Unprivileged User Namespaces
https://github.com/CachyOS/CachyOS-Settings/blob/master/usr/lib/sysctl.d/99-cachyos-settings.conf#L33
kernel.unprivileged_userns_clone = 1 is known to significantly increase security vulnerabilities.
What is the rationale behind forcing it to enabled (1)?
Archlinux is enabling this OOB: https://github.com/archlinux/linux/commit/725a838e59cc2456fe484583b563705351ccad2e
Since it's handled directly via the kernel, we could remove it from that config. We're following archlinux there.
Yes, Arch has it enabled by default on 'regular' kernels, though also warns about it all over the wiki.
Note: The user namespace configuration item CONFIG_USER_NS is currently enabled in linux, linux-lts, linux-zen and linux-hardened. Lack of it may prevent certain sandboxing features from being made available to applications. Warning: Unprivileged user namespace usage (CONFIG_USER_NS_UNPRIVILEGED) is enabled by default in linux, linux-lts and linux-zen, which greatly increases the attack surface for local privilege escalation (see AppArmor's Wiki and FS#36969).
https://wiki.archlinux.org/title/Security#Sandboxing_applications
I was both referring to the excess of setting an already-present option as well as possibly considering a safer set for the option (0).
This cannot be disabled at the present time without breaking a couple of things. Disabling it on my system, I get warnings from Firefox that without this feature, sandboxing will not work correctly. Steam just refuses to open without unprivileged userns. AFAIK flatpak also needs this to be enabled, and while not "supported" (for lack of better word), there are still users that use flatpak in CachyOS and we can't really break that.
I suppose so long as the redundant line is removed and the sysctl knob continues to exist then that is good enough. 👍
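A quick host check for the setting discussed in this thread (an added example, not CachyOS or Arch code): it reports the policy from the Arch-patched kernel.unprivileged_userns_clone knob and the mainline user.max_user_namespaces limit, then tests whether an unprivileged process can actually create a user namespace with unshare -U. The function names and the status labels are assumptions of this example.

```shell
#!/bin/sh
# Report whether unprivileged user namespaces are allowed on this host.
# kernel.unprivileged_userns_clone exists only on kernels carrying the
# Arch/linux-hardened patch (CONFIG_USER_NS_UNPRIVILEGED); mainline kernels
# expose only user.max_user_namespaces, where 0 also blocks creation.

# Policy as read from a /proc/sys tree (argument lets a test point at a
# constructed tree). Prints one of:
#   disabled-by-sysctl  kernel.unprivileged_userns_clone = 0
#   disabled-by-limit   user.max_user_namespaces = 0
#   enabled             at least one knob present and neither blocks
#   unknown-knob        neither file readable (not a Linux /proc/sys?)
userns_policy() {
    sysdir="${1:-/proc/sys}"
    clone="$sysdir/kernel/unprivileged_userns_clone"
    maxns="$sysdir/user/max_user_namespaces"
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo disabled-by-sysctl
    elif [ -r "$maxns" ] && [ "$(cat "$maxns")" = "0" ]; then
        echo disabled-by-limit
    elif [ -r "$clone" ] || [ -r "$maxns" ]; then
        echo enabled
    else
        echo unknown-knob
    fi
}

# Functional check: the policy files can say "enabled" while a seccomp or
# LSM policy still refuses CLONE_NEWUSER, so also try it for real.
# Prints yes or no.
userns_works() {
    if command -v unshare >/dev/null 2>&1 && unshare -U true 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone report (Firefox sandboxing, Steam and flatpak, as noted in the
# thread, expect both lines to read enabled / yes).
echo "policy: $(userns_policy)"
echo "unprivileged unshare -U works: $(userns_works)"
```

Run it as a regular user, not root: root can create user namespaces regardless of the knob, so the functional line is only meaningful unprivileged.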