whyno traversal check

layer 3: checks execute permission on every ancestor from / to parent directory

system rust permissions linux security

components

  • process check_traversal(state)

    checks execute permission on every ancestor from / to parent directory

    link_path_walk may_lookup
  • decision any ancestors?

    checks if the path has ancestor directories to traverse

  • pass pass: single component

    path is a single component (e.g. /), no directory traversal needed

  • process for each ancestor (/ → parent)

    iterates every directory from / to the parent, checking execute permission on each

  • decision stat available?

    checks if stat() succeeded for this ancestor component

  • degraded degraded

    stat returned unknown or inaccessible — cannot determine permissions for this ancestor

  • decision uid == 0?

    root bypasses all directory traversal checks via cap_dac_read_search

  • pass pass: root bypasses

    root always has traverse permission regardless of mode bits or acls

  • decision extended acl?

    checks if this ancestor has posix.1e extended acl entries beyond base

  • process acl execute eval

    evaluates execute permission using the full posix.1e acl algorithm

  • process mode-bit execute eval

    evaluates execute permission using standard owner/group/other mode bits

  • decision owner match?

    checks if the subject's uid matches the directory owner

  • decision owner +x?

    checks if the owner class has execute permission on this directory

  • pass pass

    subject has execute permission to traverse this ancestor

  • fail fail: no traverse

    subject lacks execute permission on an ancestor — path traversal blocked

  • decision group match?

    checks if the subject's gid or supplementary groups match the directory group

  • decision group +x?

    checks if the group class has execute permission on this directory

  • decision other +x?

    checks if the other class has execute permission on this directory

  • decision userobj match?

    checks if the subject matches the acl userobj entry (file owner)

  • decision userobj +x?

    checks if the userobj acl entry grants execute

  • decision named user match?

    checks if the subject matches any named user acl entry

  • decision effective +x?

    checks if the named user entry grants execute after masking

  • decision any group match?

    checks owning group and all named group entries in the acl

  • decision best group effective +x?

    uses the most permissive matching group entry, masked with acl mask

  • decision other +x?

    checks if the acl other entry grants execute
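
The mode-bit branch of the walk above, as an added Rust example that is not whyno's own code. It shows that the first matching class (owner, then group, then other) decides, so an owner without +x is blocked even when group and other have it; the extended-acl branch is left out. Assumptions: the type and function names other than check_traversal are hypothetical, the stat check runs before the uid == 0 check as in the component order, and the walk stops at the first ancestor that is not a pass.

```rust
// Added example: types, names and sample values are constructed, not whyno's own code.
#[derive(Debug, PartialEq)]
enum Verdict {
    Pass,
    Degraded(&'static str), // stat unavailable for this ancestor
    Fail(&'static str),     // no execute permission on this ancestor
}

struct Subject { uid: u32, gids: Vec<u32> } // gids: primary plus supplementary groups

// One ancestor directory; stat is (owner uid, group gid, mode), None if stat() failed.
struct Ancestor { path: &'static str, stat: Option<(u32, u32, u32)> }

// Mode-bit execute eval: the first matching class decides, with no fall-through.
fn mode_bit_execute(s: &Subject, owner: u32, group: u32, mode: u32) -> bool {
    if s.uid == owner {
        mode & 0o100 != 0
    } else if s.gids.contains(&group) {
        mode & 0o010 != 0
    } else {
        mode & 0o001 != 0
    }
}

// Walks ancestors from / to the parent; an empty slice is the single-component case.
fn check_traversal(s: &Subject, ancestors: &[Ancestor]) -> Verdict {
    for a in ancestors {
        let (owner, group, mode) = match a.stat {
            Some(st) => st,
            None => return Verdict::Degraded(a.path),
        };
        if s.uid == 0 {
            continue; // root bypasses the execute check
        }
        if !mode_bit_execute(s, owner, group, mode) {
            return Verdict::Fail(a.path);
        }
    }
    Verdict::Pass
}

fn main() {
    let alice = Subject { uid: 1000, gids: vec![1000] };
    let path = [
        Ancestor { path: "/", stat: Some((0, 0, 0o755)) },
        Ancestor { path: "/srv", stat: Some((1000, 1000, 0o075)) }, // owner lacks +x
    ];
    println!("{:?}", check_traversal(&alice, &path)); // Fail("/srv")
}
```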