On Tue, Aug 22, 2017 at 11:15:38AM +0200, Karel Zak wrote:
> On Tue, Aug 22, 2017 at 10:40:11AM +0200, Renzo Davoli wrote:
> > The mount command does not seem to support the cap_sys_admin capability.
> >
> > In fact the command fails when the mount system call would succeed
> > for operations permitted to users (e.g. bind mounts in user namespaces).
> >
> > For example, using userbindmount
> > https://github.com/rd235/userbindmount
> >
> > $ userbindmount -s --
> > $ mount --bind /tmp/resolv.conf /etc/resolv.conf
> > mount: only root can use "--bind" option
> > $ busybox mount --bind /tmp/resolv.conf /etc/resolv.conf
> > $
> >
> > As can be seen from the example above, busybox mount
> > succeeds on the same command where mount(8) fails.
> >
> > "Mount" erroneously checks that the effective user is root
> > and returns an error prior to invoking the system call mount(2),
> > forbidding in this way permitted operations.
>
> Well, historically mount(8) is not about the mount(2) syscall only. It
> also checks the filesystem type (read from devices), writes userspace files
> (/etc/mtab or /run/mount/utab), creates loop devices, calls btrfs
> ioctls and executes mount helpers.
>
> We can improve libmount to accept capabilities for simple use-cases
> like --bind, but the question is whether it makes sense if for other
> tasks it will be hard to use.
>
> Frankly, I have never tried it. Maybe it will not be so big an issue to try
> it, test it and describe possible limitations in the man page. I'll add
> this to our TODO list.

This issue makes it impossible to use this libmount when you create a
new container. I mean that once you create a namespace you can't mount
/proc, /sys, etc. Therefore, you have to do the parsing of the flags
and the checks manually, rather than use an existing library.

--
Rgrds, legion
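The two permission checks contrasted in this thread, as an added example that is not code from util-linux, busybox or any poster: a gate on effective UID 0 next to a gate on CAP_SYS_ADMIN in the effective capability set, both evaluated over /proc/<pid>/status-style text. The sample status text and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21 /* value of CAP_SYS_ADMIN in <linux/capability.h> */

/* Constructed samples: uid 1000 inside a user namespace holding capabilities,
 * and the same uid with an empty effective set. */
const char SAMPLE_USERNS[] =
    "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t000001ffffffffff\n";
const char SAMPLE_PLAIN[] =
    "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n";

/* Return a pointer to the value of "key:" at the start of a line, or NULL. */
static const char *status_field(const char *status, const char *key)
{
    size_t klen = strlen(key);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == ':')
            return p + klen + 1;
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return NULL;
}

/* Effective UID is the second number on the "Uid:" line; -1 on parse error. */
long status_euid(const char *status)
{
    const char *v = status_field(status, "Uid");
    long ruid, euid;
    if (!v || sscanf(v, "%ld %ld", &ruid, &euid) != 2)
        return -1;
    return euid;
}

/* 1 if CAP_SYS_ADMIN is in CapEff, 0 if not, -1 on parse error. */
int status_has_sys_admin(const char *status)
{
    const char *v = status_field(status, "CapEff");
    unsigned long long eff;
    if (!v || sscanf(v, "%llx", &eff) != 1)
        return -1;
    return (int)((eff >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

int main(void)
{
    /* euid gate refuses (1000 != 0) while the capability gate would allow. */
    printf("userns: euid=%ld cap_sys_admin=%d\n",
           status_euid(SAMPLE_USERNS), status_has_sys_admin(SAMPLE_USERNS));
    return 0;
}
```

Holding CAP_SYS_ADMIN in a user namespace only means the caller may attempt mount(2); the kernel still decides per mount whether the operation is permitted.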