Fixing "sudo cannot be used" inside a container kept on a portable device

Source: Internet  Published: 结构优化设计 王光远  Editor: 程序博客网  Time: 2024/06/10 08:23


Environment

Arch Linux deployed with systemd-nspawn. The container's root filesystem lives on a removable device that is mounted on the host.

Symptom

Running any sudo command inside the container fails with:

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Cause

sudo relies on a mechanism called setuid (Set User ID, also written suid). If that bit is set on an executable file (like sudo), the program runs with the permissions of the file's owner rather than those of the user who started it; in the case of sudo the owner is root.

That means sudo is executed as root. So far so good. But then nothing would stop you from inserting a USB drive carrying a shell binary with the setuid bit set and getting full root access. That is why removable drives are normally mounted with the noexec option, which prevents executing binaries or scripts from the device at all. If you still want to execute files from the device, there is a second option, the one named in the error message above: nosuid. The kernel then still runs the file, but as the calling user, so the effective uid stays non-zero and sudo refuses to work.
See this excerpt from the mount manual page:
[…]
nosuid Do not allow set-user-identifier or set-group-identifier bits to take effect.
[…]

Solution

Remount the removable device without the nosuid option (that is, with suid). For example:

mount -t ext4 -o ro,suid,dev,exec,auto,nouser,async /dev/sdb /mnt

If the device is already mounted, `mount -o remount,suid /mnt` changes the option in place without unmounting; use rw instead of ro if the container needs to write to its root filesystem. Before remounting, confirm that the setuid bit is actually present on the file (ls -l should show -rwsr-xr-x for /usr/bin/sudo; if it is missing, chmod u+s inside the container restores it, since a missing bit produces the same error). Also keep in mind that dropping nosuid re-enables every setuid binary on that device, which is exactly the risk the explanation above describes, so only do this for the medium that carries the container's root filesystem and leave nosuid on general-purpose removable media.
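The check described above, as an added example that is not part of the original post: a small POSIX sh diagnostic that finds the mount holding a given sudo binary in /proc/self/mounts-style data, tests whether that mount carries nosuid, and distinguishes that case from a binary that simply lacks the setuid bit. The mounts text and the `/mnt/usr/bin/sudo` path are constructed for offline use; the optional third argument to `diagnose_sudo` stands in for the real `[ -u ]` check so the function can be exercised without a real sudo binary.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Diagnose "sudo: effective uid is not 0" by checking (1) the setuid bit on
# the binary and (2) whether the filesystem it lives on is mounted nosuid.

# Constructed sample in /proc/self/mounts format (not captured from a real
# host). /mnt is the removable device carrying the container root; it is
# mounted nosuid, which is the situation the post describes.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb /mnt ext4 ro,nosuid,nodev,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,relatime,size=1M 0 0'

# Same sample after "mount -o remount,suid /mnt" (constructed).
SAMPLE_MOUNTS_FIXED='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb /mnt ext4 ro,nodev,relatime 0 0'

# mount_options_for <path> <mounts-text>
# Prints the option string of the mount that contains <path>, i.e. the
# mount point that is the longest prefix of the path (as the kernel resolves it).
mount_options_for() {
    path=$1
    best=''
    best_opts=''
    while read -r _dev mp _fstype opts _rest; do
        [ -n "$mp" ] || continue
        case "$mp" in
            /) match=1 ;;                      # root matches every absolute path
            *) case "$path" in
                   "$mp"|"$mp"/*) match=1 ;;   # exact mount point or a path below it
                   *) match=0 ;;
               esac ;;
        esac
        if [ "$match" -eq 1 ] && [ "${#mp}" -ge "${#best}" ]; then
            best=$mp
            best_opts=$opts
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$best_opts"
}

# has_mount_option <options> <name>: true if <name> is one comma-separated element.
has_mount_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose_sudo <binary> <mounts-text> [yes|no]
# Exit status: 0 = setuid bit set and honoured, 1 = filesystem mounted nosuid,
# 2 = binary has no setuid bit. The optional third argument overrides the
# real [ -u ] test so the function can run against constructed data.
diagnose_sudo() {
    bin=$1
    mounts=$2
    setuid=${3:-}
    if [ -z "$setuid" ]; then
        if [ -u "$bin" ]; then setuid=yes; else setuid=no; fi
    fi
    opts=$(mount_options_for "$bin" "$mounts")
    if [ "$setuid" != yes ]; then
        echo "$bin has no setuid bit (fix: chmod u+s $bin inside the container)"
        return 2
    fi
    if has_mount_option "$opts" nosuid; then
        echo "filesystem holding $bin is mounted nosuid ($opts); the setuid bit is ignored"
        return 1
    fi
    echo "setuid bit is set and the filesystem honours it ($opts)"
    return 0
}

# Real-system usage (run on the host, pointing at the container's copy of sudo):
#   diagnose_sudo /mnt/usr/bin/sudo "$(cat /proc/self/mounts)"
```

The longest-prefix lookup matters because a nested mount (for example a bind mount under /mnt) can carry different options from its parent; checking only the device's top-level entry would miss that.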