While messing around with unshare, I stumbled on the following behavior in an unprivileged shell:
foo@pc $ id foo
uid=1000(foo) gid=1000(foo) groups=1000(foo),27(video),97(input)
foo@pc $ unshare -r -m bash
root@pc # mkdir /tmp/somedir
root@pc # mount -t tmpfs -o size=50M none /tmp/somedir
root@pc # mount | grep somedir
none on /tmp/somedir type tmpfs (rw,relatime,size=51200k,uid=1000,gid=1000)
I was surprised that mount actually worked, since it has been run with a "faked" root user due to the -r option of unshare.
This seems to happen only for TMPFS, trying to mount anything else seems to properly fail.
Also if I remove the -m option which preserves the parent's mount namespace, mounting fails as expected:
mount: /tmp/somedir: permission denied.
mount_namespaces(7) doesn't describe anything particular related to TMPFS.
Why was I able to mount that TMPFS while my real user id is an unprivileged one? Why does unsharing the mount namespace allow this mount?
This is on an x86_64 Gentoo, with a 4.19.27 Linux kernel.
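As an added example (not part of the question above), the following POSIX shell script repeats the experiment for several filesystem types inside unshare -r -m, so an administrator can see which mounts an unprivileged user on a given host is allowed to perform, and it prints the user-namespace sysctls that govern this. The function names probe_fs_mount and userns_policy are my own; each mount is done in a throw-away mount namespace and unmounted again, so the parent's mount table is never touched.

```shell
#!/bin/sh
# Added example, not from the original post: probe which filesystem types an
# unprivileged user can mount from within a fresh user+mount namespace.

# probe_fs_mount TYPE -> prints "mounted", "failed" or "unavailable"
probe_fs_mount() {
    fstype="$1"
    # unshare missing, or user namespaces disabled by policy: cannot test
    command -v unshare >/dev/null 2>&1 || { echo unavailable; return 0; }
    unshare -r true 2>/dev/null || { echo unavailable; return 0; }
    # The child gets its own mount namespace (-m) and a mapped "root" (-r),
    # exactly like the interactive session above; the mount dies with it.
    if unshare -r -m sh -c '
        d=$(mktemp -d) || exit 2
        if mount -t "$1" none "$d" 2>/dev/null; then
            umount "$d"; rmdir "$d"; exit 0
        fi
        rmdir "$d"; exit 1
    ' probe "$fstype"; then
        echo mounted
    else
        echo failed
    fi
}

# userns_policy -> prints the sysctls that control unprivileged user namespaces
# (the second knob only exists on some distribution kernels, e.g. Debian/Arch)
userns_policy() {
    for f in /proc/sys/user/max_user_namespaces \
             /proc/sys/kernel/unprivileged_userns_clone; do
        [ -r "$f" ] && printf '%s = %s\n' "$f" "$(cat "$f")"
    done
    return 0
}

# Report: on a typical kernel tmpfs and ramfs mount, while types that need
# ownership of other namespaces (sysfs) or a block device do not.
userns_policy
for t in tmpfs ramfs proc sysfs; do
    printf '%-6s: %s\n' "$t" "$(probe_fs_mount "$t")"
done
```

Run it as the unprivileged user in question; "unavailable" means the host blocks unprivileged user namespaces altogether, which is the coarse-grained way to prevent such mounts.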