Ttyjfyk

Which models of the Boeing 737 are still in production?

The Clique vs. Independent Set Problem

Why not use SQL instead of GraphQL?

a relationship between local compactness and closure

Is it unprofessional to ask if a job posting on GlassDoor is real?

Modeling an IP Address

How does strength of boric acid solution increase in presence of salicylic acid?

What do the dots in this tr command do: tr .............A-Z A-ZA-Z <<< "JVPQBOV" (with 13 dots)

Why is Minecraft giving an OpenGL error?

Can an x86 CPU running in real mode be considered to be basically an 8086 CPU?

Is it possible to do 50 km distance without any previous training?

Why can't I see bouncing of a switch on an oscilloscope?

How can I make my BBEG immortal short of making them a Lich or Vampire?

How can I prevent hyper evolved versions of regular creatures from wiping out their cousins?

Why is consensus so controversial in Britain?

What are these boxed doors outside store fronts in New York?

What's the output of a record cartridge playing an out-of-speed record

Is it legal for company to use my work email to pretend I still work there?

Fully-Firstable Anagram Sets

Can I ask the recruiters in my resume to put the reason why I am rejected?

When a company launches a new product do they "come out" with a new product or do they "come up" with a new product?

Today is the Center

How to calculate partition Start End Sector?

Is it important to consider tone, melody, and musical form while writing a song?

Why do I get permission denied when using unshare?

net.ipv4.conf.all.mc_forwarding: why is my access denied?When does a new system call get added to Linux?Linux resume when using multiple swap partitionslinux-firmware_1.157.10 installation error: “cannot remove '/lib/firmware/brcm/brcmfmac43362-sdio.bin': Permission denied. ”When using setcap, where is the permission stored?Why does unshare based killing only work reliably with --fork?`umount -R` on bind mounts takes a non-neglible amount of time, why?Disabling/Re-enabling cores via kernel in Threadripper/EPYC systemsWith Linux user namespaces, why can clone() mount /proc, but unshare() cannot?Give root's permission to restricted user using PAM and Linux capabilities

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

1

I'm exploring the namespace feature of linux kernel, using Archlinux. But I got some message that I can't explain the reason, could anyone explain them to me?

xtricman⚓ArchVirtual⏺️~🤐export LANG=en_US.UTF-8
xtricman⚓ArchVirtual⏺️~🤐unshare --propagation private -r bash
Could not get property: Access denied
root⚓⏺️~🤐mount -o remount,ro /
mount: /: permission denied.

Based on ArchWiki, I CAN create an user namespace using my normal account, and I do, but Why do I get the Could not get property: Access denied message?

Based on manpage, Newly created bash process has full capability in the new namespace, so why do I get the "permission denied" message when I tried to do mount? Is there anything related with file capability? How can I check the current capabilities the current bash process have?

linux-kernel namespace capabilities

share|improve this question

edited Nov 20 '18 at 6:52

炸鱼薯条德里克

asked Nov 20 '18 at 6:42

炸鱼薯条德里克炸鱼薯条德里克

6021317

add a comment | 

1

I'm exploring the namespace feature of linux kernel, using Archlinux. But I got some message that I can't explain the reason, could anyone explain them to me?

xtricman⚓ArchVirtual⏺️~🤐export LANG=en_US.UTF-8
xtricman⚓ArchVirtual⏺️~🤐unshare --propagation private -r bash
Could not get property: Access denied
root⚓⏺️~🤐mount -o remount,ro /
mount: /: permission denied.

Based on ArchWiki, I CAN create an user namespace using my normal account, and I do, but Why do I get the Could not get property: Access denied message?

Based on manpage, Newly created bash process has full capability in the new namespace, so why do I get the "permission denied" message when I tried to do mount? Is there anything related with file capability? How can I check the current capabilities the current bash process have?

linux-kernel namespace capabilities

share|improve this question

edited Nov 20 '18 at 6:52

炸鱼薯条德里克

asked Nov 20 '18 at 6:42

炸鱼薯条德里克炸鱼薯条德里克

6021317

add a comment | 

I'm exploring the namespace feature of linux kernel, using Archlinux. But I got some message that I can't explain the reason, could anyone explain them to me?

xtricman⚓ArchVirtual⏺️~🤐export LANG=en_US.UTF-8
xtricman⚓ArchVirtual⏺️~🤐unshare --propagation private -r bash
Could not get property: Access denied
root⚓⏺️~🤐mount -o remount,ro /
mount: /: permission denied.

Based on ArchWiki, I CAN create an user namespace using my normal account, and I do, but Why do I get the Could not get property: Access denied message?

Based on manpage, Newly created bash process has full capability in the new namespace, so why do I get the "permission denied" message when I tried to do mount? Is there anything related with file capability? How can I check the current capabilities the current bash process have?

linux-kernel namespace capabilities

share|improve this question

edited Nov 20 '18 at 6:52

炸鱼薯条德里克

asked Nov 20 '18 at 6:42

炸鱼薯条德里克炸鱼薯条德里克

6021317

xtricman⚓ArchVirtual⏺️~🤐export LANG=en_US.UTF-8
xtricman⚓ArchVirtual⏺️~🤐unshare --propagation private -r bash
Could not get property: Access denied
root⚓⏺️~🤐mount -o remount,ro /
mount: /: permission denied.

share|improve this question

edited Nov 20 '18 at 6:52

炸鱼薯条德里克

asked Nov 20 '18 at 6:42

炸鱼薯条德里克炸鱼薯条德里克

6021317

share|improve this question

edited Nov 20 '18 at 6:52

炸鱼薯条德里克

asked Nov 20 '18 at 6:42

炸鱼薯条德里克炸鱼薯条德里克

6021317

asked Nov 20 '18 at 6:42

炸鱼薯条德里克炸鱼薯条德里克

6021317

asked Nov 20 '18 at 6:42

炸鱼薯条德里克炸鱼薯条德里克

6021317

1 Answer
1

active

oldest

votes

1

The command you are trying to run would change the root filesystem to read-only. It would affect outside the namespace as well. So you do not have permission.

You only want to change one specific mount, the mount inside the namespace. Use this command:

mount -o remount,bind,ro /

share|improve this answer

edited Mar 27 at 15:59

answered Mar 27 at 10:45

sourcejedisourcejedi

25.7k445113

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Why? Shouldn't the new shell run in a separate mount namespace? What does the bind and remount in the same mount command in your answer mean?
  
  – 炸鱼薯条德里克
  Mar 27 at 13:00
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @炸鱼薯条德里克 there is only one instance of the filesystem. (This is sometimes referred to as a superblock). Otherwise, how would a mount option like journal_dev= work? The ro option applies to the underlying filesystem, unless bind is passed in the same command.
  
  – sourcejedi
  Mar 27 at 13:27
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I said, mount namespace, not filesystem, shouldn't it be completely another mount, although the mounted filesystem is the same one? Shouldn't read-only a property of a mount instead of a filesystem?
  
  – 炸鱼薯条德里克
  Mar 27 at 13:31
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Did you mean people are not able to create two mounts for the same filesystem, one is rw and another is ro?
  
  – 炸鱼薯条德里克
  Mar 27 at 13:33
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @炸鱼薯条德里克 the root mount inside the namespace is exactly equivalent to a bind mount of the root outside the namespace. And bind mounts can be made readonly without making the original readonly. But, also know that the kernel does not keep any track of which mount is a bind mount and which mount was "original". Hence you can do remount,bind,... on any mount.
  
  – sourcejedi
  Mar 27 at 14:09
  

  
  
  
  

 | 
show 2 more comments

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f482894%2fwhy-do-i-get-permission-denied-when-using-unshare%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

1

The command you are trying to run would change the root filesystem to read-only. It would affect outside the namespace as well. So you do not have permission.

You only want to change one specific mount, the mount inside the namespace. Use this command:

mount -o remount,bind,ro /

share|improve this answer

edited Mar 27 at 15:59

answered Mar 27 at 10:45

sourcejedisourcejedi

25.7k445113

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Why? Shouldn't the new shell run in a separate mount namespace? What does the bind and remount in the same mount command in your answer mean?
  
  – 炸鱼薯条德里克
  Mar 27 at 13:00
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @炸鱼薯条德里克 there is only one instance of the filesystem. (This is sometimes referred to as a superblock). Otherwise, how would a mount option like journal_dev= work? The ro option applies to the underlying filesystem, unless bind is passed in the same command.
  
  – sourcejedi
  Mar 27 at 13:27
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I said, mount namespace, not filesystem, shouldn't it be completely another mount, although the mounted filesystem is the same one? Shouldn't read-only a property of a mount instead of a filesystem?
  
  – 炸鱼薯条德里克
  Mar 27 at 13:31
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Did you mean people are not able to create two mounts for the same filesystem, one is rw and another is ro?
  
  – 炸鱼薯条德里克
  Mar 27 at 13:33
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @炸鱼薯条德里克 the root mount inside the namespace is exactly equivalent to a bind mount of the root outside the namespace. And bind mounts can be made readonly without making the original readonly. But, also know that the kernel does not keep any track of which mount is a bind mount and which mount was "original". Hence you can do remount,bind,... on any mount.
  
  – sourcejedi
  Mar 27 at 14:09
  

  
  
  
  

 | 
show 2 more comments

1

The command you are trying to run would change the root filesystem to read-only. It would affect outside the namespace as well. So you do not have permission.

You only want to change one specific mount, the mount inside the namespace. Use this command:

mount -o remount,bind,ro /

share|improve this answer

edited Mar 27 at 15:59

answered Mar 27 at 10:45

sourcejedisourcejedi

25.7k445113

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Why? Shouldn't the new shell run in a separate mount namespace? What does the bind and remount in the same mount command in your answer mean?
  
  – 炸鱼薯条德里克
  Mar 27 at 13:00
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @炸鱼薯条德里克 there is only one instance of the filesystem. (This is sometimes referred to as a superblock). Otherwise, how would a mount option like journal_dev= work? The ro option applies to the underlying filesystem, unless bind is passed in the same command.
  
  – sourcejedi
  Mar 27 at 13:27
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  I said, mount namespace, not filesystem, shouldn't it be completely another mount, although the mounted filesystem is the same one? Shouldn't read-only a property of a mount instead of a filesystem?
  
  – 炸鱼薯条德里克
  Mar 27 at 13:31
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Did you mean people are not able to create two mounts for the same filesystem, one is rw and another is ro?
  
  – 炸鱼薯条德里克
  Mar 27 at 13:33
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @炸鱼薯条德里克 the root mount inside the namespace is exactly equivalent to a bind mount of the root outside the namespace. And bind mounts can be made readonly without making the original readonly. But, also know that the kernel does not keep any track of which mount is a bind mount and which mount was "original". Hence you can do remount,bind,... on any mount.
  
  – sourcejedi
  Mar 27 at 14:09
  

  
  
  
  

 | 
show 2 more comments

The command you are trying to run would change the root filesystem to read-only. It would affect outside the namespace as well. So you do not have permission.

You only want to change one specific mount, the mount inside the namespace. Use this command:

mount -o remount,bind,ro /

share|improve this answer

edited Mar 27 at 15:59

answered Mar 27 at 10:45

sourcejedisourcejedi

25.7k445113

mount -o remount,bind,ro /

share|improve this answer

edited Mar 27 at 15:59

answered Mar 27 at 10:45

sourcejedisourcejedi

25.7k445113

answered Mar 27 at 10:45

sourcejedisourcejedi

25.7k445113

answered Mar 27 at 10:45

sourcejedisourcejedi

25.7k445113