Hi Lucas, Lucas Nussbaum skribis: > This is not due to NFS, but due to the fact that the NFS mount is > mounted nosuid (and nodev, probably). I can reproduce it on a local > filesystem mounted nosuid. > > It seems that, when remounting a bind mount which is originally nosuid > inside a mount ns, you need to specify explicitely the nosuid option, or > else can_change_locked_flags()[1] will return false. > > [1] https://github.com/torvalds/linux/blame/master/fs/namespace.c#L2480 > > There's a concept of "locked mount flags" that cannot be cleared by a > less privileged user (see [2]). Our call to 'mount -o remount' ignores the > fact that the filesystem is mounted nosuid (and does not include this > flag), so the remount call tries to remove nosuid, and fails. > > [2] https://github.com/torvalds/linux/commit/9566d6742852c527bf5af38af5cbb878dad75705 Ooh, thanks for investigating! > This probably needs to be fixed in Guix by fetching the current mount > flags and including them in the bind+remount+readonly call. > Unfortunately I did not find an easy way to convert mount flags in > /proc/$$/mountinfo to flags for the mount syscall... I tried grabbing mount options from there and reapplying them to the MS_REMOUNT call (patch below). However, that still doesn’t work: --8<---------------cut here---------------start------------->8--- 14273 mount("/gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", "/tmp/guix-directory.Plgkgt//gnu/store/mmhimfwmmidf09jw1plw3aw1g1zn2nkh-bash-static-5.0.16", 0x236a4b0, MS_RDONLY|MS_REMOUNT|MS_BIND, "rw,nosuid,nodev,relatime") = -1 EPERM (Operation not permitted) --8<---------------cut here---------------end--------------->8--- Interestingly, the ‘mount’ command does not attempt to re-apply the original mount options (“nosuid” & co.): --8<---------------cut here---------------start------------->8--- # strace -e mount mount --bind -o ro t m mount("/home/lcourtes/t", "/home/lcourtes/m", 0x564dde270cb0, MS_RDONLY|MS_BIND, NULL) = 0 mount("none", "/home/lcourtes/m", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = -1 EPERM (Operation not permitted) mount: /home/lcourtes/m: filesystem was mounted, but any subsequent operation failed: Unknown error 5005. +++ exited with 32 +++ # mount --version mount from util-linux 2.33.1 (libmount 2.33.1: selinux, smack, btrfs, namespaces, assert, debug) --8<---------------cut here---------------end--------------->8--- To be continued… Ludo’.