It turns out that the Debian kernel is set up to disable unprivileged users 
from unsharing the user namespace by default. This can be worked around using:

sudo su -c 'echo 1 > /proc/sys/kernel/unprivileged_userns_clone'

So unsharing works on Debian provided that you are willing to fiddle with 
/proc/sys and/or wrap your commands in something to undo the toggle.

Perhaps it may be a good idea to patch util-linux to document this as part of 
unshare?


                                          

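A wrapper of the kind the message mentions, as an added example (not part of the original message or of util-linux): it enables the toggle, runs one command, and restores the previous value. The names with_userns, write_knob and the USERNS_KNOB override are hypothetical; the setting is system-wide, so every local user can create user namespaces while the wrapped command runs.

```shell
#!/bin/sh
# Added example: temporarily enable Debian's unprivileged_userns_clone
# toggle for the duration of one command, then restore the old value.
# USERNS_KNOB is a hypothetical override so the logic can be tried
# against a scratch file instead of the real /proc entry.
USERNS_KNOB="${USERNS_KNOB:-/proc/sys/kernel/unprivileged_userns_clone}"

# Write a value to the knob; fall back to sudo when it is not writable.
write_knob() {
    if [ -w "$USERNS_KNOB" ]; then
        printf '%s\n' "$1" > "$USERNS_KNOB"
    else
        printf '%s\n' "$1" | sudo tee "$USERNS_KNOB" > /dev/null
    fi
}

# Usage: with_userns command [args...]
with_userns() {
    if [ ! -e "$USERNS_KNOB" ]; then
        echo "with_userns: $USERNS_KNOB not present on this kernel" >&2
        return 2
    fi
    old=$(cat "$USERNS_KNOB") || return 2

    # Already enabled by the administrator: nothing to toggle or undo.
    if [ "$old" = 1 ]; then
        "$@"
        return $?
    fi

    (
        # Restore the previous value if the wrapper is interrupted.
        trap 'write_knob "$old"; exit 130' INT TERM HUP
        write_knob 1 || exit 2
        rc=0
        "$@" || rc=$?
        write_knob "$old"
        exit "$rc"
    )
}
```

For example, `with_userns unshare -U true` runs unshare as the calling user while only the two writes to the toggle go through sudo.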