Why can't I bind-mount "/" inside a user namespace?
Why doesn't this work?
$ unshare -rm mount --bind / /mnt
mount: /mnt: wrong fs type, bad option, bad superblock on /, missing codepage or helper program, or other error.
These work ok:
$ unshare -rm mount --bind /tmp /mnt
$ unshare -rm mount --bind /root /mnt
$
$ uname -r # Linux kernel version
4.17.3-200.fc28.x86_64
mount namespace bind-mount userns
edited Jul 18 at 22:31
asked Jul 18 at 22:22
sourcejedi
1 Answer
The difference is that / has child mounts. Inside a user namespace, you are not allowed to separate inherited mounts from their child mounts. A more obvious example is that you are not allowed to umount /proc. Otherwise, it could suddenly grant you access to files that were hidden underneath other mounts. Overmounts are sometimes used deliberately as a security measure.
You are allowed to create a recursive bind mount instead, which preserves all the sub-mounts:
$ unshare -rm mount --rbind / /mnt
answered Jul 18 at 22:26
sourcejedi
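Whether a source path carries nested mounts, and so needs --rbind rather than --bind inside a user namespace as the answer explains, can be read from /proc/self/mountinfo. The following is an added example, not code from the original post: it parses a constructed mountinfo excerpt (the sample table, the helper names and the Fedora-like layout are assumptions) and picks the flag that would succeed.

```python
"""Decide whether bind-mounting a path needs --rbind.

Inside an unprivileged user namespace the kernel refuses a non-recursive
`mount --bind` whose source has mounts nested under it, because that would
detach them and expose whatever the nested mounts were hiding.  This helper
parses /proc/self/mountinfo format and lists the mounts that would be
detached.  Added example, not code from the original Stack Exchange post."""
from typing import List, Tuple

# Constructed /proc/self/mountinfo excerpt (not captured from a real host).
# Fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
SAMPLE_MOUNTINFO = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:2 - proc proc rw
24 22 0:5 / /sys rw,nosuid,nodev,noexec,relatime shared:3 - sysfs sysfs rw
25 22 0:6 / /tmp rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
26 23 0:22 / /proc/sys/fs/binfmt_misc rw,relatime shared:5 - binfmt_misc binfmt_misc rw
"""


def _unescape(field: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\040 \\011 \\012 \\134."""
    for code, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(code, ch)
    return field


def parse_mountinfo(text: str) -> List[Tuple[str, str]]:
    """Return [(mountpoint, fstype), ...] in table order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        sep = fields.index("-")  # the lone "-" separates optional fields from fstype
        entries.append((_unescape(fields[4]), fields[sep + 1]))
    return entries


def mounts_under(text: str, path: str) -> List[Tuple[str, str]]:
    """Mounts whose mount point lies strictly below `path`: the ones a plain
    `mount --bind path dst` would leave behind.  Mounts hidden by a later
    overmount are still listed by mountinfo, so they are over-reported here."""
    base = path.rstrip("/") + "/"  # "/" stays "/", "/proc" becomes "/proc/"
    return sorted((mp, fs) for mp, fs in parse_mountinfo(text)
                  if mp.startswith(base) and mp != "/")


def bind_flag(text: str, path: str) -> str:
    """'--rbind' if bind-mounting `path` must carry nested mounts along, else '--bind'."""
    return "--rbind" if mounts_under(text, path) else "--bind"


if __name__ == "__main__":
    for p in ("/", "/tmp", "/root", "/proc"):
        print(f"unshare -rm mount {bind_flag(SAMPLE_MOUNTINFO, p)} {p} /mnt"
              f"  # nested: {[mp for mp, _ in mounts_under(SAMPLE_MOUNTINFO, p)]}")
```

On a live system, pass the contents of /proc/self/mountinfo as `text` to see which of your own bind sources would be refused without --rbind.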