Why do I get permission denied when using unshare?
I'm exploring the namespace feature of the Linux kernel, using Arch Linux. But I got some messages whose reason I can't explain; could anyone explain them to me?

    xtricman⚓ArchVirtual⏺️~🤐export LANG=en_US.UTF-8
    xtricman⚓ArchVirtual⏺️~🤐unshare --propagation private -r bash
    Could not get property: Access denied
    root⚓⏺️~🤐mount -o remount,ro /
    mount: /: permission denied.

Based on the ArchWiki, I CAN create a user namespace using my normal account, and I do, but why do I get the "Could not get property: Access denied" message?

Based on the man page, the newly created bash process has full capabilities in the new namespace, so why do I get the "permission denied" message when I try to mount? Is there anything related to file capabilities? How can I check the capabilities the current bash process has?

Tags: linux-kernel, namespace, capabilities
asked Nov 20 '18 at 6:42 by 炸鱼薯条德里克, edited Nov 20 '18 at 6:52
1 Answer
The command you are trying to run would change the root filesystem to read-only. It would affect things outside the namespace as well. So you do not have permission.

You only want to change one specific mount, the mount inside the namespace. Use this command:

    mount -o remount,bind,ro /
answered Mar 27 at 10:45 by sourcejedi, edited Mar 27 at 15:59
Why? Shouldn't the new shell run in a separate mount namespace? What do the bind and remount in the same mount command in your answer mean? – 炸鱼薯条德里克, Mar 27 at 13:00

@炸鱼薯条德里克 there is only one instance of the filesystem. (This is sometimes referred to as a superblock.) Otherwise, how would a mount option like `journal_dev=` work? The `ro` option applies to the underlying filesystem, unless `bind` is passed in the same command. – sourcejedi, Mar 27 at 13:27

I said mount namespace, not filesystem; shouldn't it be completely another mount, although the mounted filesystem is the same one? Shouldn't read-only be a property of a mount instead of a filesystem? – 炸鱼薯条德里克, Mar 27 at 13:31

Did you mean people are not able to create two mounts for the same filesystem, one rw and another ro? – 炸鱼薯条德里克, Mar 27 at 13:33

@炸鱼薯条德里克 the root mount inside the namespace is exactly equivalent to a bind mount of the root outside the namespace. And bind mounts can be made read-only without making the original read-only. But also know that the kernel does not keep any track of which mount is a bind mount and which mount was "original". Hence you can do `remount,bind,...` on any mount. – sourcejedi, Mar 27 at 14:09
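As an added example (not code from the question, the answer or the comments above), the following Python script covers both the question's "how can I check the capabilities of this bash process" and the answer's point about per-mount versus superblock flags: it decodes the CapEff mask from /proc/<pid>/status, and it parses /proc/self/mountinfo so you can see that `remount,bind,ro` sets the `ro` flag on the mount (field 6) while the superblock options after the " - " separator, which are shared with the host, stay `rw`. The status and mountinfo lines in the script are constructed sample data.

```python
# Added example, not code from the question or the answer above.
# decode_caps / caps_from_status read the CapEff mask from /proc/<pid>/status
# (how to check which capabilities this bash holds). parse_mountinfo splits a
# /proc/self/mountinfo line into per-mount options (field 6) and superblock
# options (after " - "): `remount,bind,ro` sets only the per-mount flag, while
# plain `remount,ro` would alter the superblock shared with the host namespace.
# All status and mountinfo lines below are constructed sample data.

# Capability bit order from linux/capability.h (bits 0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

def decode_caps(hexmask):
    """Turn a hex capability mask into the list of set capability names."""
    mask = int(hexmask, 16)
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(mask.bit_length()) if (mask >> i) & 1]

def caps_from_status(status_text, field="CapEff"):
    """Pick one Cap* field out of the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return decode_caps(line.split(":", 1)[1].strip())
    raise KeyError(field)

def parse_mountinfo(text):
    """Map mount point -> (per-mount option set, superblock option set)."""
    mounts = {}
    for line in filter(None, text.splitlines()):
        before, _, after = line.partition(" - ")
        fields = before.split()          # mount point is field 5, options 6
        sb_opts = after.split()[2]       # fstype, source, then super options
        mounts[fields[4]] = (set(fields[5].split(",")), set(sb_opts.split(",")))
    return mounts

def mount_is_readonly(mounts, mount_point):
    """Writes fail if either the mount or its superblock is read-only."""
    mnt_opts, sb_opts = mounts[mount_point]
    return "ro" in mnt_opts or "ro" in sb_opts

# Constructed: what `unshare -r bash` sees in /proc/self/status. Inside its
# own user namespace it holds every capability (41 bits on kernels >= 5.9).
STATUS_IN_USERNS = "Name:\tbash\nCapEff:\t000001ffffffffff\n"
# Constructed: the root mount of the new namespace before and after
# `mount -o remount,bind,ro /`. Only field 6 changes; the superblock stays rw.
MOUNTINFO_BEFORE = "24 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro"
MOUNTINFO_AFTER = "24 1 8:1 / / ro,relatime - ext4 /dev/sda1 rw,errors=remount-ro"

if __name__ == "__main__":
    print("effective caps:", caps_from_status(STATUS_IN_USERNS))
    for label, info in (("before", MOUNTINFO_BEFORE), ("after", MOUNTINFO_AFTER)):
        print(label, "readonly:", mount_is_readonly(parse_mountinfo(info), "/"))
```

On a live system, feed `open("/proc/self/status").read()` and `open("/proc/self/mountinfo").read()` to the same functions from inside the `unshare -r bash` shell to compare the two states yourself.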