man2/path_resolution.2

   1 .\" Copyright (C) 2003 Andries Brouwer (aeb@cwi.nl)
   2 .\"
   3 .\" Permission is granted to make and distribute verbatim copies of this
   4 .\" manual provided the copyright notice and this permission notice are
   5 .\" preserved on all copies.
   6 .\"
   7 .\" Permission is granted to copy and distribute modified versions of this
   8 .\" manual under the conditions for verbatim copying, provided that the
   9 .\" entire resulting derived work is distributed under the terms of a
  10 .\" permission notice identical to this one.
  11 .\"
  12 .\" Since the Linux kernel and libraries are constantly changing, this
  13 .\" manual page may be incorrect or out-of-date.  The author(s) assume no
  14 .\" responsibility for errors or omissions, or for damages resulting from
  15 .\" the use of the information contained herein.  The author(s) may not
  16 .\" have taken the same level of care in the production of this manual,
  17 .\" which is licensed free of charge, as they might when working
  18 .\" professionally.
  19 .\"
  20 .\" Formatted or processed versions of this manual, if unaccompanied by
  21 .\" the source, must acknowledge the copyright and authors of this work.
  22 .\"
  23 .TH PATH_RESOLUTION 2 2004-06-21 "Linux 2.6.7" "Linux Programmer's Manual"
  24 .SH NAME
  25 Unix/Linux path resolution \- find the file referred to by a filename
  26 .SH DESCRIPTION
  27 Some Unix/Linux system calls have as parameter one or more filenames.
  28 A filename (or pathname) is resolved as follows.
  29 .SS "Step 1: Start of the resolution process"
  30 If the pathname starts with the '/' character, the starting lookup directory
  31 is the root directory of the current process.
  32 (A process inherits its
  33 root directory from its parent.
  34 Usually this will be the root directory
  35 of the file hierarchy.
  36 A process may get a different root directory
  37 by use of the
  38 .BR chroot (2)
  39 system call.
  40 A process may get an entirely private namespace in case
  41 it \(em or one of its ancestors \(em was started by an invocation of the
  42 .BR clone (2)
  43 system call that had the CLONE_NEWNS flag set.)
  44 This handles the '/' part of the pathname.
  45
  46 If the pathname does not start with the '/' character, the
  47 starting lookup directory of the resolution process is the current working
  48 directory of the process.
  49 (This is also inherited from the parent.
  50 It can be changed by use of the
  51 .BR chdir (2)
  52 system call.)
  53
  54 Pathnames starting with a '/' character are called absolute pathnames.
  55 Pathnames not starting with a '/' are called relative pathnames.
  56 .SS "Step 2: Walk along the path"
  57 Set the current lookup directory to the starting lookup directory.
  58 Now, for each non-final component of the pathname, where a component
  59 is a substring delimited by '/' characters, this component is looked up
  60 in the current lookup directory.
  61
  62 If the process does not have search permission on
  63 the current lookup directory,
  64 an EACCES error is returned ("Permission denied").
  65
  66 If the component is not found, an ENOENT error is returned
  67 ("No such file or directory").
  68
  69 If the component is found, but is neither a directory nor a symbolic link,
  70 an ENOTDIR error is returned ("Not a directory").
  71
  72 If the component is found and is a directory, we set the
  73 current lookup directory to that directory, and go to the
  74 next component.
  75
  76 If the component is found and is a symbolic link (symlink), we first
  77 resolve this symbolic link (with the current lookup directory
  78 as starting lookup directory).
  79 Upon error, that error is returned.
  80 If the result is not a directory, an ENOTDIR error is returned.
  81 If the resolution of the symlink is successful and returns a directory,
  82 we set the current lookup directory to that directory, and go to
  83 the next component.
  84 Note that the resolution process here involves recursion.
  85 In order to protect the kernel against stack overflow, and also
  86 to protect against denial of service, there are limits on the
  87 maximum recursion depth, and on the maximum number of symlinks
  88 followed.
  89 An ELOOP error is returned when the maximum is
  90 exceeded ("Too many levels of symbolic links").
  91 .\"
  92 .\" presently: max recursion depth during symlink resolution: 5
  93 .\" max total number of symlinks followed: 40
  94 .\" _POSIX_SYMLOOP_MAX is 8
  95 .SS "Step 3: Find the final entry"
  96 The lookup of the final component of the pathname goes just like
  97 that of all other components, as described in the previous step,
  98 with two differences: (i) the final component need not be a
  99 directory (at least as far as the path resolution process is concerned \(em
 100 it may have to be a directory, or a non-directory, because of
 101 the requirements of the specific system call), and (ii) it
 102 is not necessarily an error if the component is not found \(em
 103 maybe we are just creating it.
 104 The details on the treatment
 105 of the final entry are described in the manual pages of the specific
 106 system calls.
 107 .SS ". and .."
 108 By convention, every directory has the entries "." and "..",
 109 which refer to the directory itself and to its parent directory,
 110 respectively.
 111
 112 The path resolution process will assume that these entries have
 113 their conventional meanings, regardless of whether they are
 114 actually present in the physical filesystem.
 115
 116 One cannot walk down past the root: "/.." is the same as "/".
 117 .SS "Mount points"
 118 After a "mount dev path" command, the pathname "path" refers to
 119 the root of the filesystem hierarchy on the device "dev", and no
 120 longer to whatever it referred to earlier.
 121
 122 One can walk out of a mounted filesystem: "path/.." refers to
 123 the parent directory of "path",
 124 outside of the filesystem hierarchy on "dev".
 125 .SS "Trailing slashes"
 126 If a pathname ends in a '/', that forces resolution of the preceding
 127 component as in Step 2: it has to exist and resolve to a directory.
 128 Otherwise a trailing '/' is ignored.
 129 (Or, equivalently, a pathname with a trailing '/' is equivalent to
 130 the pathname obtained by appending '.' to it.)
 131 .SS "Final symlink"
 132 If the last component of a pathname is a symbolic link, then it
 133 depends on the system call whether the file referred to will be
 134 the symbolic link or the result of path resolution on its contents.
 135 For example, the system call
 136 .BR lstat (2)
 137 will operate on the symlink, while
 138 .BR stat (2)
 139 operates on the file pointed to by the symlink.
 140 .SS "Length limit"
 141 There is a maximum length for pathnames.
 142 If the pathname (or some
 143 intermediate pathname obtained while resolving symbolic links)
 144 is too long, an ENAMETOOLONG error is returned ("File name too long").
 145 .SS "Empty pathname"
 146 In the original Unix, the empty pathname referred to the current directory.
 147 Nowadays POSIX decrees that an empty pathname must not be resolved
 148 successfully.
 149 Linux returns ENOENT in this case.
 150 .SS "Permissions"
 151 The permission bits of a file consist of three groups of three bits, cf.\&
 152 .BR chmod (1)
 153 and
 154 .BR stat (2).
 155 The first group of three is used when the effective user ID of
 156 the current process equals the owner ID of the file.
 157 The second group
 158 of three is used when the group ID of the file either equals the
 159 effective group ID of the current process, or is one of the
 160 supplementary group IDs of the current process (as set by
 161 .BR setgroups (2)).
 162 When neither holds, the third group is used.
 163
 164 Of the three bits used, the first bit determines read permission,
 165 the second write permission, and the last execute permission
 166 in case of ordinary files, or search permission in case of directories.
 167
 168 Linux uses the fsuid instead of the effective user ID in permission checks.
 169 Ordinarily the fsuid will equal the effective user ID, but the fsuid can be
 170 changed by the system call
 171 .BR setfsuid (2).
 172
 173 (Here "fsuid" stands for something like "file system user ID".
 174 The concept was required for the implementation of a user space
 175 NFS server at a time when processes could send a signal to a process
 176 with the same effective user ID.
 177 It is obsolete now.
 178 Nobody should use
 179 .BR setfsuid (2).)
 180
 181 Similarly, Linux uses the fsgid ("file system group ID")
 182 instead of the effective group ID.
 183 See
 184 .BR setfsgid (2).
 185 .\" FIXME say something about filesystem mounted read-only ?
 186 .SS "Bypassing permission checks: superuser and capabilities"
 187 On a traditional Unix system, the superuser
 188 .RI ( root ,
 189 user ID 0) is all-powerful, and bypasses all permissions restrictions
 190 when accessing files.
 191 .\" (but for exec at least one x bit must be set) -- AEB
 192 .\" but there is variation across systems on this point: for
 193 .\" example, HP-UX and Tru64 are as described by AEB.  However,
 194 .\" on some implementations (e.g., Solaris, FreeBSD),
 195 .\" access(X_OK) by superuser will report success, regardless
 196 .\" of the file's execute permission bits. -- MTK (Oct 05)
 197
 198 On Linux, superuser privileges are divided into capabilities (see
 199 .BR capabilities (7)).
 200 Two capabilities are relevant for file permissions checks:
 201 CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH.
 202 (A process has these capabilities if its fsuid is 0.)
 203
 204 The CAP_DAC_OVERRIDE capability overrides all permission checking,
 205 but only grants execute permission when at least one
 206 of the file's three execute permission bits is set.
 207
 208 The CAP_DAC_READ_SEARCH capability grants read and search permission
 209 on directories, and read permission on ordinary files.
 210 .\" FIXME say something about immutable files
 211 .\" FIXME say something about ACLs
 212 .SH "SEE ALSO"
 213 .BR capabilities (7)