git.ipfire.org Git - thirdparty/systemd.git/commit
fstab-generator: clear nosuid/nodev/noexec for root=bind: mounts
author Daan De Meyer <daan@amutable.com>
Wed, 3 Jun 2026 13:54:13 +0000 (13:54 +0000)
committer Luca Boccassi <luca.boccassi@gmail.com>
Wed, 3 Jun 2026 19:21:54 +0000 (20:21 +0100)
commit b77be9f072d5ee7cfaa80d385f714d4f1b0caea0
tree 8ab63f80e23bf5c8c147e685bfe707eb6d2964b1
parent c280a16ab71b5b5e78c119c91f447832a08b0dc6
fstab-generator: clear nosuid/nodev/noexec for root=bind: mounts

A bind mount inherits the mount flags of the file system the source
directory resides on. For root=bind: the source typically lives below
/run/ (e.g. a freshly unpacked tar image in /run/machines/), which is
mounted nosuid,nodev, so those flags propagated to /sysroot and broke
suid binaries (e.g. sudo) and device nodes on the booted system.

Default bind root mounts to dev,suid,exec instead, unless the user
overrides this via rootflags=.

Fixes: https://github.com/systemd/systemd/issues/41352
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com>
man/systemd-fstab-generator.xml
src/fstab-generator/fstab-generator.c
test/test-fstab-generator/test-22-bind.expected/initrd-root-fs.target.requires/sysroot.mount [new symlink]
test/test-fstab-generator/test-22-bind.expected/initrd-usr-fs.target.requires/sysroot.mount [new symlink]
test/test-fstab-generator/test-22-bind.expected/sysroot.mount [new file with mode: 0644]
test/test-fstab-generator/test-22-bind.input [new file with mode: 0644]
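The behaviour the commit message describes, modelled as an added example rather than systemd's own code: start the root=bind: mount from dev,suid,exec so the source file system's nosuid,nodev are not inherited, and let rootflags= override individual flags. The per-flag merging (rather than rootflags= replacing the whole default set) and the function names are assumptions of this example, not taken from fstab-generator.c.

```c
/* Hypothetical model (not systemd's implementation) of deriving the
 * Options= for a root=bind: sysroot.mount. The bind mount itself would
 * inherit nosuid,nodev from /run/, so the defaults below set dev,suid,exec
 * explicitly; rootflags= may then flip individual flags or add others. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

struct bind_opts {
    bool dev, suid, exec;
    char extra[128]; /* flags from rootflags= that are simply passed through */
};

/* Parse rootflags= (may be NULL or empty) on top of the dev,suid,exec defaults. */
static struct bind_opts parse_rootflags(const char *rootflags) {
    struct bind_opts o = { .dev = true, .suid = true, .exec = true, .extra = "" };
    if (!rootflags || !*rootflags)
        return o;
    char buf[256];
    snprintf(buf, sizeof buf, "%s", rootflags);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        if (!strcmp(tok, "nodev")) o.dev = false;
        else if (!strcmp(tok, "dev")) o.dev = true;
        else if (!strcmp(tok, "nosuid")) o.suid = false;
        else if (!strcmp(tok, "suid")) o.suid = true;
        else if (!strcmp(tok, "noexec")) o.exec = false;
        else if (!strcmp(tok, "exec")) o.exec = true;
        else {
            /* Unrelated flags such as "ro" are kept in order of appearance. */
            if (*o.extra)
                strncat(o.extra, ",", sizeof o.extra - strlen(o.extra) - 1);
            strncat(o.extra, tok, sizeof o.extra - strlen(o.extra) - 1);
        }
    }
    return o;
}

/* Render the Options= value for the generated sysroot.mount into out. */
static const char *bind_root_options(const char *rootflags, char *out, size_t n) {
    struct bind_opts o = parse_rootflags(rootflags);
    snprintf(out, n, "bind,%s,%s,%s%s%s",
             o.dev ? "dev" : "nodev",
             o.suid ? "suid" : "nosuid",
             o.exec ? "exec" : "noexec",
             *o.extra ? "," : "", o.extra);
    return out;
}
```

With no rootflags= the result is "bind,dev,suid,exec"; "rootflags=nosuid" yields "bind,dev,nosuid,exec", which is the override path the commit message leaves to the user.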