On Tue, 13 Aug 2024 at 13:01:45 +0200, Stéphane Glondu wrote:
> BTW, IIUC, it is possible with namespaces to give root privileges (or
> enough to install packages) to anybody inside a container. [1] could be a
> way, but it needs unprivileged user namespaces.
See also https://salsa.debian.org/debian/grow-your-ideas/-/issues/40 (sorry,
I have not had the time/energy to bring this up with the sysadmin team or
otherwise promote it).

unshare and rootless podman have essentially the same requirements: they use
the same parts of the Linux kernel.

> But I understood that DSA
> was reluctant to enable unprivileged user namespaces on Debian machines
> because of security concerns... Couldn't an exception be made for
> porterboxes? After all, these are dedicated to porting and nothing sensitive
> should be done there.

The security concern that I'm aware of is mentioned in the issue I linked,
but it's a trade-off: allowing rootless unshare/podman would make us
vulnerable to some kernel vulnerabilities that are currently mitigated by
disabling user namespaces, but conversely, setuid-root things like schroot
and having chroots containing setuid binaries owned by "real root" makes us
vulnerable to some attacks that rootless unshare/podman would protect us
from.

    smcv
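The trade-off in the message above has two measurable sides on a given host: whether unprivileged user namespaces are currently allowed, and how many setuid-root binaries a schroot-style chroot tree exposes. The following audit script is an added example for this thread, not code from any of the participants or from Debian's infrastructure. It assumes Debian's kernel-side `kernel.unprivileged_userns_clone` sysctl (absent on kernels without the Debian patch, which then follow the upstream behaviour of allowing user namespaces), the upstream `user.max_user_namespaces` limit, util-linux `unshare`, and a chroot directory taken from `CHROOT_DIR` with `/srv/chroot` as a placeholder default.

```shell
#!/bin/sh
# Added example: audit the two attack surfaces discussed in the thread on
# the local host. Not part of the original message or of any Debian tooling.

# Classify user-namespace policy from two sysctl values:
#   $1 = kernel.unprivileged_userns_clone (Debian patch; "" if the file is absent)
#   $2 = user.max_user_namespaces (upstream; 0 means nobody can create any)
userns_policy() {
    clone="$1"
    max="$2"
    if [ "$max" = 0 ]; then
        echo "disabled-by-max-user-namespaces"
        return 0
    fi
    case "$clone" in
        1)  echo "unprivileged-allowed" ;;
        0)  echo "root-only" ;;
        "") echo "upstream-default-allowed" ;;   # no Debian knob: upstream allows
        *)  echo "unknown" ;;
    esac
}

# Read the live sysctls (empty string if a file is missing) and classify.
host_userns_policy() {
    clone_file=/proc/sys/kernel/unprivileged_userns_clone
    max_file=/proc/sys/user/max_user_namespaces
    clone=""
    max=""
    [ -r "$clone_file" ] && clone=$(cat "$clone_file")
    [ -r "$max_file" ] && max=$(cat "$max_file")
    userns_policy "$clone" "$max"
}

# Empirical check: can this (unprivileged) user actually enter a new user
# namespace? Prints yes/no; "no" if util-linux unshare is not installed.
can_unshare_user() {
    if command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Count setuid-bit files under a directory, staying on one filesystem.
# In a chroot entered via setuid-root schroot, every such file runs as the
# host's real root, which is the other side of the trade-off.
count_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Report for the current host. CHROOT_DIR is a placeholder; adjust as needed.
chroot_dir="${CHROOT_DIR:-/srv/chroot}"
echo "user namespace policy : $(host_userns_policy)"
echo "unshare -U works here : $(can_unshare_user)"
echo "setuid files in $chroot_dir: $(count_setuid "$chroot_dir")"
```

The `userns_policy` function takes the sysctl values as arguments rather than reading them itself, so the classification can be checked against known inputs and reused over values collected from other machines (for example a fleet inventory of porterboxes) without running it on each host.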