1PATH_RESOLUTION(7) Linux Programmer's Manual PATH_RESOLUTION(7)
2
3
4
6 path_resolution - how a pathname is resolved to a file
7
9 Some Unix/Linux system calls have as parameter one or more filenames.
10 A filename (or pathname) is resolved as follows.
11
12 Step 1: Start of the resolution process
13 If the pathname starts with the '/' character, the starting lookup
14 directory is the root directory of the calling process. (A process
15 inherits its root directory from its parent. Usually this will be the
16 root directory of the file hierarchy. A process may get a different
17 root directory by use of the chroot(2) system call. A process may get
18 an entirely private mount namespace in case it — or one of its ances‐
19 tors — was started by an invocation of the clone(2) system call that
20 had the CLONE_NEWNS flag set.) This handles the '/' part of the path‐
21 name.
22
23 If the pathname does not start with the '/' character, the starting
24 lookup directory of the resolution process is the current working
25 directory of the process. (This is also inherited from the parent. It
26 can be changed by use of the chdir(2) system call.)
27
28 Pathnames starting with a '/' character are called absolute pathnames.
29 Pathnames not starting with a '/' are called relative pathnames.
30
31 Step 2: Walk along the path
32 Set the current lookup directory to the starting lookup directory.
33 Now, for each nonfinal component of the pathname, where a component is
34 a substring delimited by '/' characters, this component is looked up in
35 the current lookup directory.
36
37 If the process does not have search permission on the current lookup
38 directory, an EACCES error is returned ("Permission denied").
39
40 If the component is not found, an ENOENT error is returned ("No such
41 file or directory").
42
43 If the component is found, but is neither a directory nor a symbolic
44 link, an ENOTDIR error is returned ("Not a directory").
45
46 If the component is found and is a directory, we set the current lookup
47 directory to that directory, and go to the next component.
48
49 If the component is found and is a symbolic link (symlink), we first
50 resolve this symbolic link (with the current lookup directory as start‐
51 ing lookup directory). Upon error, that error is returned. If the
52 result is not a directory, an ENOTDIR error is returned. If the reso‐
53 lution of the symlink is successful and returns a directory, we set the
54 current lookup directory to that directory, and go to the next compo‐
55 nent. Note that the resolution process here involves recursion. In
56 order to protect the kernel against stack overflow, and also to protect
57 against denial of service, there are limits on the maximum recursion
58 depth, and on the maximum number of symbolic links followed. An ELOOP
59 error is returned when the maximum is exceeded ("Too many levels of
60 symbolic links").
61
62 Step 3: Find the final entry
63 The lookup of the final component of the pathname goes just like that
64 of all other components, as described in the previous step, with two
65 differences: (i) the final component need not be a directory (at least
66 as far as the path resolution process is concerned — it may have to be
67 a directory, or a nondirectory, because of the requirements of the spe‐
68 cific system call), and (ii) it is not necessarily an error if the com‐
69 ponent is not found — maybe we are just creating it. The details on
70 the treatment of the final entry are described in the manual pages of
71 the specific system calls.
72
73 . and ..
74 By convention, every directory has the entries "." and "..", which
75 refer to the directory itself and to its parent directory, respec‐
76 tively.
77
78 The path resolution process will assume that these entries have their
79 conventional meanings, regardless of whether they are actually present
80 in the physical file system.
81
82 One cannot walk down past the root: "/.." is the same as "/".
83
84 Mount points
85 After a "mount dev path" command, the pathname "path" refers to the
86 root of the file system hierarchy on the device "dev", and no longer to
87 whatever it referred to earlier.
88
89 One can walk out of a mounted file system: "path/.." refers to the par‐
90 ent directory of "path", outside of the file system hierarchy on "dev".
91
92 Trailing slashes
93 If a pathname ends in a '/', that forces resolution of the preceding
94 component as in Step 2: it has to exist and resolve to a directory.
95 Otherwise a trailing '/' is ignored. (Or, equivalently, a pathname
96 with a trailing '/' is equivalent to the pathname obtained by appending
97 '.' to it.)
98
99 Final symlink
100 If the last component of a pathname is a symbolic link, then it depends
101 on the system call whether the file referred to will be the symbolic
102 link or the result of path resolution on its contents. For example,
103 the system call lstat(2) will operate on the symlink, while stat(2)
104 operates on the file pointed to by the symlink.
105
106 Length limit
107 There is a maximum length for pathnames. If the pathname (or some
108 intermediate pathname obtained while resolving symbolic links) is too
109 long, an ENAMETOOLONG error is returned ("File name too long").
110
111 Empty pathname
112 In the original Unix, the empty pathname referred to the current direc‐
113 tory. Nowadays POSIX decrees that an empty pathname must not be
114 resolved successfully. Linux returns ENOENT in this case.
115
116 Permissions
117 The permission bits of a file consist of three groups of three bits,
118 cf. chmod(1) and stat(2). The first group of three is used when the
119 effective user ID of the calling process equals the owner ID of the
120 file. The second group of three is used when the group ID of the file
121 either equals the effective group ID of the calling process, or is one
122 of the supplementary group IDs of the calling process (as set by set‐
123 groups(2)). When neither holds, the third group is used.
124
125 Of the three bits used, the first bit determines read permission, the
126 second write permission, and the last execute permission in case of
127 ordinary files, or search permission in case of directories.
128
129 Linux uses the fsuid instead of the effective user ID in permission
130 checks. Ordinarily the fsuid will equal the effective user ID, but the
131 fsuid can be changed by the system call setfsuid(2).
132
133 (Here "fsuid" stands for something like "file system user ID". The
134 concept was required for the implementation of a user space NFS server
135 at a time when processes could send a signal to a process with the same
136 effective user ID. It is obsolete now. Nobody should use setf‐
137 suid(2).)
138
139 Similarly, Linux uses the fsgid ("file system group ID") instead of the
140 effective group ID. See setfsgid(2).
141
142 Bypassing permission checks: superuser and capabilities
143 On a traditional Unix system, the superuser (root, user ID 0) is all-
144 powerful, and bypasses all permissions restrictions when accessing
145 files.
146
147 On Linux, superuser privileges are divided into capabilities (see capa‐
148 bilities(7)). Two capabilities are relevant for file permissions
149 checks: CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH. (A process has these
150 capabilities if its fsuid is 0.)
151
152 The CAP_DAC_OVERRIDE capability overrides all permission checking, but
153 only grants execute permission when at least one of the file's three
154 execute permission bits is set.
155
156 The CAP_DAC_READ_SEARCH capability grants read and search permission on
157 directories, and read permission on ordinary files.
158
160 readlink(2), capabilities(7), credentials(7), symlink(7)
161
163 This page is part of release 3.25 of the Linux man-pages project. A
164 description of the project, and information about reporting bugs, can
165 be found at http://www.kernel.org/doc/man-pages/.
166
167
168
169Linux 2009-12-05 PATH_RESOLUTION(7)