On Thu, 2020-05-07 at 12:13 -0400, Aaron M. Ucko wrote:
> Yves-Alexis Perez <cor...@debian.org> writes:
>
> > Yes but once a user namespace has been created (by root or a simple user),
> > anyone on that namespace can in turn create new user namespaces.
>
> Ah, I'd missed that. :-/
>
> > I'm unsure what you mean here. Overriding it is as simple as adding a
> > /etc/sysctl.d/10-hardening-override.conf with user.max_user_namespace=1 (or 2,
> > 3 etc.). You don't have to provide anything else or copy any other setting
> > from /usr/lib/sysctl.d/10-hardening.conf
>
> This point is, as noted, just a minor technicality. To clarify, though,
> the original default appears to be a non-round machine-dependent number
> that might plausibly vary across reboots, and 10-hardening.conf is under
> /usr and therefore inappropriate to edit. As such, combining the two
> would require either copying 10-hardening.conf to /etc/sysctl.d/ under
> its original name, editing the copy, and keeping it in sync with
> (historically infrequent) changes to the original, or else propagating
> the original default to /etc/sysctl.conf or some non-shadowing file
> under /etc/sysctl.d and somehow keeping that file up to date.

I think one of us missed something. I'm unsure what you mean about
"non-round machine-dependent number". You're free to use whatever version
works for you, and for that you only need to put it in a sysctl file in
/etc/sysctl.d like any other sysctl configuration. /etc overrides /usr so
the local administrator can do whatever she wants. No need to keep anything
up to date or in sync.

Regards,
-- 
Yves-Alexis
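The /etc-overrides-/usr precedence the thread relies on, checked with an added shell example (not code from the thread or from Debian): it applies the rules documented in sysctl.d(5) (a file in /etc shadows a same-named file in /usr/lib, the surviving files are applied in lexical order, and for one key the last file wins) to a constructed sample tree. The kernel's key is user.max_user_namespaces; the file names, values and the temporary tree are constructed for the demonstration.

```shell
#!/bin/sh
# Resolve the effective value of one sysctl key from a set of sysctl.d
# directories, following the precedence rules documented in sysctl.d(5):
#   1. a file in an earlier (higher-precedence) directory shadows any file with
#      the same basename in a later directory, so /etc beats /usr/lib;
#   2. the surviving files are applied in C-locale lexical order of basename;
#   3. for one key, the last file applied wins.
# Usage: effective_sysctl KEY DIR...   (DIRs in precedence order, /etc first)
# Assumes paths contain no whitespace and keys use the dotted form.
effective_sysctl() {
    key=$1; shift
    key_re=$(printf '%s' "$key" | sed 's/[.]/\\./g')   # escape dots for sed
    files=$(
        for dir in "$@"; do
            for f in "$dir"/*.conf; do
                if [ -f "$f" ]; then printf '%s\t%s\n' "${f##*/}" "$f"; fi
            done
        done | LC_ALL=C sort -s -k1,1 | awk -F'\t' '!seen[$1]++ { print $2 }'
    )
    value=""
    for f in $files; do
        v=$(sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s\n' "$value"
}

# Constructed sample tree, not a real system: a packaged default under usr/lib
# and a separate local override under etc, as the thread describes.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    printf 'user.max_user_namespaces = 0\nkernel.kptr_restrict = 1\n' \
        > "$root/usr/lib/sysctl.d/10-hardening.conf"
    printf 'user.max_user_namespaces = 1\n' > "$root/etc/sysctl.d/99-local-override.conf"
    printf '%s\n' "$root"
}

root=$(make_sample_tree)
dirs="$root/etc/sysctl.d $root/usr/lib/sysctl.d"
effective_sysctl user.max_user_namespaces $dirs   # 1: the /etc file wins
effective_sysctl kernel.kptr_restrict $dirs       # 1: untouched default still applies
# Name matters: an override that sorts before 10-hardening.conf is applied
# first and is then overwritten by the packaged default.
printf 'user.max_user_namespaces = 2\n' > "$root/etc/sysctl.d/05-too-early.conf"
rm "$root/etc/sysctl.d/99-local-override.conf"
effective_sysctl user.max_user_namespaces $dirs   # 0: 05-too-early.conf loses
```

The last call is the check worth keeping in mind when naming a local override: it must sort lexically after the packaged file it is meant to override, otherwise the packaged value is applied last.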