Attempting to run `zoom` results in this console output:

[0110/121009.112150:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/zoom/cef/chrome-sandbox is owned by root and has mode 4755.

It also outputs "zoom started.", but it is not.

`sudo chmod 4755 /opt/zoom/cef/chrome-sandbox` fixes this.

Looks like we need to add USE=suid for this package (to automate this on package updates)?
The SUID sandbox is meant as a fallback for when the kernel does not support user namespaces.

You should really enable the following kernel options:

USER_NS
PID_NS
NET_NS
SECCOMP_FILTER
(In reply to Mike Gilbert from comment #1)
> The SUID sandbox is meant as a fallback for when the kernel does not support
> user namespaces.
>
> You should really enable the following kernel options:
>
> USER_NS
> PID_NS
> NET_NS
> SECCOMP_FILTER

I have all of these:

# zgrep _NS= /proc/config.gz
CONFIG_UTS_NS=y
CONFIG_TIME_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=y
CONFIG_GENERIC_VDSO_TIME_NS=y
# zgrep SECCOMP_FILTER= /proc/config.gz
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0126c3deefdfe8d76f5878ca2825f092be38de0

commit e0126c3deefdfe8d76f5878ca2825f092be38de0
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2023-01-11 09:05:16 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2023-01-11 09:07:07 +0000

    net-im/zoom: Make chrome-sandbox executable

    Bug: https://bugs.gentoo.org/890336
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 net-im/zoom/{zoom-5.13.3.651.ebuild => zoom-5.13.3.651-r1.ebuild} | 1 +
 1 file changed, 1 insertion(+)
chrome-sandbox should at least be executable, which it wasn't. Please try if -r1 fixes the problem for you. (What Mike said in comment #1 is right though, chrome-sandbox should normally not be needed.)
(In reply to Ulrich Müller from comment #4)
> chrome-sandbox should at least be executable, which it wasn't. Please try if
> -r1 fixes the problem for you.
>
> (What Mike said in comment #1 is right though, chrome-sandbox should
> normally not be needed.)

Cool, but then the real issue is somewhere else:

$ ls -l /opt/zoom/cef/chrome-sandbox
-rwxr-xr-x 1 root root 1597080 Jan  4 16:23 /opt/zoom/cef/chrome-sandbox
$ zoom
sh: line 1: pactl: command not found
Class                     App   Lib   Possible Culprit Flags
resip::Connection         648   648
resip::Data               36    36
resip::DnsResult          1080  1080
resip::Headers            1     1
resip::MsgHeaderScanner   40    40
resip::SipMessage         5208  5208
resip::TransportSelector  864   864
resip::Tuple              128   128
resip::UdpTransport       1144  1144
resip::GenericIPAddress   28    28
zoom started.
[0111/144945.085587:FATAL:setuid_sandbox_host.cc(158)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/zoom/cef/chrome-sandbox is owned by root and has mode 4755.
[1]    9523 trace trap  zoom
sh: line 1: pactl: command not found
Class                     App   Lib   Possible Culprit Flags
resip::Connection         648   648
resip::Data               36    36
resip::DnsResult          1080  1080
resip::Headers            1     1
resip::MsgHeaderScanner   40    40
resip::SipMessage         5208  5208
resip::TransportSelector  864   864
resip::Tuple              128   128
resip::UdpTransport       1144  1144
resip::GenericIPAddress   28    28
$ zoom started.

(No, it wasn't actually "started".)

Also, I get this in the kernel log (only without using SUID, when it doesn't start):

kern.info: traps: zoom[8757] trap int3 ip:7ff762786145 sp:7ffeee5bdfe0 error:0 in libcef.so[7ff75f6f4000+8417000]
By any chance, is this with an NVIDIA GPU? What happens if you start Zoom with "zoom --disable-gpu-sandbox"?
(In reply to Ulrich Müller from comment #6)
> By any chance, is this with an NVIDIA GPU?

Yes, it's NVIDIA, using x11-drivers/nvidia-drivers-525.60.13.

> What happens if you start Zoom with "zoom --disable-gpu-sandbox"?

Exactly the same thing as without this option - doesn't work, trap int3 in the kernel log.
Other Electron stuff already marks it suid. While it might be undesirable, it is what it is, and it's how CEF works.
I was able to run it as `zoom --no-sandbox`! No idea if this is more or less secure than using SUID. :-/

BTW, on a side note, to use Slack I have to use `slack --no-sandbox --disable-seccomp-filter-sandbox`. No idea if it's related.
(In reply to Sam James from comment #8)
> Other Electron stuff already marks it suid. While it might be undesirable,
> it is what it is, and it's how CEF works.

I would rather last-rite the package than install a closed-source binary suid.
(In reply to Ulrich Müller from comment #10)
> (In reply to Sam James from comment #8)
> > Other Electron stuff already marks it suid. While it might be undesirable,
> > it is what it is, and it's how CEF works.
>
> I would rather last-rite the package than install a closed-source binary
> suid.

Last rite all CEF applications then? Users can use suidctl if they want.
(In reply to Ulrich Müller from comment #10)
> I would rather last-rite the package than install a closed-source binary
> suid.

As a paranoid, I wholeheartedly agree! But the sad truth is people (including myself) won't stop using zoom because of this. I hate zoom, but when its usage is enforced by my employer there is little I can do to avoid using it.

So, from a security viewpoint, all we can do is provide a way to install it as securely as possible. And if it's still not safe - output a warning about this, maybe require an extra USE flag or so.
(In reply to Alex Efros from comment #12)
> So, from security view point, all we can do is provide a way to install it
> as secure as possible. And if it's still not safe - output warning about
> this, maybe require extra USE-flag or so.

Well, at the moment we don't know why the problem happens for your configuration, but apparently not for most other users. Displaying a warning or installing a fix is less than ideal when it is based on pure guesswork. It would be much preferable if we knew what exact problem we're fixing (or working around).
(In reply to Ulrich Müller from comment #13)
> Well, at the moment we don't know why the problem happens for your
> configuration, but apparently not for most other users.

BTW, please post "emerge --info" output.
(In reply to Sam James from comment #11)
> (In reply to Ulrich Müller from comment #10)
> > (In reply to Sam James from comment #8)
> > > Other Electron stuff already marks it suid. While it might be undesirable,
> > > it is what it is, and it's how CEF works.
> >
> > I would rather last-rite the package than install a closed-source binary
> > suid.
>
> Last rite all CEF applications then? Users can use suidctl if they want.

I'm sorry, this was a bit flippant. My point was that consistent UX and "things working when we need them" for proprietary apps is important.

Now, wrt debugging this, does chromium install the sandbox? Does chromium start up without hacks or do you need to pass flags?
Portage 3.0.41 (python 3.10.9-final-0, default/linux/amd64/17.1/hardened, gcc-11, glibc-2.36-r5, 5.15.80-gentoo x86_64)
=================================================================
System uname: Linux-5.15.80-gentoo-x86_64-AMD_Ryzen_9_5900X_12-Core_Processor-with-glibc2.36
KiB Mem:    32813216 total,  19846432 free
KiB Swap:   16776896 total,  16776896 free
Timestamp of repository gentoo: Mon, 09 Jan 2023 10:30:01 +0000
Head commit of repository gentoo: 8525e47cfd61d2035f28a790bce4f39b3697a379
sh bash 5.1_p16-r2
ld GNU ld (Gentoo 2.39 p5) 2.39.0
ccache version 4.7.4 [enabled]
app-misc/pax-utils:        1.3.5::gentoo
app-shells/bash:           5.1_p16-r2::gentoo
dev-java/java-config:      2.3.1::gentoo
dev-lang/perl:             5.36.0-r1::gentoo
dev-lang/python:           3.9.16::gentoo, 3.10.9::gentoo, 3.11.1::gentoo
dev-lang/rust:             1.65.0::gentoo
dev-util/ccache:           4.7.4::gentoo
dev-util/cmake:            3.24.3::gentoo
dev-util/meson:            0.64.1::gentoo
sys-apps/baselayout:       2.9::gentoo
sys-apps/sandbox:          2.29::gentoo
sys-devel/autoconf:        2.13-r7::gentoo, 2.71-r5::gentoo
sys-devel/automake:        1.16.5::gentoo
sys-devel/binutils:        2.39-r4::gentoo
sys-devel/binutils-config: 5.4.1::gentoo
sys-devel/clang:           15.0.6-r1::gentoo
sys-devel/gcc:             11.3.1_p20221209::gentoo
sys-devel/gcc-config:      2.8::gentoo
sys-devel/libtool:         2.4.7::gentoo
sys-devel/lld:             15.0.6::gentoo
sys-devel/llvm:            15.0.6-r1::gentoo
sys-devel/make:            4.3::gentoo
sys-kernel/linux-headers:  5.15-r3::gentoo (virtual/os-headers)
sys-libs/glibc:            2.36-r5::gentoo
sys-libs/libselinux:       3.4::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts:
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-metamanifest: yes

local
    location: /usr/local/portage
    masters: gentoo
    priority: 0

powerman
    location: /home/powerman/proj/gentoo/powerman-overlay
    masters: gentoo
    priority: 50

steam-overlay
    location: /var/lib/layman/steam-overlay
    sync-type: laymansync
    sync-uri: https://github.com/anyc/steam-overlay.git
    masters: gentoo
    priority: 50

torbrowser
    location: /var/lib/layman/torbrowser
    sync-type: laymansync
    sync-uri: https://github.com/MeisterP/torbrowser-overlay.git
    masters: gentoo
    priority: 50

Installed sets: @esteam
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /service /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/easy-rsa /usr/share/gnupg/qualified.txt /usr/share/i2p/scripts /usr/share/maven-bin-3.8/conf /var/log"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage-distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --autounmask --autounmask-write --alert=y"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg-live ccache clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict strict-keepdir unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS="http://mirror.leaseweb.com/gentoo/ http://mirrors.aliyun.com/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo"
LANG="ru_RU.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LEX="flex"
LINGUAS="en ru ru_RU"
MAKEOPTS="-j24"
PKGDIR="/usr/portage-packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/zsh"
USE="X a52 aac acl acpi aes alac alsa amd64 avx avx2 bash-completion bluetooth branding bzip2 cairo caps cdda cddb cdr chm cli crypt cups dbus dcron dga djvu dri dts dvb dvd dvdr egl eglfs elogind emboss encode exif f16c fam ffmpeg flac fma3 fontconfig fortran gallium gdbm gif gpg gtk hardened heif iconv icu id3tag idn ipv6 jpeg jpeg2k lcms libglvnd libnotify libtirpc mac mad matroska mmx mmxext mng mp3 mp4 mpeg mtp multilib musepack ncurses network-cron nls nptl nsplugin ogg opengl openmp opus pam pango pclmul pcre pdf perl pie png policykit popcnt ppds qt5 rdrand readline rtc sdl seccomp sha spell split-usr sse sse2 sse3 sse4_1 sse4_2 sse4a ssl ssp ssse3 startup-notification svg tcpd test-rust theora tiff truetype udev udisks unicode upower usb vaapi vdpau vim-syntax vorbis wavpack wxwidgets x264 x265 xattr xcb xml xscreensaver xtpax xv xvid xvmc zlib"
ABI_X86="64"
ADA_TARGET="gnat_2021"
APACHE2_MODULES="log_config vhost_alias autoindex alias rewrite dir deflate filter mime negotiation auth_basic authn_file authz_host authz_user authz_groupfile cgi actions headers env setenvif authn_core authz_core unixd socache_shmcb access_compat"
CALLIGRA_FEATURES="karbon sheets words"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx"
GRUB_PLATFORMS="efi-64 pc"
INPUT_DEVICES="evdev"
KERNEL="linux"
L10N="en ru"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LUA_SINGLE_TARGET="lua5-1"
LUA_TARGETS="lua5-1"
NGINX_MODULES_HTTP="access auth_basic autoindex browser charset empty_gif fastcgi geo gzip limit_conn limit_req map memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash userid uwsgi addition fancyindex"
NGINX_MODULES_STREAM="ssl_preread map"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-6 php7-0"
POSTGRES_TARGETS="postgres12 postgres13"
PYTHON_SINGLE_TARGET="python3_9"
PYTHON_TARGETS="python3_10 python3_9"
QEMU_SOFTMMU_TARGETS="x86_64 i386"
QEMU_USER_TARGETS="x86_64 i386"
RUBY_TARGETS="ruby27"
USERLAND="GNU"
VIDEO_CARDS="nvidia nouveau"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
(In reply to Sam James from comment #15)
> Now, wrt debugging this, does chromium install the sandbox? Does chromium
> start up without hacks or do you need to pass flags?

I don't use chromium (too long compile time, AFAIR that's the reason why I've unmerged it).

But I have google chrome installed (just as a last resort for testing websites which refuse to work in both Firefox and Vivaldi), and it does contain a SUID chrome-sandbox binary.
(In reply to Alex Efros from comment #17)
> (In reply to Sam James from comment #15)
> > Now, wrt debugging this, does chromium install the sandbox? Does chromium
> > start up without hacks or do you need to pass flags?
>
> I don't use chromium (too long compile time, AFAIR that's the reason why
> I've unmerged it).
>
> But I've google chrome installed (just for last resort testing websites
> which refuse to work in both Firefox and Vivaldi), and it does contains SUID
> chrome-sandbox binary.

Is it marked suid on your machine? If so, if you unmark it, does Google-chrome work ok?
(In reply to Sam James from comment #18)
> Is it marked suid on your machine?

Yes:

$ ls -l /opt/google/chrome/chrome-sandbox
-rws--x--x 1 root root 219568 Dec 12 22:36 /opt/google/chrome/chrome-sandbox

> If so, if you unmark it, does Google-chrome work ok?

No:

$ sudo chmod u-s /opt/google/chrome/chrome-sandbox
$ ls -l /opt/google/chrome/chrome-sandbox
-rwx--x--x 1 root root 219568 Dec 12 22:36 /opt/google/chrome/chrome-sandbox
$ google-chrome-stable
[17486:17486:0111/203112.267352:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/google/chrome/chrome-sandbox is owned by root and has mode 4755.
[1]    17486 trace trap  google-chrome-stable
[17500:17500:0100/000000.292553:ERROR:zygote_linux.cc(661)] write: Broken pipe (32)
$
Does running the following program work (compile, and run as root)?
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/linux/pid_namespace_support.md

If yes, does it still work if you replace the third argument of the clone call by CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET?

Another idea would be to run zoom under strace and look for any clone and clone3 calls that have failed (i.e. return value -1).
(In reply to Ulrich Müller from comment #20)
> Does running the following program work (compile, and run as root)?
> https://chromium.googlesource.com/chromium/src/+/refs/heads/main/docs/linux/
> pid_namespace_support.md

Yes:

$ sudo ./pid_ns
PID namespaces are working

> If yes, does it still work if you replace the third argument of the clone
> call by CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET?

No:

$ sudo ./pid_ns
clone: No space left on device
Clone failed.
PID namespaces ARE NOT supported

> Another idea would be to run zoom under strace and look for any clone and
> clone3 calls that have failed (i.e. return value -1).

$ strace -f -e clone,clone3 -o zoom-strace.txt zoom
$ cat zoom-strace.txt
26695 clone3({flags=CLONE_VM|CLONE_VFORK, exit_signal=SIGCHLD, stack=0x7f6b82faf000, stack_size=0x9000}, 88) = 26696
26696 +++ exited with 127 +++
26695 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=26696, si_uid=1000, si_status=127, si_utime=0, si_stime=0} ---
26695 clone3({flags=CLONE_VM|CLONE_VFORK, exit_signal=SIGCHLD, stack=0x7f6b82faf000, stack_size=0x9000}, 88) = 26697
26697 +++ exited with 0 +++
26695 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=26697, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
26695 clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f6b7acd2990, parent_tid=0x7f6b7acd2990, exit_signal=0, stack=0x7f6b7a4d2000, stack_size=0x7ffc80, tls=0x7f6b7acd26c0} => {parent_tid=[26698]}, 88) = 26698
26695 clone(child_stack=0x7fffb3f77190, flags=CLONE_NEWUSER|SIGCHLD) = -1 ENOSPC (No space left on device)
26695 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f6b7f88cd10) = 26699
26695 --- SIGTRAP {si_signo=SIGTRAP, si_code=SI_KERNEL, si_addr=NULL} ---
26698 +++ killed by SIGTRAP +++
26695 +++ killed by SIGTRAP +++
26699 clone3({flags=CLONE_VM|CLONE_VFORK, exit_signal=SIGCHLD, stack=0x7f701b13c000, stack_size=0x9000}, 88) = 26703
26703 +++ exited with 127 +++
26699 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=26703, si_uid=1000, si_status=127, si_utime=0, si_stime=0} ---
26699 clone3({flags=CLONE_VM|CLONE_VFORK, exit_signal=SIGCHLD, stack=0x7f701b13c000, stack_size=0x9000}, 88) = 26704
26704 +++ exited with 0 +++
26699 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=26704, si_uid=1000, si_status=0, si_utime=0, si_stime=0} ---
26699 +++ exited with 0 +++
> 26695 clone(child_stack=0x7fffb3f77190, flags=CLONE_NEWUSER|SIGCHLD) = -1 ENOSPC (No space left on device)

This appears to be the failure point.

According to the clone(2) manpage, there are two scenarios in which clone(CLONE_NEWUSER) may fail with ENOSPC:

       ENOSPC (since Linux 4.9; beforehand EUSERS)
              CLONE_NEWUSER was specified in the flags mask, and the call
              would cause the limit on the number of nested user namespaces
              to be exceeded. See user_namespaces(7).

              From Linux 3.11 to Linux 4.8, the error diagnosed in this
              case was EUSERS.

       ENOSPC (since Linux 4.9)
              One of the values in the flags mask specified the creation of
              a new user namespace, but doing so would have caused the
              limit defined by the corresponding file in /proc/sys/user to
              be exceeded. For further details, see namespaces(7).

What value does /proc/sys/user/max_user_namespaces contain on your system?
(In reply to Mike Gilbert from comment #22)
> What value does /proc/sys/user/max_user_namespaces contain on your system?

Thanks for helping me track it down!

# cat /proc/sys/user/max_user_namespaces
0

I've looked in /etc/sysctl.conf and found this paragraph, which I added many years ago:

### http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
user.max_user_namespaces = 0

I've tested it: after `sysctl -w user.max_user_namespaces=1024` zoom starts without SUID. And Slack also starts without `--no-sandbox --disable-seccomp-filter-sandbox`.

I've just checked the URL mentioned above, and it looks like this recommendation is still there… so… while "a large attack surface to unprivileged users" is a bit unclear, it still sounds more scary than even running chrome-sandbox SUID.
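An added diagnostic, not code from this bug thread, from Zoom/CEF, or from the Chromium docs: it takes the clone()-based check from the pid_namespace_support.md program Ulrich pointed at in comment #20, extends it to the CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET combination he asked about, and classifies the clone() errno the way Mike read it from clone(2) in comment #22, so the same ENOSPC the strace in comment #21 shows is reported together with the sysctl that causes it. The file name, the function names and the NS_* classes are mine; the errno meanings are those of clone(2). Run it as an ordinary user, since an unprivileged user namespace is what the non-SUID sandbox path creates (the thread shows root hits ENOSPC too when user.max_user_namespaces is 0).

```c
/* userns_probe.c -- added diagnostic; not from the bug thread, Zoom/CEF or
 * Chromium.  Generalises the clone()-based check in Chromium's
 * pid_namespace_support.md to the user namespace the sandbox needs and maps
 * the clone() errno to the next thing to check (errno meanings per clone(2)).
 *
 * Build:  gcc -O2 -Wall -o userns_probe userns_probe.c
 * Run:    ./userns_probe        (as an ordinary user, not root)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#include <linux/sched.h>   /* CLONE_* flags if <sched.h> was seen before _GNU_SOURCE */
#endif

/* Outcome classes for a failed clone() with namespace flags (per clone(2)). */
enum ns_diag {
    NS_OK,          /* clone() with these flags succeeded */
    NS_LIMIT,       /* ENOSPC (EUSERS on 3.11..4.8): a /proc/sys/user limit was hit;
                       user.max_user_namespaces = 0 is the case from this bug */
    NS_UNSUPPORTED, /* EINVAL: kernel built without that namespace (CONFIG_*_NS=n) */
    NS_DENIED,      /* EPERM: the caller lacks the privilege that flag needs */
    NS_OTHER        /* anything else: inspect errno */
};

enum ns_diag diagnose_clone_errno(int err)
{
    switch (err) {
    case 0:      return NS_OK;
    case ENOSPC: return NS_LIMIT;
    case EUSERS: return NS_LIMIT;
    case EINVAL: return NS_UNSUPPORTED;
    case EPERM:  return NS_DENIED;
    default:     return NS_OTHER;
    }
}

static int child_fn(void *arg)
{
    (void)arg;
    _exit(0);               /* the child only needs to exist */
}

/* Attempt clone() with the given CLONE_NEW* flags.  Returns 1 on success,
 * 0 on failure; *err receives clone()'s errno (0 on success). */
int try_clone_ns(int ns_flags, int *err)
{
    static char stack[64 * 1024];   /* child never returns; safe to reuse after waitpid() */
    pid_t pid = clone(child_fn, stack + sizeof stack, ns_flags | SIGCHLD, NULL);
    if (pid < 0) {
        *err = errno;
        return 0;
    }
    waitpid(pid, NULL, 0);
    *err = 0;
    return 1;
}

/* Read one integer from a /proc or /sys file; -1 if it cannot be read. */
long read_proc_long(const char *path)
{
    FILE *f = fopen(path, "r");
    long v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

int main(void)
{
    /* First probe is the exact call zoom's strace showed failing; second is
     * the combination Ulrich asked to test in the modified pid_ns program. */
    const struct { const char *name; int flags; } probes[] = {
        { "CLONE_NEWUSER",                           CLONE_NEWUSER },
        { "CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET", CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int err = 0;
        try_clone_ns(probes[i].flags, &err);
        printf("clone(%s): %s", probes[i].name, err ? strerror(err) : "ok");
        switch (diagnose_clone_errno(err)) {
        case NS_LIMIT:
            printf("  -> user.max_user_namespaces = %ld",
                   read_proc_long("/proc/sys/user/max_user_namespaces"));
            break;
        case NS_UNSUPPORTED:
            printf("  -> check CONFIG_USER_NS/PID_NS/NET_NS in /proc/config.gz");
            break;
        default:
            break;
        }
        putchar('\n');
    }
    return 0;
}
```

On the configuration from this bug (CONFIG_USER_NS=y but user.max_user_namespaces = 0) both probes print "No space left on device" followed by the sysctl value 0, without having to start zoom under strace; after `sysctl -w user.max_user_namespaces=1024` they print "ok". EINVAL instead points at a kernel built without the namespace, which is the case the ebuild's CONFIG_USER_NS check is meant to catch.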
(In reply to Alex Efros from comment #23)
> I've looked in /etc/sysctl.conf and found this paragraph, which I've added
> many years ago:
> [...]
> user.max_user_namespaces = 0

The ebuild checks CONFIG_USER_NS (which option is also set by CONFIG_GENTOO_LINUX_PORTAGE in gentoo-sources). I'd say that enabling the option in the kernel but disabling it at runtime is not a supported configuration.

> I've tested it: after `sysctl -w user.max_user_namespaces=1024` zoom starts
> without SUID.

Closing.