You also need setuid, that's were I hit the root requirement, the bind mount itself can indeed be created.