whyno dac check

layer 4: standard unix permission check with owner/group/other bits and root override

system rust permissions linux security

components

  • process check_dac(state)

    standard unix permission check with owner/group/other bits and root override

    generic_permission, may_delete
  • decision operation?

    stat and metadata ops need no dac check, delete/create check parent, others check target

  • pass pass: no dac check needed

    stat and metadata operations bypass dac mode-bit checks entirely

  • process check_parent_dac

    delete and create require write+execute on the parent directory

  • process check_target_dac

    read, write, and execute check the corresponding mode bit on the target

  • decision stat available?

    checks if stat() succeeded for the target

  • degraded degraded

    stat returned unknown or inaccessible — cannot determine target permissions

  • decision subject class?

    determines which permission class applies: owner, group, or other

  • decision owner has needed bit?

    checks if the owner mode bits grant the requested permission

  • decision group has needed bit?

    checks if the group mode bits grant the requested permission

  • decision other has needed bit?

    checks if the other mode bits grant the requested permission

  • pass pass

    the subject's permission class grants the needed bit

  • fail fail

    the subject's permission class does not grant the needed bit

  • decision parent stat available?

    checks if stat() succeeded for the parent directory

  • degraded degraded

    cannot determine parent directory permissions

  • decision parent has w+x?

    parent must have both write and execute bits for the subject's class

  • fail fail: lacks w+x on parent

    subject's class does not have write+execute on the parent directory

  • decision delete?

    only delete operations need the sticky bit check — create stops here

  • pass pass: parent w+x

    create allowed — parent has write+execute for the subject

  • decision sticky bit set?

    checks if the parent directory has the sticky bit (mode 1000)

  • pass pass: no sticky bit

    no sticky bit — delete allowed with write+execute on parent

  • decision owns target or parent?

    sticky bit restricts deletion to the file owner or directory owner

  • pass pass: owns target/parent

    subject owns the target or parent — sticky bit does not block

  • fail fail: sticky bit blocks

    subject does not own the target or parent — sticky bit blocks deletion

  • process capability_modify()

    post-dac modifier — dispatches on capabilities probe: known checks cap_dac_override bit, unknown falls back to uid==0 heuristic, inaccessible leaves result unchanged

  • decision cap_dac_override?

    does the subject have cap_dac_override via bitmask or uid==0 heuristic?

  • fail final: fail

    subject lacks cap_dac_override — definitively blocked by dac

  • decision execute op?

    cap_dac_override has a special exception for execute

  • decision any class has +x?

    root can only execute if at least one class has +x set

  • pass pass: cap_dac_override

    root bypasses dac via cap_dac_override

  • fail fail: no +x anywhere

    root cannot execute a file with no execute bits (e.g. mode 0644)

  • decision delete + sticky?

    cap_dac_override also bypasses the sticky bit restriction

  • pass pass: cap_dac_override (sticky also bypassed)

    root bypasses both dac and sticky bit

  • pass pass: cap_dac_override

    root bypasses dac for non-execute, non-sticky operations
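
The decision flow listed above, written out as an added Rust example (not whyno's own code). Every name except `check_dac` is hypothetical, `None` stands for a failed stat(), the capability modifier is assumed to run only on a failed result, and an unknown target owner is assumed not to match under the sticky bit.

```rust
// Added example; names other than check_dac are hypothetical, not whyno's API.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Op { Stat, Read, Write, Execute, Create, Delete }
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Verdict { Pass, Fail, Degraded }
#[derive(Clone, Copy)]
pub enum CapProbe { Known(bool), Unknown, Inaccessible }
#[derive(Clone, Copy)]
pub struct Meta { pub mode: u32, pub uid: u32, pub gid: u32 }
pub struct Subject { pub uid: u32, pub gids: Vec<u32>, pub caps: CapProbe }
// Pick the owner, group, or other rwx triplet that applies to the subject.
fn class_bits(s: &Subject, m: &Meta) -> u32 {
    if s.uid == m.uid { (m.mode >> 6) & 7 }
    else if s.gids.contains(&m.gid) { (m.mode >> 3) & 7 }
    else { m.mode & 7 }
}

// `None` for target/parent means stat() did not succeed.
pub fn check_dac(s: &Subject, op: Op, target: Option<Meta>, parent: Option<Meta>) -> Verdict {
    let base = match op {
        Op::Stat => return Verdict::Pass, // metadata ops: no DAC check needed
        Op::Create | Op::Delete => {
            let Some(p) = parent else { return Verdict::Degraded };
            let sticky = op == Op::Delete && p.mode & 0o1000 != 0;
            let owns = s.uid == p.uid || target.map_or(false, |t| t.uid == s.uid); // unknown target: not owned
            if class_bits(s, &p) & 3 != 3 || (sticky && !owns) { Verdict::Fail } else { Verdict::Pass }
        }
        Op::Read | Op::Write | Op::Execute => {
            let Some(t) = target else { return Verdict::Degraded };
            let need = match op { Op::Read => 4, Op::Write => 2, _ => 1 };
            if class_bits(s, &t) & need != 0 { Verdict::Pass } else { Verdict::Fail }
        }
    };
    if base != Verdict::Fail { return base; } // capability_modify only revisits a Fail
    let has_cap = match s.caps {
        CapProbe::Known(bit) => bit,
        CapProbe::Unknown => s.uid == 0, // uid==0 heuristic
        CapProbe::Inaccessible => return base, // leave result unchanged
    };
    // Execute exception: the override needs at least one +x bit on the target.
    let no_x = op == Op::Execute && target.map_or(true, |t| t.mode & 0o111 == 0);
    if has_cap && !no_x { Verdict::Pass } else { Verdict::Fail }
}

fn main() {
    let root = Subject { uid: 0, gids: vec![0], caps: CapProbe::Unknown };
    let script = Some(Meta { mode: 0o100644, uid: 1000, gid: 1000 }); // constructed sample
    println!("{:?}", check_dac(&root, Op::Execute, script, None)); // prints Fail
}
```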