Enable user namespaces in Debian kernel

On Debian the ability to create or handle user namespaces from a non-privileged process (usually meaning non-root user) is disabled by default. There's a Debian-specific patch (from Ubuntu) to the kernel that adds the sysctl knob kernel.unprivileged_userns_clone (with a default value of 0 meaning disabled).

To enable it (until next reboot),

sudo sysctl -w kernel.unprivileged_userns_clone=1

For a permanent configuration, you can add a new entry in /etc/sysctl.d to enable the feature at boot:

echo 'kernel.unprivileged_userns_clone=1' > /etc/sysctl.d/00-local-userns.conf
service procps restart

---

This patch predates (by three years) the sysctl user.max_user_namespaces (initially userns.max_user_namespaces) which can be set to 0 to achieve the same result. It was probably kept around for (Debian) compatibility reasons: expecting the feature disabled by default.

From the initial commit message, it was created (in 2013) as a temporary measure when there were some doubts about the security implications related to using user namespaces:

add sysctl to disallow unprivileged CLONE_NEWUSER by default

This is a short-term patch. Unprivileged use of CLONE_NEWUSER is certainly an intended feature of user namespaces. However for at least saucy we want to make sure that, if any security issues are found, we have a fail-safe.