
My Linux kernel must have been configured with user_namespaces when built, but their use is restricted after boot and has to be explicitly enabled. Which sysctl should I use?

(If this were turned on, it would allow running an isolation command like unshare --user --map-root-user --mount-proc --pid --fork and then performing a chroot without being root, a much anticipated feature of Linux.)

1 Answer


Debian-based Linux

Debian (and hence probably Ubuntu, too) has been known to ship a kernel with such a restriction on user_namespaces, and there the way to enable it was/is:

sysctl -w kernel.unprivileged_userns_clone=1

(Source: https://blog.mister-muffin.de/2015/10/25/unshare-without-superuser-privileges/.)

Since kernel 5.10 (Debian 11/bullseye), Debian enables unprivileged user namespaces by default; if you find they're still disabled, also check the sysctl user.max_user_namespaces (which, unlike kernel.unprivileged_userns_clone, is not Debian-specific).

ALT-Linux Specific

ALT has such a restriction in kernel-image-std-def, too. Unlike on Debian, it's called kernel.userns_restrict.

Normally, it is 1 (i.e., "restricted"):

$ cat /proc/sys/kernel/userns_restrict
1

To enable this, echo 0 > /proc/sys/kernel/userns_restrict (or use sysctl as above, of course).
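As an added example (not part of the original answer), the following POSIX shell script pulls the answer's two distribution-specific knobs and the mainline user.max_user_namespaces limit together: it reports which knob this kernel exposes, decides whether unprivileged user namespaces are allowed, and then tries the unshare --user --map-root-user invocation from the question to confirm. The sysctl root is a parameter (defaulting to /proc/sys) purely so the decision logic can be exercised against a constructed directory tree; the function names read_knob, userns_status, userns_enabled and try_unshare are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original answer: find out which knob governs
# unprivileged user namespaces on this machine and whether they are usable.
# The sysctl root is an optional argument (default /proc/sys) so the decision
# logic can also be run against a constructed directory tree.

# Print the whitespace-trimmed contents of "$1/$2" if that sysctl file exists,
# print nothing (and still succeed) if it does not.
read_knob() {
    if [ -r "$1/$2" ]; then
        tr -d '[:space:]' < "$1/$2"
    fi
}

# Print "<knob(s)> <enabled|disabled>" for the sysctl tree rooted at $1.
# Always returns 0; use userns_enabled when you want a yes/no exit status.
userns_status() {
    root="${1:-/proc/sys}"
    clone=$(read_knob "$root" kernel/unprivileged_userns_clone)  # Debian/Ubuntu patch
    restrict=$(read_knob "$root" kernel/userns_restrict)         # ALT Linux patch
    maxns=$(read_knob "$root" user/max_user_namespaces)          # mainline, 4.9+

    if [ -n "$clone" ]; then
        # Debian semantics: 1 means unprivileged clone(CLONE_NEWUSER) is allowed
        knob="kernel.unprivileged_userns_clone=$clone"
        if [ "$clone" = 1 ]; then state=enabled; else state=disabled; fi
    elif [ -n "$restrict" ]; then
        # ALT semantics are inverted: 0 means "not restricted"
        knob="kernel.userns_restrict=$restrict"
        if [ "$restrict" = 0 ]; then state=enabled; else state=disabled; fi
    else
        # No distribution switch at all: a mainline kernel allows it by default
        knob="no-distro-knob"
        state=enabled
    fi
    # Whatever the distro switch says, a zero user.max_user_namespaces means
    # no user namespace can be created at all.
    if [ "$maxns" = 0 ]; then
        knob="$knob,user.max_user_namespaces=0"
        state=disabled
    fi
    echo "$knob $state"
}

# Exit status 0 when unprivileged user namespaces are allowed under root $1.
userns_enabled() {
    case "$(userns_status "$1")" in
        *" enabled") return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: does an unprivileged unshare really get uid 0 inside the new
# user namespace? Returns 2 when util-linux unshare is not installed.
try_unshare() {
    command -v unshare >/dev/null 2>&1 || return 2
    [ "$(unshare --user --map-root-user id -u 2>/dev/null)" = 0 ]
}

# Report on the running kernel.
echo "sysctl state: $(userns_status)"
if try_unshare; then
    echo "unshare --user --map-root-user works: uid 0 inside the new user namespace"
else
    echo "unshare --user --map-root-user failed (or unshare is missing); see the knob printed above"
fi
```

The script only reads the knobs; flipping them is the sysctl -w (or echo into /proc/sys) shown in the answer and needs root. Note the inverted sense of the two distribution switches: Debian's knob is enabled at 1, ALT's at 0, which is exactly the kind of detail a one-line "is it on?" check gets wrong.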