On October 12, 2023, Canonical will be releasing Ubuntu 23.10. This new version of Ubuntu Linux is already looking good. One new security feature, however, hasn’t gotten much attention: restricted unprivileged user namespaces. It should. This has the potential to significantly improve Linux desktop and container security.
But, what are “restricted unprivileged user namespaces,” you ask? Well, let me start by explaining what “unprivileged user namespaces” are. They’re a Linux kernel feature that was introduced in the Linux 3.8 kernel in 2019. The idea was to avoid the security problem caused by the Linux permission privilege model, which divides users into two groups: Normal users and superusers, aka root users. The problem is that when acting as a superuser, there’s nothing you can’t do. Burn the system to the ground? Sure! Go for it.
There are ways around this problem in this model, but unprivileged user namespaces were an attempt to secure Linux by enabling administrators to set up sandboxes or containers where a normal user could act as a superuser inside the container to perform administrative tasks without being root on the host Linux system.
But then if hackers obtained root privileges within the container, they could break out and wreak havoc in the host system. Whoops!
Unprivileged user namespaces have proven to be a double-edged sword. While they are instrumental in creating secure application sandboxes and replacing many uses of setuid and setgid programs, they expose kernel interfaces to unprivileged users, leading to potential security vulnerabilities. These namespaces have been implicated in several privilege escalation exploit chains.
Ubuntu 23.10 is addressing this challenge head-on. The new release will feature restricted unprivileged user namespaces controlled and regulated by AppArmor policies. This selective approach ensures that only authorized applications can access and utilize these namespaces, significantly mitigating the associated security risks.
AppArmor is a Linux kernel security module. It enables system administrators to restrict programs’ capabilities by working with standard Unix/Linux Mandatory Access Control (MAC) permissions. AppArmor has been built into Ubuntu Linux since Ubuntu 7.10 appeared in 2007. It’s also used in the SUSE Linux family.
In this case, you can use AppArmor to allow and disallow unprivileged user namespaces selectively via an AppArmor policy on a per-application basis. Canonical will supply pre-built AppArmor policies for popular programs like Chrome, Firefox, and Thunderbird.
As Canonical collects user feedback, it’ll build more AppArmor profiles for more apps. This enhanced security feature will initially be opt-in. You’ll be able to enable it via the shell.
To turn this feature on, use the following pair of commands from your shell:
$ sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=1
$ sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=1
And if you want to disable it, run the following two commands:
$ sudo sysctl -w kernel.apparmor_restrict_unprivileged_unconfined=0
$ sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
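As an added example (not from the article or from Canonical), the following POSIX shell script reports whether both restriction knobs are on, and checks whether an AppArmor profile file actually contains a `userns,` rule, which is what lets an application keep using unprivileged user namespaces once the restriction is enabled. The sysctl directory and the profile path are parameters so the checks can run against constructed files on a machine that lacks the 23.10 kernel.

```shell
#!/bin/sh
# Added example: audit the Ubuntu 23.10 restricted-userns state.
# Knob names come from the article; the directory parameter is an
# assumption so the functions can be tested on constructed files.

# Print the value of one sysctl knob from $1, or "missing" when the
# running kernel does not expose it (i.e. not a 23.10 kernel).
read_knob() {
    knob_path="$1/$2"
    if [ -r "$knob_path" ]; then
        tr -d '[:space:]' < "$knob_path"
    else
        printf 'missing'
    fi
}

# Classify the combined state of the two knobs:
#   restricted   - both 1, unprivileged userns needs an AppArmor grant
#   unrestricted - both 0, the pre-23.10 behaviour
#   partial      - knobs disagree (half-applied change, worth alerting on)
#   unsupported  - at least one knob is absent from the kernel
userns_restriction_status() {
    sysctl_dir="${1:-/proc/sys/kernel}"
    unconfined=$(read_knob "$sysctl_dir" apparmor_restrict_unprivileged_unconfined)
    userns=$(read_knob "$sysctl_dir" apparmor_restrict_unprivileged_userns)
    if [ "$unconfined" = missing ] || [ "$userns" = missing ]; then
        echo unsupported
    elif [ "$unconfined" = 1 ] && [ "$userns" = 1 ]; then
        echo restricted
    elif [ "$unconfined" = 0 ] && [ "$userns" = 0 ]; then
        echo unrestricted
    else
        echo partial
    fi
}

# Return success if the AppArmor profile file $1 contains an
# uncommented "userns," rule (leading whitespace allowed), i.e. the
# profile grants unprivileged user namespaces to its application.
profile_grants_userns() {
    grep -Eq '^[[:space:]]*userns[[:space:]]*,' "$1"
}

# Stand-alone run: report the live kernel state.
echo "restricted unprivileged userns: $(userns_restriction_status)"
```

Feed `profile_grants_userns` the files under /etc/apparmor.d to see which of Canonical's pre-built profiles carry the grant once 23.10 is installed.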
Ubuntu is particularly interested in gathering user feedback to refine and optimize this security measure before integrating it as a default feature in the operating system.
Then, once it’s perfected, this feature will be turned on by default on 23.10, through Stable Release Updates (SRU). It’s expected that once it’s working well, it will be on in all future Ubuntu versions.
This feature is exclusive to Ubuntu 23.10 and will not impact users of previous versions. It marks a significant step in Ubuntu’s ongoing efforts to future-proof the security of its operating system against evolving cybersecurity threats while ensuring that user experience remains at the forefront.