Not only --uts option but also disabling --hostname.

This is not really going to be an effective way of avoiding the issue. You would have to disable unprivileged user namespaces on the system entirely, and disallow --hostname through Singularity.

On most systems these days, unshare is available. A user can unshare -u -r to get a user namespace with UTS namespace outside of Singularity. They can then set the hostname directly with the hostname command.

$ whoami
dtrudg-sylabs
$ hostname
mini
$ unshare -u -r

$ whoami
root
$ hostname bob
$ hostname
bob

Disabling the user & UTS namespaces in singularity.conf is therefore not effective. It would have to be done for the whole system by disabling unprivileged user namespaces with a sysctl. Otherwise there are easy ways to work around the configuration.

In general we prefer to avoid adding configuration options that infer some kind of security-related restriction that can easily be bypassed. As we are moving toward unprivileged execution in our upcoming OCI mode, which will require unprivileged user namespaces, I'm not sure these configuration options make sense.

Are the vendors of the software aware of the ability to bypass purely with unshare and not containers?

We've already disabled user namespaces with sysctl to disable 'unshare -r'.

Other namespaces are also used by systemd on RHEL9(network, uts, etc.), so we want to keep them available.

But I don't want to be able to use it in singularity.

Are the vendors of the software aware of the ability to bypass purely with unshare and not containers?

I don't have any connection with Flexlm vendor...

Okay. I think we'd consider a PR contributing this, but it's not a high priority to develop unless it affects a broad range of users.