man2/path_resolution.2

   1 .\" Copyright (C) 2003 Andries Brouwer (aeb@cwi.nl)
   2 .\"
   3 .\" Permission is granted to make and distribute verbatim copies of this
   4 .\" manual provided the copyright notice and this permission notice are
   5 .\" preserved on all copies.
   6 .\"
   7 .\" Permission is granted to copy and distribute modified versions of this
   8 .\" manual under the conditions for verbatim copying, provided that the
   9 .\" entire resulting derived work is distributed under the terms of a
  10 .\" permission notice identical to this one.
  11 .\"
  12 .\" Since the Linux kernel and libraries are constantly changing, this
  13 .\" manual page may be incorrect or out-of-date.  The author(s) assume no
  14 .\" responsibility for errors or omissions, or for damages resulting from
  15 .\" the use of the information contained herein.  The author(s) may not
  16 .\" have taken the same level of care in the production of this manual,
  17 .\" which is licensed free of charge, as they might when working
  18 .\" professionally.
  19 .\"
  20 .\" Formatted or processed versions of this manual, if unaccompanied by
  21 .\" the source, must acknowledge the copyright and authors of this work.
  22 .\"
  23 .TH PATH_RESOLUTION 2 2004-06-21 "Linux 2.6.7" "Linux Programmer's Manual"
  24 .SH NAME
  25 Unix/Linux path resolution \- find the file referred to by a filename
  26 .SH DESCRIPTION
  27 Some Unix/Linux system calls have as parameter one or more filenames.
  28 A filename (or pathname) is resolved as follows.
  29
  30 .SS "Step 1: Start of the resolution process"
  31 If the pathname starts with the '/' character, the starting lookup directory
  32 is the root directory of the current process. (A process inherits its
  33 root directory from its parent. Usually this will be the root directory
  34 of the file hierarchy. A process may get a different root directory
  35 by use of the
  36 .BR chroot (2)
  37 system call. A process may get an entirely private namespace in case
  38 it \(em or one of its ancestors \(em was started by an invocation of the
  39 .BR clone (2)
  40 system call that had the CLONE_NEWNS flag set.)
  41 This handles the '/' part of the pathname.
  42
  43 If the pathname does not start with the '/' character, the
  44 starting lookup directory of the resolution process is the current working
  45 directory of the process. (This is also inherited from the parent.
  46 It can be changed by use of the
  47 .BR chdir (2)
  48 system call.)
  49
  50 Pathnames starting with a '/' character are called absolute pathnames.
  51 Pathnames not starting with a '/' are called relative pathnames.
  52
  53 .SS "Step 2: Walk along the path"
  54 Set the current lookup directory to the starting lookup directory.
  55 Now, for each non-final component of the pathname, where a component
  56 is a substring delimited by '/' characters, this component is looked up
  57 in the current lookup directory.
  58
  59 If the process does not have search permission on the current lookup directory,
  60 an EACCES error is returned ("Permission denied").
  61
  62 If the component is not found, an ENOENT error is returned
  63 ("No such file or directory").
  64
  65 If the component is found, but is neither a directory nor a symbolic link,
  66 an ENOTDIR error is returned ("Not a directory").
  67
  68 If the component is found and is a directory, we set the
  69 current lookup directory to that directory, and go to the
  70 next component.
  71
  72 If the component is found and is a symbolic link (symlink), we first
  73 resolve this symbolic link (with the current lookup directory
  74 as starting lookup directory). Upon error, that error is returned.
  75 If the result is not a directory, an ENOTDIR error is returned.
  76 If the resolution of the symlink is successful and returns a directory,
  77 we set the current lookup directory to that directory, and go to
  78 the next component.
  79 Note that the resolution process here involves recursion.
  80 In order to protect the kernel against stack overflow, and also
  81 to protect against denial of service, there are limits on the
  82 maximum recursion depth, and on the maximum number of symlinks
  83 followed. An ELOOP error is returned when the maximum is
  84 exceeded ("Too many levels of symbolic links").
  85 .\"
  86 .\" presently: max recursion depth during symlink resolution: 5
  87 .\" max total number of symlinks followed: 40
  88 .\" _POSIX_SYMLOOP_MAX is 8
  89
  90 .SS "Step 3: Find the final entry"
  91 The lookup of the final component of the pathname goes just like
  92 that of all other components, as described in the previous step,
  93 with two differences: (i) the final component need not be a
  94 directory (at least as far as the path resolution process is concerned \-
  95 it may have to be a directory, or a non-directory, because of
  96 the requirements of the specific system call), and (ii) it
  97 is not necessarily an error if the component is not found \-
  98 maybe we are just creating it. The details on the treatment
  99 of the final entry are described in the manual pages of the specific
 100 system calls.
 101
 102 .SS ". and .."
 103 By convention, every directory has the entries "." and "..",
 104 which refer to the directory itself and to its parent directory,
 105 respectively.
 106
 107 The path resolution process will assume that these entries have
 108 their conventional meanings, regardless of whether they are
 109 actually present in the physical filesystem.
 110
 111 One cannot walk down past the root: "/.." is the same as "/".
 112
 113 .SS "Mount points"
 114 After a "mount dev path" command, the pathname "path" refers to
 115 the root of the filesystem hierarchy on the device "dev", and no
 116 longer to whatever it referred to earlier.
 117
 118 One can walk out of a mounted filesystem: "path/.." refers to
 119 the parent directory of "path",
 120 outside of the filesystem hierarchy on "dev".
 121
 122 .SS "Trailing slashes"
 123 If a pathname ends in a '/', that forces resolution of the preceding
 124 component as in Step 2: it has to exist and resolve to a directory.
 125 Otherwise a trailing '/' is ignored.
 126 (Or, equivalently, a pathname with a trailing '/' is equivalent to
 127 the pathname obtained by appending '.' to it.)
 128
 129 .SS "Final symlink"
 130 If the last component of a pathname is a symbolic link, then it
 131 depends on the system call whether the file referred to will be
 132 the symbolic link or the result of path resolution on its contents.
 133 For example, the system call
 134 .BR lstat (2)
 135 will operate on the symlink, while
 136 .BR stat (2)
 137 operates on the file pointed to by the symlink.
 138
 139 .SS "Length limit"
 140 There is a maximum length for pathnames. If the pathname (or some
 141 intermediate pathname obtained while resolving symbolic links)
 142 is too long, an ENAMETOOLONG error is returned ("File name too long").
 143
 144 .SS "Empty pathname"
 145 In the original Unix, the empty pathname referred to the current directory.
 146 Nowadays POSIX decrees that an empty pathname must not be resolved
 147 successfully. Linux returns ENOENT in this case.
 148
 149 .SS "Permissions"
 150 The permission bits of a file consist of three groups of three bits, cf.\&
 151 .BR chmod (1)
 152 and
 153 .BR stat (2).
 154 The first group of three is used when the effective user ID of
 155 the current process equals the owner ID of the file. The second group
 156 of three is used when the group ID of the file either equals the
 157 effective group ID of the current process, or is one of the
 158 supplementary group IDs of the current process (as set by
 159 .BR setgroups (2)).
 160 When neither holds, the third group is used.
 161
 162 Of the three bits used, the first bit determines read permission,
 163 the second write permission, and the last execute permission
 164 in case of ordinary files, or search permission in case of directories.
 165
 166 Linux uses the fsuid instead of the effective user ID in permission checks.
 167 Ordinarily the fsuid will equal the effective user ID, but the fsuid can be
 168 changed by the system call
 169 .BR setfsuid (2).
 170
 171 (Here "fsuid" stands for something like "file system user ID".
 172 The concept was required for the implementation of a user space
 173 NFS server at a time when processes could send a signal to a process
 174 with the same effective user ID. It is obsolete now. Nobody should use
 175 .BR setfsuid (2).)
 176
 177 Similarly, Linux uses the fsgid instead of the effective group ID. See
 178 .BR setfsgid (2).
 179
 180 .\" say sth on fs mounted read-only ?
 181
 182 .SS "Capabilities"
 183 If the permission bits of the file deny whatever is asked, permission
 184 can still be granted by the appropriate capabilities.
 185
 186 Traditional systems do not use capabilities and root (user ID 0) is
 187 all-powerful. Such systems are presently (2.6.7) handled by giving root
 188 all capabilities except for CAP_SETPCAP. More precisely, at exec time
 189 a process gets all capabilities except CAP_SETPCAP and the five capabilities
 190 CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID,
 191 in case it has zero euid, and it gets these last five capabilities
 192 in case it has zero fsuid, while all other processes get no capabilities.
 193
 194 The CAP_DAC_OVERRIDE capability overrides all permission checking,
 195 but will only grant execute permission when at least one
 196 of the three execute permission bits is set.
 197
 198 The CAP_DAC_READ_SEARCH capability will grant read and search permission
 199 on directories, and read permission on ordinary files.
 200
 201 .\" Is there a better place for this?
 202 The CAP_SYS_ADMIN capability will (e.g.) allow a process to violate
 203 the limit (visible in
 204 .IR /proc/sys/fs/file-max )
 205 on the maximum number of open files in the system, where a process
 206 lacking that capability would see an ENFILE error return.
 207
 208 .\" say sth on immutable files
 209
 210 .\" say sth on ACLs
 211
 212 .SH "SEE ALSO"
 213 .BR capabilities (7)