Re: mount(8) does not support cap_sys_admin

On Tue, Aug 22, 2017 at 10:40:11AM +0200, Renzo Davoli wrote:
> The mount command does not seem to support the cap_sys_admin capability.
> 
> In fact the command fails where the mount system call would succeed
> for operations permitted to users (e.g. bind mounts in user namespaces).
> 
> For example using userbindmount
> https://github.com/rd235/userbindmount
> 
> $ userbindmount -s --
> $ mount --bind /tmp/resolv.conf /etc/resolv.conf 
> mount: only root can use "--bind" option
> $ busybox mount --bind /tmp/resolv.conf /etc/resolv.conf 
> $
> 
> As it can be seen from the example above, busybox mount
> succeeds on the same command where mount(8) fails.
> 
> "Mount" erroneously checks that the effective user is root
> and returns an error prior to invoke the system call mount(2),
> forbidding in this way permitted operations.

Well, historically mount(8) is not about the mount(2) syscall only. It
also checks the filesystem type (read from devices), writes userspace files
(/etc/mtab or /run/mount/utab), creates loop devices, calls btrfs
ioctls and executes mount helpers.

We can improve libmount to accept capabilities for simple use-cases
like --bind, but the question is whether it makes sense if it will be
hard to use for other tasks.

Frankly, I have never tried it. Maybe it will not be so big an issue to try
it, test it and describe possible limitations in the man page. I'll add
this to our TODO list.

    Karel

-- 
 Karel Zak  <kzak@xxxxxxxxxx>
 http://karelzak.blogspot.com
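An added example (not code from this thread or from util-linux) contrasting the euid test that mount(8) performs with the capability the kernel actually checks: it reads the CapEff mask from /proc/self/status (CAP_SYS_ADMIN is bit 21 there), then issues mount(2) directly and reports errno instead of pre-filtering on euid. It assumes Linux; the function names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

#define CAP_SYS_ADMIN_BIT 21 /* bit index from linux/capability.h */

/* Parse the "CapEff:" line of /proc/<pid>/status text. Returns 1 if the
 * effective set holds CAP_SYS_ADMIN, 0 if not, -1 if missing or malformed. */
int cap_sys_admin_in_status(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return -1;
    const char *hex = p + strlen("CapEff:"); /* strtoull skips the tab */
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(hex, &end, 16);
    if (errno || end == hex) return -1;
    return (int)((mask >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* Same check on the calling process's own status file. */
int have_cap_sys_admin(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_sys_admin_in_status(buf);
}

/* Let mount(2) decide: the kernel checks CAP_SYS_ADMIN in the user namespace
 * that owns the mount namespace, which a euid == 0 test cannot express.
 * Returns 0 on success or -errno. */
int try_bind_mount(const char *src, const char *dst)
{
    return mount(src, dst, NULL, MS_BIND, NULL) == 0 ? 0 : -errno;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s SRC DST\n", argv[0]); return 2; }
    printf("euid=%u cap_sys_admin=%d\n", (unsigned)geteuid(), have_cap_sys_admin());
    int rc = try_bind_mount(argv[1], argv[2]);
    if (rc) fprintf(stderr, "mount(2): %s\n", strerror(-rc));
    return rc ? 1 : 0;
}
```

Run it under `userbindmount -s --` as in the quoted session: euid stays non-zero, CapEff reports CAP_SYS_ADMIN, and the bind mount succeeds because the kernel, not a euid check, is the authority.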