Why do I get permission denied when using unshare?
I'm exploring the namespace feature of the Linux kernel, using Arch Linux. But I got some messages whose reasons I can't explain; could anyone explain them to me?

xtricman⚓ArchVirtual⏺️~🤐export LANG=en_US.UTF-8
xtricman⚓ArchVirtual⏺️~🤐unshare --propagation private -r bash
Could not get property: Access denied
root⚓⏺️~🤐mount -o remount,ro /
mount: /: permission denied.

Based on the ArchWiki, I CAN create a user namespace using my normal account, and I do, but why do I get the "Could not get property: Access denied" message?

Based on the manpage, the newly created bash process has full capabilities in the new namespace, so why do I get the "permission denied" message when I try to mount? Is there anything related to file capabilities? How can I check the current capabilities the current bash process has?
linux-kernel namespace capabilities
edited Nov 20 '18 at 6:52
炸鱼薯条德里克

asked Nov 20 '18 at 6:42
炸鱼薯条德里克
1 Answer
The command you are trying to run would change the root filesystem to read-only. It would affect things outside the namespace as well. So you do not have permission.

You only want to change one specific mount, the mount inside the namespace. Use this command:

mount -o remount,bind,ro /
• Why? Shouldn't the new shell run in a separate mount namespace? What do bind and remount in the same mount command in your answer mean?
  – 炸鱼薯条德里克
  Mar 27 at 13:00

• @炸鱼薯条德里克 there is only one instance of the filesystem. (This is sometimes referred to as a superblock.) Otherwise, how would a mount option like journal_dev= work? The ro option applies to the underlying filesystem, unless bind is passed in the same command.
  – sourcejedi
  Mar 27 at 13:27

• I said mount namespace, not filesystem; shouldn't it be a completely separate mount, even though the mounted filesystem is the same one? Shouldn't read-only be a property of a mount instead of a filesystem?
  – 炸鱼薯条德里克
  Mar 27 at 13:31

• Did you mean people are not able to create two mounts for the same filesystem, one rw and another ro?
  – 炸鱼薯条德里克
  Mar 27 at 13:33

• @炸鱼薯条德里克 the root mount inside the namespace is exactly equivalent to a bind mount of the root outside the namespace. And bind mounts can be made read-only without making the original read-only. But also know that the kernel does not keep any track of which mount is a bind mount and which mount was "original". Hence you can do remount,bind,... on any mount.
  – sourcejedi
  Mar 27 at 14:09
edited Mar 27 at 15:59
answered Mar 27 at 10:45
sourcejedi