15

I want to run the command sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 at startup to make etcher work.

How to run such a command with sudo during startup, without entering the password?

Archisman Panigrahi
  • 38,814

1 Answers1

25

Summary: Run the following two commands one by one.

echo 'kernel.apparmor_restrict_unprivileged_userns = 0' | 
  sudo tee /etc/sysctl.d/20-apparmor-donotrestrict.conf

and

sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0

The sudo command is really intended for elevating privileges in an interactive session - in particular, it expects to read the authenticating user's password via a tty (or other interactive mechanism specified via SUDO_ASKPASS). Any time you want to run a command with elevated privileges non-interactively, there's usually a better way to do so - for example

  • via a root crontab entry
  • via a systemd system service

In the case of sysctl, there's an even better option: via a drop-in configuration file. From man sysctl.d:

DESCRIPTION
   At boot, systemd-sysctl.service(8) reads configuration files from the
   above directories to configure sysctl(8) kernel parameters.

So you can simply create a file in /etc/sysctl.d and add the name = value there - either with your favorite text editor, or for example using

echo 'kernel.apparmor_restrict_unprivileged_userns = 0' | 
  sudo tee /etc/sysctl.d/20-apparmor-donotrestrict.conf

(aside from the .conf suffix, the filename is arbitrary - I suggest you choose something that is meaningful to you).

Reboot.

My current kernel (5.15.0-105-generic) doesn't appear to have the kernel.apparmor_restrict_unprivileged_userns parameter, so I tested with kernel.unprivileged_userns_apparmor_policy instead.

About potential security concerns: It may seem that this may opens up a lot of security issues, but that is really not the case because a malware which gains administrative privileges can revert such restriction and do anything. And a malware with administrative privileges can basically do anything. The only way you can increase security is to stick to the official repositories and not install untrusted apps at all, and not give your password to them. Other distributions like Mint and Solus are reverting this change in apparmor. Other distributions like Debian, Fedora, or Arch don't have this restriction at all. Also, Ubuntu 22.04 and prior versions did not have this apparmor policy, and your system would be no more insecure than Ubuntu 22.04. However, you are at your own risk if you decide to follow this method (the point of this note is, you are always at your own risk when you use GNU/Linux. You have to cautiously decide what to install).

Archisman Panigrahi
  • 38,814
steeldriver
  • 142,475