| author | Lucas Werkmeister <mail@lucaswerkmeister.de> | 2017-11-05 20:04:51 +0100 |
|---|---|---|
| committer | Michael Kerrisk <mtk.manpages@gmail.com> | 2017-11-06 22:25:13 +0100 |
| commit | 81c8aeb64903ef6ae45e872bfd46814e6a11bdec (patch) | |
| tree | d2508aa32bb710f07bb43193d21ac69451b11784 /man5 | |
| parent | d6bd89f3e5ef19cc78f2e17e7ba0fed24ba44a61 (diff) | |
| download | man-pages-81c8aeb64903ef6ae45e872bfd46814e6a11bdec.tar.gz | |
proc.5: Clarify permissions in /proc/[pid]/fd/
Since the symbolic links for pipes and sockets do not refer to real
files in the file system tree, it can be hard to discover that they
still have mode and ownership information (revealed e.g. by `stat -L`),
so let's point this out in the manpage.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Diffstat (limited to 'man5')
| -rw-r--r-- | man5/proc.5 | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/man5/proc.5 b/man5/proc.5 index 01be634177..14beedd11d 100644 --- a/man5/proc.5 +++ b/man5/proc.5 @@ -684,6 +684,31 @@ the symbolic links in this directory is governed by a ptrace access mode .B PTRACE_MODE_READ_FSCREDS check; see .BR ptrace (2). +.IP +Note that for file descriptors referring to inodes (pipes and sockets, see above), +those inodes still have permission bits and ownership information +distinct from those of the +.I /proc/[pid]/fd +entry, +and that the owner may differ from the user and group IDs of the process. +An unprivileged process may lack permissions to open them, as in this example: +.IP +.in +4n +.EX +.RB "$" " echo test | sudo -u nobody cat" +test +.RB "$" " echo test | sudo -u nobody cat /proc/self/fd/0" +cat: /proc/self/fd/0: Permission denied +.EE +.in +.IP +File descriptor 0 refers to the pipe created by the shell +and owned by that shell's user, which is not +.IR nobody , +so +.B cat +does not have permission to create a new file descriptor to read from that inode, +even though it can still read from its existing file descriptor 0. .TP .IR /proc/[pid]/fdinfo/ " (since Linux 2.6.22)" This is a subdirectory containing one entry for each file which the |
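Review bot: the opening clause of the added paragraph, "for file descriptors referring to inodes (pipes and sockets, see above)", reads as though only pipes and sockets have inodes; the distinction the paragraph actually relies on is that these inodes have no path in the file system tree, so the /proc/[pid]/fd/ link is the only way to open them afresh. Suggest "for file descriptors referring to pipes and sockets (see above)" or similar. It would also help to say in one sentence that opening the link creates a new file description of the underlying inode and is therefore subject to that inode's own permission check, which is exactly why the existing descriptor 0 keeps working while "cat /proc/self/fd/0" fails; that makes clear this check applies in addition to the PTRACE_MODE_READ_FSCREDS check described just above the hunk, not instead of it.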
