.\" and Copyright (C) 1993 Michael Haardt, Ian Jackson.
.\" and Copyright (C) 2004, 2006, 2007, 2014 Michael Kerrisk <mtk.manpages@gmail.com>
.\"
-.\" %%%LICENSE_START(VERBATIM)
-.\" Permission is granted to make and distribute verbatim copies of this
-.\" manual provided the copyright notice and this permission notice are
-.\" preserved on all copies.
-.\"
-.\" Permission is granted to copy and distribute modified versions of this
-.\" manual under the conditions for verbatim copying, provided that the
-.\" entire resulting derived work is distributed under the terms of a
-.\" permission notice identical to this one.
-.\"
-.\" Since the Linux kernel and libraries are constantly changing, this
-.\" manual page may be incorrect or out-of-date. The author(s) assume no
-.\" responsibility for errors or omissions, or for damages resulting from
-.\" the use of the information contained herein. The author(s) may not
-.\" have taken the same level of care in the production of this manual,
-.\" which is licensed free of charge, as they might when working
-.\" professionally.
-.\"
-.\" Formatted or processed versions of this manual, if unaccompanied by
-.\" the source, must acknowledge the copyright and authors of this work.
-.\" %%%LICENSE_END
+.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.\"
.\" Modified 1993-07-21 Rik Faith (faith@cs.unc.edu)
.\" Modified 1994-08-21 by Michael Chastain (mec@shell.portal.com):
.\" Modified 2004-06-23 by Michael Kerrisk
.\" 2007-06-10, mtk, various parts rewritten, and added BUGS section.
.\"
-.TH ACCESS 2 2014-02-21 "Linux" "Linux Programmer's Manual"
+.TH ACCESS 2 2021-08-27 "Linux man-pages (unreleased)" "Linux Programmer's Manual"
.SH NAME
-access, faccessat \- check user's permissions for a file
+access, faccessat, faccessat2 \- check user's permissions for a file
+.SH LIBRARY
+Standard C library
+.RI ( libc ", " \-lc )
.SH SYNOPSIS
.nf
.B #include <unistd.h>
-.sp
+.PP
.BI "int access(const char *" pathname ", int " mode );
-
-.B #include <fcntl.h> /* Definition of AT_* constants */
+.PP
+.BR "#include <fcntl.h>" " /* Definition of " AT_* " constants */"
.B #include <unistd.h>
-.sp
+.PP
.BI "int faccessat(int " dirfd ", const char *" pathname ", int " \
mode ", int " flags );
+ /* But see C library/kernel differences, below */
+.PP
+.BR "#include <fcntl.h>" " /* Definition of " AT_* " constants */"
+.BR "#include <sys/syscall.h>" " /* Definition of " SYS_* " constants */"
+.B #include <unistd.h>
+.PP
+.B int syscall(SYS_faccessat2,
+.BI " int " dirfd ", const char *" pathname ", int " mode \
+", int " flags );
.fi
-.sp
-.in -4n
+.PP
+.RS -4
Feature Test Macro Requirements for glibc (see
.BR feature_test_macros (7)):
-.in
-.sp
-.BR faccessat ():
-.PD 0
-.ad l
-.RS 4
-.TP 4
-Since glibc 2.10:
-_XOPEN_SOURCE\ >=\ 700 || _POSIX_C_SOURCE\ >=\ 200809L
-.TP
-Before glibc 2.10:
-_ATFILE_SOURCE
.RE
-.ad
-.PD
+.PP
+.BR faccessat ():
+.nf
+ Since glibc 2.10:
+ _POSIX_C_SOURCE >= 200809L
+ Before glibc 2.10:
+ _ATFILE_SOURCE
.fi
.SH DESCRIPTION
.BR access ()
If
.I pathname
is a symbolic link, it is dereferenced.
-
+.PP
The
.I mode
specifies the accessibility check(s) to be performed,
.BR R_OK ", " W_OK ", and " X_OK
test whether the file exists and grants read, write, and
execute permissions, respectively.
-
+.PP
The check is done using the calling process's
.I real
UID and GID, rather than the effective IDs as is done when
actually attempting an operation (e.g.,
.BR open (2))
on the file.
-This allows set-user-ID programs to
-easily determine the invoking user's authority.
-
+Similarly, for the root user, the check uses the set of
+permitted capabilities rather than the set of effective
+capabilities; and for non-root users, the check uses an empty set
+of capabilities.
+.PP
+This allows set-user-ID programs and capability-endowed programs
+to easily determine the invoking user's authority.
+In other words,
+.BR access ()
+does not answer the "can I read/write/execute this file?" question.
+It answers a slightly different question:
+"(assuming I'm a setuid binary) can
+.I the user who invoked me
+read/write/execute this file?",
+which gives set-user-ID programs the possibility to
+prevent malicious users from causing them to read files
+which users shouldn't be able to read.
+.PP
If the calling process is privileged (i.e., its real UID is zero),
then an
.B X_OK
check is successful for a regular file if execute permission
is enabled for any of the file owner, group, or other.
-.SS faccessat ()
-The
+.SS faccessat()
.BR faccessat ()
-system call operates in exactly the same way as
-.BR access (2),
+operates in exactly the same way as
+.BR access (),
except for the differences described here.
-
+.PP
If the pathname given in
.I pathname
is relative, then it is interpreted relative to the directory
.I dirfd
(rather than relative to the current working directory of
the calling process, as is done by
-.BR access (2)
+.BR access ()
for a relative pathname).
-
+.PP
If
.I pathname
is relative and
.I pathname
is interpreted relative to the current working
directory of the calling process (like
-.BR access (2)).
-
+.BR access ()).
+.PP
If
.I pathname
is absolute, then
.I dirfd
is ignored.
-
+.PP
.I flags
is constructed by ORing together zero or more of the following values:
.TP
By default,
.BR faccessat ()
uses the real IDs (like
-.BR access (2)).
+.BR access ()).
.TP
.B AT_SYMLINK_NOFOLLOW
If
.I pathname
is a symbolic link, do not dereference it:
instead return information about the link itself.
-.SH "RETURN VALUE"
+.PP
+See
+.BR openat (2)
+for an explanation of the need for
+.BR faccessat ().
+.\"
+.SS faccessat2()
+The description of
+.BR faccessat ()
+given above corresponds to POSIX.1 and
+to the implementation provided by glibc.
+However, the glibc implementation was an imperfect emulation (see BUGS)
+that papered over the fact that the raw Linux
+.BR faccessat ()
+system call does not have a
+.I flags
+argument.
+To allow for a proper implementation, Linux 5.8 added the
+.BR faccessat2 ()
+system call, which supports the
+.I flags
+argument and allows a correct implementation of the
+.BR faccessat ()
+wrapper function.
+.SH RETURN VALUE
On success (all requested permissions granted, or
.I mode
is
and the file does not exist, or some other error occurred),
\-1 is returned, and
.I errno
-is set appropriately.
+is set to indicate the error.
.SH ERRORS
-.BR access ()
-and
-.BR faccessat ()
-shall fail if:
.TP
.B EACCES
The requested access would be denied to the file, or search permission
(See also
.BR path_resolution (7).)
.TP
+.B EBADF
+.RB ( faccessat ())
+.I pathname
+is relative but
+.I dirfd
+is neither
+.B AT_FDCWD
+.RB ( faccessat ())
+nor a valid file descriptor.
+.TP
+.B EFAULT
+.I pathname
+points outside your accessible address space.
+.TP
+.B EINVAL
+.I mode
+was incorrectly specified.
+.TP
+.B EINVAL
+.RB ( faccessat ())
+Invalid flag specified in
+.IR flags .
+.TP
+.B EIO
+An I/O error occurred.
+.TP
.B ELOOP
Too many symbolic links were encountered in resolving
.IR pathname .
.I pathname
does not exist or is a dangling symbolic link.
.TP
+.B ENOMEM
+Insufficient kernel memory was available.
+.TP
.B ENOTDIR
A component used as a directory in
.I pathname
is not, in fact, a directory.
.TP
-.B EROFS
-Write permission was requested for a file on a read-only filesystem.
-.PP
-.BR access ()
-and
-.BR faccessat ()
-may fail if:
-.TP
-.B EFAULT
+.B ENOTDIR
+.RB ( faccessat ())
.I pathname
-points outside your accessible address space.
-.TP
-.B EINVAL
-.I mode
-was incorrectly specified.
+is relative and
+.I dirfd
+is a file descriptor referring to a file other than a directory.
.TP
-.B EIO
-An I/O error occurred.
+.B EPERM
+Write permission was requested to a file that has the immutable flag set.
+See also
+.BR ioctl_iflags (2).
.TP
-.B ENOMEM
-Insufficient kernel memory was available.
+.B EROFS
+Write permission was requested for a file on a read-only filesystem.
.TP
.B ETXTBSY
Write access was requested to an executable which is being
executed.
-.PP
-The following additional errors can occur for
-.BR faccessat ():
-.TP
-.B EBADF
-.I dirfd
-is not a valid file descriptor.
-.TP
-.B EINVAL
-Invalid flag specified in
-.IR flags .
-.TP
-.B ENOTDIR
-.I pathname
-is relative and
-.I dirfd
-is a file descriptor referring to a file other than a directory.
.SH VERSIONS
.BR faccessat ()
was added to Linux in kernel 2.6.16;
library support was added to glibc in version 2.4.
-.SH "CONFORMING TO"
-.BR access (2):
+.PP
+.BR faccessat2 ()
+was added to Linux in version 5.8.
+.SH STANDARDS
+.BR access ():
SVr4, 4.3BSD, POSIX.1-2001, POSIX.1-2008.
-
-.BR faccessat (2):
+.PP
+.BR faccessat ():
POSIX.1-2008.
-.SH NOTES
.PP
+.BR faccessat2 ():
+Linux-specific.
+.SH NOTES
.BR Warning :
Using these calls to check if a user is authorized to, for example,
open a file before actually doing so using
.BR access ()
always dereferences symbolic links.
If you need to check the permissions on a symbolic link, use
-.BR faccessat (2)
+.BR faccessat ()
with the flag
.BR AT_SYMLINK_NOFOLLOW .
.PP
grant search (i.e., execute) access.
If any directory is inaccessible, then the
.BR access ()
-call will fail, regardless of the permissions on the file itself.
+call fails, regardless of the permissions on the file itself.
.PP
Only access bits are checked, not the file type or contents.
Therefore, if a directory is found to be writable,
it probably means that files can be created in the directory,
and not that the directory can be written as a file.
-Similarly, a DOS file may be found to be "executable," but the
+Similarly, a DOS file may be reported as executable, but the
.BR execve (2)
call will still fail.
.PP
These calls
may not work correctly on NFSv2 filesystems with UID mapping enabled,
because UID mapping is done on the server and hidden from the client,
-which checks permissions. (NFS versions 3 and higher perform the check on
-the server.)
+which checks permissions.
+(NFS versions 3 and higher perform the check on the server.)
Similar problems can occur to FUSE mounts.
-.\"
-.\"
-.SS faccessat ()
-See
-.BR openat (2)
-for an explanation of the need for
-.BR faccessat ().
-
-.IR Warning :
+.\"
+.\"
+.SS C library/kernel differences
+The raw
.BR faccessat ()
-is subject to the same kinds of races as
-.BR access (2)
-and
-.BR euidaccess (3).
-.SS Glibc notes
-The raw system call takes only the first three arguments.
+system call takes only the first three arguments.
The
.B AT_EACCESS
and
.BR faccessat ().
If either of these flags is specified, then the wrapper function employs
.BR fstatat (2)
-to determine access permissions.
+to determine access permissions, but see BUGS.
+.\"
+.SS Glibc notes
+On older kernels where
+.BR faccessat ()
+is unavailable (and when the
+.B AT_EACCESS
+and
+.B AT_SYMLINK_NOFOLLOW
+flags are not specified),
+the glibc wrapper function falls back to the use of
+.BR access ().
+When
+.I pathname
+is a relative pathname,
+glibc constructs a pathname based on the symbolic link in
+.I /proc/self/fd
+that corresponds to the
+.I dirfd
+argument.
.SH BUGS
+Because the Linux kernel's
+.BR faccessat ()
+system call does not support a
+.I flags
+argument, the glibc
+.BR faccessat ()
+wrapper function provided in glibc 2.32 and earlier
+emulates the required functionality using
+a combination of the
+.BR faccessat ()
+system call and
+.BR fstatat (2).
+However, this emulation does not take ACLs into account.
+Starting with glibc 2.33, the wrapper function avoids this bug
+by making use of the
+.BR faccessat2 ()
+system call where it is provided by the underlying kernel.
+.PP
In kernel 2.4 (and earlier) there is some strangeness in the handling of
.B X_OK
tests for superuser.
.\" This behavior appears to have been an implementation accident.
Early 2.6 kernels (up to and including 2.6.3)
also behaved in the same way as kernel 2.4.
-
+.PP
In kernels before 2.6.20,
these calls ignored the effect of the
.B MS_NOEXEC
the underlying filesystem.
Since kernel 2.6.20, the
.B MS_NOEXEC
-is honored
-.SH "SEE ALSO"
+flag is honored.
+.SH SEE ALSO
.BR chmod (2),
.BR chown (2),
.BR open (2),
projects / thirdparty / man-pages.git / blobdiff