Subject: bug#46292: more info
To: 46292@debbugs.gnu.org
Date: Wed, 10 Feb 2021 07:04:03 +0100
From: Lucas Nussbaum
Message-ID: <20210210060403.GA15175@xanadu.blop.info>
List-Id: Bug reports for GNU Guix

Hi,

This is not due to NFS, but due to the fact that the NFS mount is mounted nosuid (and nodev, probably).
I can reproduce it on a local filesystem mounted nosuid. It seems that, when remounting a bind mount which is originally nosuid inside a mount ns, you need to explicitly specify the nosuid option, or else can_change_locked_flags()[1] will return false.

[1] https://github.com/torvalds/linux/blame/master/fs/namespace.c#L2480

There's a concept of "locked mount flags" that cannot be cleared by a less privileged user (see [2]). Our call to 'mount -o remount' ignores the fact that the filesystem is mounted nosuid (and does not include this flag), so the remount call tries to remove nosuid, and fails.

[2] https://github.com/torvalds/linux/commit/9566d6742852c527bf5af38af5cbb878dad75705

This probably needs to be fixed in Guix by fetching the current mount flags and including them in the bind+remount+readonly call.

Unfortunately I did not find an easy way to convert mount flags in /proc/$$/mountinfo to flags for the mount syscall...

Lucas
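
On the last point of the message above (turning mountinfo options into mount(2) flags), an added example that is not part of the original message or of Guix's code: it parses the per-mount options (field 6) of a /proc/self/mountinfo line into MS_* bits and re-states them in the read-only bind remount. The function names and the sample line are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

/* Constructed sample line: a bind mount at /mnt that carries nosuid and nodev. */
const char sample_line[] = "71 29 8:2 /srv /mnt rw,nosuid,nodev,relatime shared:1 - ext4 /dev/sda2 rw";

/* Per-mount option names as they appear in field 6 of a mountinfo line. */
static const struct { const char *name; unsigned long flag; } opt_map[] = {
    { "ro", MS_RDONLY }, { "nosuid", MS_NOSUID }, { "nodev", MS_NODEV },
    { "noexec", MS_NOEXEC }, { "noatime", MS_NOATIME },
    { "nodiratime", MS_NODIRATIME }, { "relatime", MS_RELATIME },
};

/* Comma-separated option list -> MS_* bits; names not in the map ("rw") are skipped. */
unsigned long options_to_flags(const char *opts)
{
    unsigned long flags = 0;
    while (*opts) {
        size_t len = strcspn(opts, ",");
        for (size_t i = 0; i < sizeof opt_map / sizeof opt_map[0]; i++)
            if (strlen(opt_map[i].name) == len && !strncmp(opts, opt_map[i].name, len))
                flags |= opt_map[i].flag;
        opts += len + (opts[len] == ',');
    }
    return flags;
}

/* MS_* bits of one mountinfo line if its mount point (field 5) is `target`, else -1. */
long mountinfo_line_flags(const char *line, const char *target)
{
    char point[4096], opts[512];
    if (sscanf(line, "%*s %*s %*s %*s %4095s %511s", point, opts) != 2) return -1;
    return strcmp(point, target) == 0 ? (long)options_to_flags(opts) : -1;
}

/* Read-only bind remount that re-states the flags already set on `target`.
   Assumes `target` contains no characters that mountinfo escapes (e.g. spaces). */
int remount_readonly_keeping_flags(const char *target)
{
    char line[8192];
    long flags = -1, found;
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if ((found = mountinfo_line_flags(line, target)) >= 0)
            flags = found;  /* assumption: the last matching line is the visible mount */
    fclose(f);
    return flags < 0 ? -1 : mount("none", target, NULL,
                                  MS_BIND | MS_REMOUNT | MS_RDONLY | (unsigned long)flags, NULL);
}
```

`remount_readonly_keeping_flags()` needs mount privileges in the current mount namespace; the two parsing functions can be exercised without any.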