Interesting, I haven't changed it and it is set setuid; exactly the same as yours.

$ ls -l /usr/bin/bwrap
-rwsr-xr-x 1 root root 59680 Nov 28 22:14 /usr/bin/bwrap

There's no oddness in my mounts; / is just a plain old ext4 and doesn't have suid or anything set

/dev/mapper/jj--vg-root / ext4 rw,relatime,errors=remount-ro 0 0

non-modified kernel

$ uname -a
Linux jj 5.4.0-4-amd64 #1 SMP Debian 5.4.19-1 (2020-02-13) x86_64 GNU/Linux

It's the clone that fails:

7836 stat("/proc/self/ns/cgroup", {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
7836 eventfd2(0, EFD_CLOEXEC) = 5
7836 clone(child_stack=NULL, flags=CLONE_NEWNS|CLONE_NEWCGROUP|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|SIGCHLD) = -1 EPERM (Operation not permitted)
7836 write(2, "bwrap: ", 7) = 7
7836 write(2, "No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.", 199 <unfinished ...>

On Thu, Mar 12, 2020 at 6:56 PM Simon McVittie <s...@debian.org> wrote:

> On Thu, 12 Mar 2020 at 17:14:12 +1100, Ian Wienand wrote:
> > 7836 write(2, "No permissions to creating new namespace, likely because the kernel does not allow non-privileged user namespaces. On e.g. debian this can be enabled with 'sysctl kernel.unprivileged_userns_clone=1'.", 199 <unfinished ...>
> > ---
> >
> > Setting kernel.unprivileged_userns_clone = 1 made thumbnails work again.
>
> Is /usr/bin/bwrap setuid root? If you haven't changed it, its permissions
> should be something like this:
>
> $ ls -l /usr/bin/bwrap
> -rwsr-xr-x 1 root root 59680 Nov 28 11:14 /usr/bin/bwrap
>
> It's meant to work on Debian kernels if it is setuid root *or*
> if the kernel.unprivileged_userns_clone sysctl is set to 1.
>
> smcv
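
Added example, not part of the thread or of bubblewrap: a shell check for the two conditions named in the quoted reply (setuid root, or kernel.unprivileged_userns_clone set to 1), plus the nosuid mount option ruled out above. The function names are hypothetical, and check_host assumes GNU stat and util-linux findmnt.

```shell
#!/bin/sh
# Checks the static preconditions discussed in the thread for bwrap on a
# Debian kernel. A passing verdict means the preconditions hold; it does
# not prove that clone() will succeed for a particular invocation.

# is_setuid_root OCTAL_MODE OWNER_UID
# True when the setuid bit (04000) is set and the owner is uid 0.
is_setuid_root() {
    m=$1
    u=$2
    [ "$u" = "0" ] && [ $(( 0$m & 04000 )) -ne 0 ]
}

# has_nosuid MOUNT_OPTIONS
# True when the comma-separated option list contains nosuid, which makes
# the kernel ignore the setuid bit on that filesystem.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# bwrap_verdict OCTAL_MODE OWNER_UID MOUNT_OPTIONS SYSCTL_VALUE
bwrap_verdict() {
    if is_setuid_root "$1" "$2" && ! has_nosuid "$3"; then
        echo "ok: setuid root"
    elif [ "$4" = "1" ]; then
        echo "ok: unprivileged user namespaces"
    else
        echo "blocked"
    fi
}

# check_host [PATH]: gather the four inputs from the running system.
check_host() {
    bin=${1:-/usr/bin/bwrap}
    mode=$(stat -c %a "$bin") || return 2
    owner=$(stat -c %u "$bin")
    opts=$(findmnt -no OPTIONS -T "$bin")
    # Debian-specific sysctl; a missing file is treated as "not enabled".
    val=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo absent)
    bwrap_verdict "$mode" "$owner" "$opts" "$val"
}

# Only touch the live system when asked to: sh thisfile.sh --host
if [ "${1:-}" = "--host" ]; then check_host; fi
```
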