sorry.

marvin2k commented 7 years ago

To allow nix-user-chroot to run on a recent Debian (kernel 4.8), do:

sudo sh -c "echo 1 > /proc/sys/kernel/unprivileged_userns_clone"

had this in my notes...
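The thread boils down to one host check: whether an unprivileged user can create a user namespace, and if not, why. The script below is an added example, not part of nix-user-chroot; it reads the Debian-specific knob quoted above, the upstream `/proc/sys/user/max_user_namespaces` limit (an assumption: it exists on kernels 4.9 and later), and tries `unshare -U` the way the demo program tried `clone`, then classifies the result so the failure mode is explained rather than just reported.

```sh
#!/bin/sh
# Added example (not project code): explain why nix-user-chroot can or
# cannot create a user namespace on this host.

# Pure classification so it can be exercised with constructed values.
# $1: /proc/sys/kernel/unprivileged_userns_clone content or "absent"
#     (Debian/Ubuntu-specific knob; upstream kernels do not have it)
# $2: /proc/sys/user/max_user_namespaces content or "absent"
# $3: exit status of a trial "unshare -U true" (0 = it worked)
classify_userns() {
  debian_knob=$1; max_ns=$2; trial=$3
  if [ "$trial" -eq 127 ]; then
    echo "unshare-not-found"          # util-linux missing, nothing learned
  elif [ "$trial" -eq 0 ]; then
    echo "enabled"                    # nix-user-chroot should run
  elif [ "$debian_knob" = "0" ]; then
    echo "disabled-by-debian-sysctl"  # the case described in this thread
  elif [ "$max_ns" = "0" ]; then
    echo "disabled-by-max_user_namespaces"
  else
    echo "disabled-unknown"           # e.g. seccomp/container policy, missing CAP
  fi
}

# Print a sysctl file's value, or "absent" when the kernel lacks it.
read_knob() {
  if [ -r "$1" ]; then cat "$1"; else echo absent; fi
}

# Probe the running host and print a one-line diagnosis.
probe_userns() {
  knob=$(read_knob /proc/sys/kernel/unprivileged_userns_clone)
  maxns=$(read_knob /proc/sys/user/max_user_namespaces)
  # Same request the demo program made: a new user namespace, no privileges.
  if unshare -U true 2>/dev/null; then rc=0; else rc=$?; fi
  state=$(classify_userns "$knob" "$maxns" "$rc")
  echo "unprivileged_userns_clone=$knob max_user_namespaces=$maxns unshare_rc=$rc => $state"
}

# Running stand-alone prints the diagnosis for this machine.
[ "${0##*/}" = "userns_check.sh" ] && probe_userns
```

A "disabled-by-debian-sysctl" result is exactly the situation the thread describes: the kernel was built with USER_NS=y, but Debian's extra sysctl keeps unprivileged creation off until an administrator flips it, accepting the larger kernel attack surface that comes with it.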

KellerFuchs commented 7 years ago

@marvin2k The issue is not “giving people a command to run to enable the feature”, but also explaining why it is a terrible idea, in many cases, to do so.

marvin2k commented 7 years ago

What is a terrible idea? Executing copy-n-paste snippets from the Internet? My hope was that by giving the command plus a link I could create pointers for others to further improve the situation ;-)

KellerFuchs commented 7 years ago

@marvin2k Enabling unprivileged user namespaces: the reason why they are disabled by default, in Debian at least, is that there have repeatedly been security issues with those (as in, “run 3 commands in your shell to become root”).

marvin2k commented 7 years ago

Ah, OK. The simplicity of nix-user-chroot stems from the power of user namespaces, so...?