How do I use the user namespace sandbox?

README from https://ungoogled-software.github.io/ungoogled-chromium-binaries/releases/linux_portable/64bit/ instructs me, before I run ungoogled-chromium, to set up my system by using the user namespace sandbox so that the browser's sandboxing will work.
How do I go about this?

My environment: Ubuntu Desktop 22.04 LTS. Let’s say that the username of my admin-user is leo.

Asked By: John Smith


What is it?

That is a kernel feature that allows unprivileged users to create namespaces that can run isolated processes with elevated privileges in those contained/sandboxed namespaces, e.g. by using unshare:

$ whoami
ubuntu
$
$ unshare --map-root-user
#
# whoami
root
#

where, as an example, your current effective user and group IDs get mapped to the superuser UID and GID in the newly created user namespace, which makes it possible to conveniently gain the capabilities needed to manage various aspects of the newly created namespaces (such as configuring interfaces in the network namespace or mounting filesystems in the mount namespace) even when run unprivileged.

Oftentimes, you don't need to set up such a user namespace yourself; rather, the application requiring that feature should do that automatically as needed.

How to use it?

It should be enabled by default on recent releases of Ubuntu … Check it with:

sysctl kernel.unprivileged_userns_clone

and if it prints:

kernel.unprivileged_userns_clone = 1

as it should, then you are good to go, and your application set to make use of that feature will just run fine. You can see this happening by listing the namespaces created/used after running the script ./chrome-wrapper from the extracted portable ungoogled-chromium archive you linked to in your question, e.g. with:

lsns -o ns,pid,type,command | grep 'ungoogled-chromium'

If, however, it outputs:

kernel.unprivileged_userns_clone = 0

which means it is disabled, then you can enable it until the next reboot with:

sudo sysctl -w kernel.unprivileged_userns_clone=1

and you can make that change permanent by adding this line:

kernel.unprivileged_userns_clone=1

to the file /etc/sysctl.conf

Answered By: Raffa

First thing you need to do is check if your system already has user namespaces enabled. It’s a piece of cake, really. Pop open a terminal (you know, that black box where the magic happens) and run this command:

sysctl kernel.unprivileged_userns_clone

This bad boy will tell you if your system’s user namespaces are already enabled or not. If it returns kernel.unprivileged_userns_clone = 1, you’re in luck! Your system is all set and ready to go. If not, no worries, we’re gonna sort that out in the next steps.

Now, if it wasn’t enabled, we’re gonna have to do that manually. No biggie, really! It’s just like flicking a switch. We’ll create a config file to enable this feature on boot. Here’s how:

echo 'kernel.unprivileged_userns_clone=1' | sudo tee /etc/sysctl.d/00-local-userns.conf

After typing in this command, your system will ask for your password (since sudo means you’re asking it to do this as a superuser, a.k.a the boss). Punch in your password, press Enter, and boom! You’re golden.

Now, to make sure the changes stick (kind of like making sure the paint is dry), you need to load this config file:

sudo sysctl --system

And that’s pretty much it! You’re done, easy as pie. You’ve now set up user namespace sandboxing for ungoogled-chromium on your Ubuntu system. Now, you can run ungoogled-chromium with peace of mind, knowing that its sandboxing feature will work a-okay.

Remember, always be careful when running commands with sudo. With great power comes great responsibility. You’re the boss in sudo mode, so make sure you know what you’re doing!

Answered By: hmp
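Both answers above check a single sysctl and then flip it. The script below is an added example, not code from the page, from either answerer, or from ungoogled-chromium: a pre-flight check that reads the Debian/Ubuntu-specific kernel.unprivileged_userns_clone knob (it does not exist on upstream kernels, so "absent" is not a failure), also reads the upstream limit user.max_user_namespaces (a value of 0 disables creation outright), and finishes with a live probe using unshare, which is the operation the browser's sandbox helper must succeed at. The decision logic is a pure function so it can be exercised with constructed values; the function names are this example's own, and the file name /etc/sysctl.d/00-local-userns.conf follows the second answer.

```shell
#!/bin/sh
# Added example (not from the page or from ungoogled-chromium): pre-flight check
# for the user namespace sandbox before launching ./chrome-wrapper.
#
# Knobs read:
#   kernel.unprivileged_userns_clone  Debian/Ubuntu kernel patch; absent upstream
#   user.max_user_namespaces          upstream per-user limit; 0 disables creation

# Print a sysctl value; print "absent" when the kernel does not expose the key.
read_sysctl() {
    sysctl -n "$1" 2>/dev/null || echo absent
}

# Pure decision so it can be tested with constructed values:
#   $1 = kernel.unprivileged_userns_clone value (0, 1 or absent)
#   $2 = user.max_user_namespaces value (a count or absent)
# Prints exactly one of: enabled, disabled, unknown. The reason goes to stderr.
userns_verdict() {
    clone="$1"
    max="$2"
    case "$clone" in
        0)
            echo "kernel.unprivileged_userns_clone=0: unprivileged user namespaces disabled" >&2
            echo disabled
            return 0
            ;;
        1|absent)
            ;;  # 1 = enabled; absent = upstream kernel, this knob simply does not exist
        *)
            echo "unexpected value '$clone' for kernel.unprivileged_userns_clone" >&2
            echo unknown
            return 0
            ;;
    esac
    case "$max" in
        0)
            echo "user.max_user_namespaces=0: user namespace creation disabled" >&2
            echo disabled
            return 0
            ;;
        ""|*[!0-9]*)
            echo "user.max_user_namespaces unreadable: kernel built without CONFIG_USER_NS?" >&2
            echo unknown
            return 0
            ;;
    esac
    echo enabled
}

# Live probe: create a user namespace and map the caller to UID 0 inside it.
# Succeeds only if the running kernel really lets this unprivileged user do so.
probe_userns() {
    unshare --user --map-root-user sh -c 'test "$(id -u)" = 0' 2>/dev/null
}

# Persist the Debian/Ubuntu knob and apply it now. Needs sudo; call it by hand
# only after the report says "disabled" because of unprivileged_userns_clone.
enable_userns_persistently() {
    echo 'kernel.unprivileged_userns_clone=1' |
        sudo tee /etc/sysctl.d/00-local-userns.conf >/dev/null &&
        sudo sysctl --system >/dev/null
}

# Report for the running system. Always returns 0 so the file can be sourced.
report_userns() {
    clone=$(read_sysctl kernel.unprivileged_userns_clone)
    max=$(read_sysctl user.max_user_namespaces)
    verdict=$(userns_verdict "$clone" "$max")
    echo "kernel.unprivileged_userns_clone=$clone user.max_user_namespaces=$max -> $verdict"
    if probe_userns; then
        echo "probe: unprivileged user namespace created, the sandbox can work"
    else
        echo "probe: unshare --user failed; fix the sysctl (or the kernel) before trusting the sandbox"
    fi
    return 0
}

report_userns
```

Run it as the normal desktop user (leo in the question), not via sudo: the probe must answer whether *that* user can create a user namespace, and root would pass regardless. A "disabled" verdict caused by user.max_user_namespaces=0 is not fixed by the unprivileged_userns_clone line the answers give; that limit has to be raised separately.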