4

This may be a dumb question, but how does a symbolic link preserve permissions?

$ ls -ld /proc/1/exe
ls: cannot read symbolic link '/proc/1/exe': Permission denied

So I look up what the link points to with sudo:

$ sudo readlink -f /proc/1/exe
/usr/lib/systemd/systemd
$ ls -ld /usr/lib/systemd  # check if r+x for the dir to traverse it
drwxr-xr-x 14 root root 4.0K May 18 19:34 /usr/lib/systemd/  #yes I do

So I do have rx permission for others, but with the symbolic link /proc/1/exe I cannot read the dir (traverse it) without sudo. Why?

Hauke Laging
  • 90,279
Herdsman
  • 340
  • Related: https://unix.stackexchange.com/questions/197854/how-does-the-proc-pid-exe-symlink-differ-from-ordinary-symlinks – user4556274 May 24 '20 at 20:38
  • Well, then it could be marked as duplicate, but it does not have to get downvoted immediately – Herdsman May 24 '20 at 20:52
  • 1
    It's not an exact duplicate, hence suggesting as related, not duplicate. (not the downvoter). The core idea that procfs is its own thing and doesn't necessarily follow all the rules expected from other filesystems still applies, but I haven't dug out the detail of where EACCES comes from here. – user4556274 May 24 '20 at 20:54

1 Answer

1

There is no "good" (i.e. conforming to all the relevant standards) way of achieving what is desired here (showing only some but not all of the content (metadata) of a directory).

But the kernel does tell you that you have no permissions on this object if you ask it:

$ test -r /proc/2072/exe ; echo $?
1
$ test -w /proc/2072/exe ; echo $?
1
$ test -x /proc/2072/exe ; echo $?
1
Hauke Laging
  • 90,279
  • Ok, that is basically what I have tried. But is there an explanation or rationale behind this? (Why does procfs behave differently compared to other filesystems mounted on the OS?) – Herdsman May 24 '20 at 23:20
  • @Herdsman Usually only the content of files is considered confidential. But it can be necessary to protect the names of files (in this case: the targets of symlinks). The location of these symlinks cannot be moved to a protected directory because they are expected there. The parent directory cannot get protected because then the access to files would be blocked which must not be blocked. – Hauke Laging May 24 '20 at 23:29
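
An added example, not part of the original answer or comments: a small shell check that separates "the link is visible" (lstat succeeds) from "the link's target name can be read" (readlink succeeds), which is the distinction the thread is about. The helper names `probe_exe` and `survey_exe` are hypothetical, and the script assumes a Linux system with /proc mounted and a `readlink` utility.

```shell
#!/bin/sh
# Added example: how does /proc/<pid>/exe respond to the current user?
# probe_exe and survey_exe are hypothetical helper names.

probe_exe() {
    link="/proc/$1/exe"
    # [ -L ] uses lstat(2): it looks at the link itself, never at its target.
    if [ ! -L "$link" ]; then
        echo "absent"            # no such process (or it is hidden from us)
        return 0
    fi
    # readlink(2) is the call that failed in the question's ls output.
    if target=$(readlink "$link" 2>/dev/null); then
        echo "readable:$target"
    else
        # Covers "Permission denied" and also processes that have no
        # executable at all (kernel threads), which fail even for root.
        echo "unreadable"
    fi
}

survey_exe() {
    readable=0
    unreadable=0
    for dir in /proc/[0-9]*; do
        case $(probe_exe "${dir#/proc/}") in
            readable:*) readable=$((readable + 1)) ;;
            unreadable) unreadable=$((unreadable + 1)) ;;
        esac
    done
    echo "readable=$readable unreadable=$unreadable"
}

# Compare PID 1 with the shell running this script, then summarise /proc.
for pid in 1 $$; do
    printf '%s\t%s\n' "$pid" "$(probe_exe "$pid")"
done
survey_exe
```

Run it once as an ordinary user and once with sudo: the links are listed in both cases, and only the number of readable targets changes.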