2001-10-14 15:59:09

by Ville Herva

Subject: mount --bind and -o [re: nosuid/noexec/nodev handling]

On 2001-09-12 17:30:22 you wrote:
>
> nosuid, noexec and nodev are made vfsmount flags (instead of
> superblock ones). Places that used to check them switched to checking
> vfsmount->mnt_flags. get_filesystem_info() updated, ditto for
> do_add_mount() and do_remount().
>
> As the result, these flags are per-mountpoint now. E.g. we can turn them
> on and off for arbitrary subtree:
>
> mount --bind /home/luser /home/luser
> mount -o remount,noexec /home/luser
>
> will turn noexec on for subtree at /home/luser without affecting the rest
> of /home. Another obvious application is mounting a filesystem nosuid for
> a chroot jail and normally outside of it, yadda, yadda.
>
> Patch is completely straightforward. Works here and it had been in ac for
> a month (i.e. since 2.4.8-ac2). Please, apply.

Ummh, is there a reason for this behaviour?

$ mount --bind -o noexec /bin /home/sftp/bin
$ mount
(...)
/bin on /home/sftp/bin type none (rw,noexec,bind)
$ cd /home/sftp/bin
$ ./uname -a
Linux babbage 2.4.10-ac10 #4 SMP Wed Oct 10 11:39:11 EEST 2001 i686 unknown
$ mount -o remount,noexec /home/sftp/bin
$ mount
(...)
/bin on /home/sftp/bin type none (rw,noexec,bind)
$ ./uname -a
zsh: permission denied: ./uname

That seems like a bug to me. At very least, mount shouldn't report noexec if
the mount point isn't. Or am I missing something?

Further:

$ mount --bind -o ro /bin /home/sftp/bin
$ mount -o remount,ro,nosuid /home/sftp/bin
mount: /home/sftp/bin is busy
$ mount
(...)
/bin on /home/sftp/bin type none (ro,bind)
$ cd /home/sftp/bin
$ touch asdakhsdhdh
$ ls asdakhsdhdh
asdakhsdhdh

So I suppose ro (umask, some others as well) is not supported for --bind
mounted mount points? Would it be possible to have mount report an error if
non-functional -o options are passed to it?

And btw, thanks. --bind is a damn cool feature to have.


-- v --

[email protected]


2001-10-14 16:05:50

by Alexander Viro

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]



On Sun, 14 Oct 2001, Ville Herva wrote:

> Ummh, is there a reason for this behaviour?
>
> $ mount --bind -o noexec /bin /home/sftp/bin

Broken - mount --bind ignores flags. Create a binding, then remount it.
IOW, two mount(2) calls are needed.

2001-10-14 16:14:34

by Ville Herva

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]

On Sun, Oct 14, 2001 at 12:06:02PM -0400, you [Alexander Viro] claimed:
>
>
> On Sun, 14 Oct 2001, Ville Herva wrote:
>
> > Ummh, is there a reason for this behaviour?
> >
> > $ mount --bind -o noexec /bin /home/sftp/bin
>
> Broken - mount --bind ignores flags. Create a binding, then remount it.
> IOW, two mount(2) calls are needed.

Ok.

And -o ro does not work with --bind at all, am I correct?

BTW, I just managed to get a mount process into an unkillable (-9) state
while playing with --bind. You might be uninterested in details if I can
figure out how to reproduce it?


-- v --

[email protected]

2001-10-14 16:20:24

by Alexander Viro

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]



On Sun, 14 Oct 2001, Ville Herva wrote:

> BTW, I just managed to get a mount process into an unkillable (-9) state
> while playing with --bind. You might be uninterested in details if I can
> figure out how to reproduce it?

I would be _very_ interested in details. A word of warning, though -
/proc/mounts is b0rken. If its output grows beyond 4Kb (no matter what
had caused that - lots of NFS mounts, many bindings, etc.) it silently
truncates the output. Result: deeply confused umount -a.

I'll post the fix as soon as I finish it. For now too many mountpoints
of any description == confused df and umount -a.

2001-10-14 16:22:44

by Ville Herva

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]

On Sun, Oct 14, 2001 at 12:06:02PM -0400, you [Alexander Viro] claimed:
>
>
> On Sun, 14 Oct 2001, Ville Herva wrote:
>
> > Ummh, is there a reason for this behaviour?
> >
> > $ mount --bind -o noexec /bin /home/sftp/bin
>
> Broken - mount --bind ignores flags. Create a binding, then remount it.
> IOW, two mount(2) calls are needed.

FYI, this causes the last mount process to hang in D state (kill -KILL does
not affect it):

$ mount --bind -o nosuid,noexec,ro /bin /tmp/test
$ mount --bind -o nosuid,noexec,ro /bin /tmp/test
$ mount --bind -o remount,nosuid,noexec,ro /tmp/test

This is 2.4.10-ac10.


-- v --

[email protected]

2001-10-14 16:29:44

by Alexander Viro

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]



On Sun, 14 Oct 2001, Ville Herva wrote:

> FYI, this causes the last mount process to hang in D state (kill -KILL does
> not affect it):
>
> $ mount --bind -o nosuid,noexec,ro /bin /tmp/test
> $ mount --bind -o nosuid,noexec,ro /bin /tmp/test
> $ mount --bind -o remount,nosuid,noexec,ro /tmp/test

What version of mount(8)? Or, better yet, how about
strace -e trace=mount,umount
of the whole thing?

2001-10-14 17:10:11

by Ville Herva

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]

On Sun, Oct 14, 2001 at 12:20:34PM -0400, you [Alexander Viro] claimed:
>
>
> On Sun, 14 Oct 2001, Ville Herva wrote:
>
> > BTW, I just managed to get a mount process into an unkillable (-9) state
> > while playing with --bind. You might be uninterested in details if I can
> > figure out how to reproduce it?
>
> I would be _very_ interested in details. A word of warning, though -
> /proc/mounts is b0rken. If its output grows beyond 4Kb (no matter what
> had caused that - lots of NFS mounts, many bindings, etc.) it silently
> truncates the output. Result: deeply confused umount -a.
>
> I'll post the fix as soon as I finish it. For now too many mountpoints
> of any description == confused df and umount -a.

$ wc -c /proc/mounts
663 /proc/mounts

In this case /proc/mounts seems not to be the problem. Also, mount output
is sane and further mount commands succeed.


-- v --

[email protected]

2001-10-14 17:23:41

by Ville Herva

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]

On Sun, 14 Oct 2001, Ville Herva wrote:
>
> $ mount --bind -o nosuid,noexec,ro /bin /tmp/test
> $ mount --bind -o nosuid,noexec,ro /bin /tmp/test
> $ mount --bind -o remount,nosuid,noexec,ro /tmp/test

Ignore that, sorry.

For simplicity's sake, I changed the dirs in the above example. In reality
the situation was more like this:

/mnt1 and /mnt2 are separate fs's.

/mnt2/test1 is symlink to /mnt1/directory

then

mount --bind -o ro /mnt2/test1 /mnt2/test2
mount --bind -o remount,ro /mnt2/test2

but it seems I'm no longer able to duplicate that either. (The reason I was
able to duplicate it in the first place was probably that the first hanging
mount process kept /mnt2/test1 somehow busy and I retried with mount --bind
-o ro /mnt2/test1 /mnt2/test3.)

I'll drop you a note if I figure out how to reproduce it.

BTW: This should be reproducible (for what it's worth):

$ mount
(...)
/dev/hde1 on /mnt/ext2-2 type reiserfs (rw,noatime,nodiratime)
$ touch /mnt/ext2-2/a
$ rm /mnt/ext2-2/a
$ mount --bind -o ro /mnt/ext2-2 /tmp/test
$ mount --bind -o remount,ro /tmp/test
$ mount
(...)
/dev/hde1 on /mnt/ext2-2 type reiserfs (rw,noatime,nodiratime)
/mnt/ext2-2 on /tmp/test type none (ro,bind)
$ touch /mnt/ext2-2/a
touch: /mnt/ext2-2/a: Read-only file system
$ umount /tmp/test
$ mount
(...)
/dev/hde1 on /mnt/ext2-2 type reiserfs (rw,noatime,nodiratime)
$ touch /mnt/ext2-2/a
touch: /mnt/ext2-2/a: Read-only file system
$ mount -o remount,rw /mnt/ext2-2
$ touch /mnt/ext2-2/a


-- v --

[email protected]

2001-10-14 17:32:21

by Alexander Viro

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]



On Sun, 14 Oct 2001, Ville Herva wrote:

> $ mount --bind -o ro /mnt/ext2-2 /tmp/test

i.e.
mount --bind /mnt/ext2-2 /tmp/test

> $ mount --bind -o remount,ro /tmp/test

i.e.
mount -o remount,ro /tmp/test

> $ mount
> (...)
> /dev/hde1 on /mnt/ext2-2 type reiserfs (rw,noatime,nodiratime)
> /mnt/ext2-2 on /tmp/test type none (ro,bind)

Confused mount(8) - apparently uses /etc/mtab and doesn't manage to deduce
the changes done by remounting (/etc/mtab is maintained by userland;
/proc/mounts is handled by kernel and is supposed to be accurate).

> $ touch /mnt/ext2-2/a
> touch: /mnt/ext2-2/a: Read-only file system

Sure, read-only is per-superblock right now. Change it on one instance
and you've changed it on all of them.

2001-10-14 17:44:42

by Ville Herva

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]

On Sun, Oct 14, 2001 at 12:29:58PM -0400, you [Alexander Viro] claimed:
>
>
> What version of mount(8)?

mount-2.11g

> Or, better yet, how about strace -e trace=mount,umount of the whole
> thing?

Sure, if only I can reproduce it. It seems it's not that easy, since I've
just about tried everything I can think of.


-- v --

[email protected]

2001-10-14 23:37:02

by Bernd Eckenfels

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]

In article <[email protected]> you wrote:
>> mount --bind /home/luser /home/luser
>> mount -o remount,noexec /home/luser

That's nice! For example on Debian GNU/Linux one can mount /var with noexec
with the exception of /var/lib/dpkg/info/* because it contains all those
installation scripts. (Well, actually, this design decision is not that nice,
but at least one can work around it with your vfs mount option idea.)

Greetings
Bernd

2001-10-14 23:48:55

by Alexander Viro

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]



On Mon, 15 Oct 2001, Bernd Eckenfels wrote:

> In article <[email protected]> you wrote:
> >> mount --bind /home/luser /home/luser
> >> mount -o remount,noexec /home/luser
>
> That's nice! For example on Debian GNU/Linux one can mount /var with noexec
> with the exception of /var/lib/dpkg/info/* because it contains all those
> installation scripts. (Well, actually, this design decision is not that nice,
> but at least one can work around it with your vfs mount option idea.)

Same problem as with replacing /etc/alternatives symlink farms with
bindings - no support in Hurd. Considering somewhat erm... omnivorous
attitude of Hurd folks that may change at some point, but for now it's
a no-go.

2001-10-15 06:53:22

by Ville Herva

Subject: Re: mount --bind and -o [re: nosuid/noexec/nodev handling]

> On Mon, 15 Oct 2001, Bernd Eckenfels wrote:
>
> > In article <[email protected]> you wrote:
> > >> mount --bind /home/luser /home/luser
> > >> mount -o remount,noexec /home/luser
> >
> > That's nice! For example on Debian GNU/Linux one can mount /var with noexec

Yes, it is very useful, and I keep finding new uses for it all the time.

Sadly, userspace support for it is not perfect; for example cp/rsync
--one-file-system does not see a --bind mount point as a filesystem boundary.


-- v --

[email protected]
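Two points in this thread deserve a check a practitioner can actually run: Viro's reply that mount(8) was reading /etc/mtab while the kernel's own table is the accurate one, and Ville's closing note that --one-file-system tools walk straight through a bind mount because it sits on the same device as its source. The script below is an added example, not code from the original mails or from util-linux. It reads the kernel's view from /proc/self/mountinfo (format of Linux 2.6.26 and later: field 6 holds the per-vfsmount flags, everything after the " - " separator describes the superblock), reports which of noexec/nosuid/nodev are really in force for a path, and tells two mounts apart by mount ID instead of st_dev. The mount table, the /home/sftp chroot paths and the tmpfs with a space in its name are constructed for the example. Note that on kernels since 2.6.26 read-only can also be set per mount (mount -o remount,bind,ro), which is why the sample shows ro in the per-mount field while the superblock stays rw; on the 2.4-ac kernel discussed above, ro was superblock-wide exactly as Viro says.

```python
"""Inspect the kernel's own mount table to see which options really apply
to a path, and whether two paths sit on different mounts.

Added example for this thread, not code from the original mails or from
util-linux. Assumes the /proc/self/mountinfo format of Linux 2.6.26+:
per-mount options are field 6, and everything after the " - " separator
describes the superblock (fstype, source, superblock options).
"""
import os
import re

# Constructed sample table (not captured from a real host): /bin bound into
# an sftp chroot and remounted per-mount ro,nosuid,nodev,noexec while the
# underlying superblock stays rw; plus a tmpfs whose mount point contains a
# space, which mountinfo encodes as \040.
SAMPLE_MOUNTINFO = r"""
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
38 22 8:1 /bin /home/sftp/bin ro,nosuid,nodev,noexec,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
40 22 0:5 / /tmp/test\040dir rw,relatime - tmpfs tmpfs rw
"""

HARDENING = ("noexec", "nosuid", "nodev")


def _unescape(field):
    """Decode the \\NNN octal escapes mountinfo uses for space, tab, etc."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return one dict per mount, in table order (later lines stack on top)."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields (shared:N, master:N, ...) sit between the mount
        # options and the " - " separator, so split on the separator first.
        pre, _, post = line.partition(" - ")
        pf, sf = pre.split(), post.split()
        mounts.append({
            "id": int(pf[0]),
            "parent": int(pf[1]),
            "root": _unescape(pf[3]),
            "mountpoint": _unescape(pf[4]),
            "mnt_opts": set(pf[5].split(",")),            # per-vfsmount flags
            "fstype": sf[0],
            "source": _unescape(sf[1]),
            "sb_opts": set(sf[2].split(",")) if len(sf) > 2 else set(),  # superblock
        })
    return mounts


def mount_for(path, mounts):
    """Pick the mount covering path: the longest mount point wins, and among
    equal mount points the later (topmost) entry wins."""
    path = os.path.normpath(path)   # callers resolve symlinks themselves
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        covers = mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/")
        if covers and (best is None or len(mp) >= len(best["mountpoint"])):
            best = m
    return best


def effective_options(path, mountinfo_text):
    """What the kernel enforces for path, split into per-mount and superblock."""
    m = mount_for(path, parse_mountinfo(mountinfo_text))
    if m is None:
        raise LookupError("no mount covers " + path)
    return {
        "mountpoint": m["mountpoint"],
        "per_mount": sorted(m["mnt_opts"]),
        "superblock": sorted(m["sb_opts"]),
        # Per-mount ro (MS_REMOUNT|MS_BIND, 2.6.26+) or superblock ro: either denies writes.
        "readonly": "ro" in m["mnt_opts"] or "ro" in m["sb_opts"],
        "missing": [f for f in HARDENING if f not in m["mnt_opts"]],
    }


def is_jail_hardened(path, mountinfo_text):
    """True when noexec, nosuid and nodev are all set on the mount covering path."""
    return not effective_options(path, mountinfo_text)["missing"]


def crosses_mount(path_a, path_b, mountinfo_text):
    """Mount-boundary test by mount ID. st_dev alone cannot tell a bind mount
    from its source (same device), which is why -x / --one-file-system walks
    straight through bindings."""
    mounts = parse_mountinfo(mountinfo_text)
    a, b = mount_for(path_a, mounts), mount_for(path_b, mounts)
    return a is not None and b is not None and a["id"] != b["id"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # live check of this host
        with open("/proc/self/mountinfo") as fh:
            table = fh.read()
        target = os.path.realpath(sys.argv[1])
    else:                                       # constructed sample
        table, target = SAMPLE_MOUNTINFO, "/home/sftp/bin/uname"
    info = effective_options(target, table)
    print(target, "->", info["mountpoint"])
    print("  per-mount :", ",".join(info["per_mount"]))
    print("  superblock:", ",".join(info["superblock"]))
    print("  hardened  :", not info["missing"], "missing:", info["missing"])
```

Run it with a path argument to check the live table of the current host; with no argument it walks the constructed sample. The point of reading mountinfo rather than the output of mount(8) is the one Viro makes: /etc/mtab is bookkeeping done by userland and can disagree with what the kernel enforces, so a jail's noexec/nosuid/nodev should be verified against the kernel's table. The mount-ID comparison is what a backup or sync tool would need in order to stop at a bind mount, since the bound subtree and its source report the same st_dev.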