From: Chris Webb <chris@arachsys.com>
Date: Mon, 15 Dec 2025 18:48:29 +0000 (+0000)
Subject: unshare: fix user namespace bind mounts
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f84322ecf618b9c84040e08e346341f2853a139;p=thirdparty%2Futil-linux.git

unshare: fix user namespace bind mounts

unshare --user=<file> always fails because we no longer have CAP_SYS_ADMIN
in the parent user namespace after unsharing to create the new one. As with
unshare --mount=<file>, fork a child to make the bind mount instead.

Signed-off-by: Chris Webb <chris@arachsys.com>
---

diff --git a/sys-utils/unshare.c b/sys-utils/unshare.c
index d9c4d403f..aeb8bf974 100644
--- a/sys-utils/unshare.c
+++ b/sys-utils/unshare.c
@@ -1075,7 +1075,7 @@ int main(int argc, char *argv[])
 	/* clear any inherited settings */
 	signal(SIGCHLD, SIG_DFL);
 
-	if (npersists && (unshare_flags & CLONE_NEWNS))
+	if (npersists && (unshare_flags & (CLONE_NEWNS | CLONE_NEWUSER)))
 		pid_bind = bind_ns_files_from_child(&fd_bind);
 
 	if (usermap || groupmap)
@@ -1130,7 +1130,7 @@ int main(int argc, char *argv[])
 
 	if (npersists && (pid || !forkit)) {
 		/* run in parent */
-		if (pid_bind && (unshare_flags & CLONE_NEWNS))
+		if (pid_bind && (unshare_flags & (CLONE_NEWNS | CLONE_NEWUSER)))
 			sync_with_child(pid_bind, fd_bind);
 		else
 			/* simple way, just bind */