1.\" 2.\" Sun Microsystems, Inc. gratefully acknowledges The Open Group for 3.\" permission to reproduce portions of its copyrighted documentation. 4.\" Original documentation from The Open Group can be obtained online at 5.\" http://www.opengroup.org/bookstore/. 6.\" 7.\" The Institute of Electrical and Electronics Engineers and The Open 8.\" Group, have given us permission to reprint portions of their 9.\" documentation. 10.\" 11.\" In the following statement, the phrase ``this text'' refers to portions 12.\" of the system documentation. 13.\" 14.\" Portions of this text are reprinted and reproduced in electronic form 15.\" in the SunOS Reference Manual, from IEEE Std 1003.1, 2004 Edition, 16.\" Standard for Information Technology -- Portable Operating System 17.\" Interface (POSIX), The Open Group Base Specifications Issue 6, 18.\" Copyright (C) 2001-2004 by the Institute of Electrical and Electronics 19.\" Engineers, Inc and The Open Group. In the event of any discrepancy 20.\" between these versions and the original IEEE and The Open Group 21.\" Standard, the original IEEE and The Open Group Standard is the referee 22.\" document. The original Standard can be obtained online at 23.\" http://www.opengroup.org/unix/online.html. 24.\" 25.\" This notice shall appear on any product containing this material. 26.\" 27.\" The contents of this file are subject to the terms of the 28.\" Common Development and Distribution License (the "License"). 29.\" You may not use this file except in compliance with the License. 30.\" 31.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 32.\" or http://www.opensolaris.org/os/licensing. 33.\" See the License for the specific language governing permissions 34.\" and limitations under the License. 35.\" 36.\" When distributing Covered Code, include this CDDL HEADER in each 37.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE. 38.\" If applicable, add the following below this CDDL HEADER, with the 39.\" fields enclosed by brackets "[]" replaced with your own identifying 40.\" information: Portions Copyright [yyyy] [name of copyright owner] 41.\" 42.\" 43.\" Copyright 1989 AT&T. 44.\" Portions Copyright (c) 1992, X/Open Company Limited. All Rights Reserved. 45.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved. 46.\" Copyright 2014 Garrett D'Amore <garrett@damore.org> 47.\" Copyright 2015, Joyent, Inc. 48.\" Copyright 2024 Oxide Computer Company 49.\" 50.Dd June 21, 2024 51.Dt EXEC 2 52.Os 53.Sh NAME 54.Nm exec , 55.Nm execl , 56.Nm execle , 57.Nm execlp , 58.Nm execv , 59.Nm execve , 60.Nm execvp , 61.Nm execvpe , 62.Nm fexecve 63.Nd execute a file 64.Sh SYNOPSIS 65.In unistd.h 66.Ft int 67.Fo execl 68.Fa "const char *path" 69.Fa "const char *arg0" 70.Fa "..." 71.Fa NULL 72.Fc 73.Ft int 74.Fo execv 75.Fa "const char *path" 76.Fa "char *const argv[]" 77.Fc 78.Ft int 79.Fo execle 80.Fa "const char *path" 81.Fa "const char *arg0" 82.Fa "..." 83.Fa NULL 84.Fa "char *const envp[]" 85.Fc 86.Ft int 87.Fo execve 88.Fa "const char *path" 89.Fa "char *const argv[]" 90.Fa "char *const envp[]" 91.Fc 92.Ft int 93.Fo execlp 94.Fa "const char *file" 95.Fa "const char *arg0" 96.Fa "..." 97.Fa NULL 98.Fc 99.Ft int 100.Fo execvp 101.Fa "const char *file" 102.Fa "char *const argv[]" 103.Fc 104.Ft int 105.Fo execvpe 106.Fa "const char *file" 107.Fa "char *const argv[]" 108.Fa "char *const envp[]" 109.Fc 110.Ft int 111.Fo fexecve 112.Fa "int fd" 113.Fa "char *const argv[]" 114.Fa "char *const envp[]" 115.Fc 116.Sh DESCRIPTION 117Each of the functions in the 118.Nm 119family replaces the current process image with a new process image. 120The new image is constructed from a regular, executable file called the new 121process image file. 122This file is either an executable object file or a file of data for an 123interpreter. 124There is no return from a successful call to one of these functions because the 125calling process image is overlaid by the new process image. 126.Pp 127An interpreter file begins with a line of the form 128.Pp 129.Dl #! Pa pathname Op Ar arg 130.Pp 131where 132.Pa pathname 133is the path of the interpreter, and 134.Ar arg 135is an optional argument. 136When an interpreter file is executed, the system invokes the specified 137interpreter. 138The pathname specified in the interpreter file is passed as 139.Fa arg0 140to the interpreter. 141If 142.Ar arg 143was specified in the interpreter file, it is passed as 144.Fa arg1 145to the interpreter. 146The remaining arguments to the interpreter are 147.Fa arg0 148through 149.Fa argn 150of the originally exec'd file. 151The interpreter named by 152.Pa pathname 153may also be an interpreter file. 154There can be up to four nested interpreter files before the final interpreter. 155The setid bits on nested interpreters are silently ignored. 156.Pp 157When a C-language program is executed as a result of this call, it is entered 158as a C-language function call as follows: 159.Pp 160.Dl int main Ns (int Fa argc Ns No , char * Ns Fa argv[])\&; 161.Pp 162where 163.Fa argc 164is the argument count and 165.Fa argv 166is an array of character pointers to the arguments themselves. 167In addition, the following variable: 168.Pp 169.Dl Va "extern char **environ\&;" 170.Pp 171is initialized as a pointer to an array of character pointers to the 172environment strings. 173The 174.Fa argv 175and 176.Va environ 177arrays are each terminated by a null pointer. 178The null pointer terminating the 179.Fa argv 180array is not counted in 181.Fa argc . 182.Pp 183The value of 184.Fa argc 185is non-negative, and if greater than 0, 186.Fa argv[0] 187points to a string containing the name of the file. 188If 189.Fa argc 190is 0, 191.Fa argv[0] 192is a null pointer, in which case there are no arguments. 193Applications should verify that 194.Fa argc 195is greater than 0 or that 196.Fa argv[0] 197is not a null pointer before dereferencing 198.Fa argv[0] . 199.Pp 200The arguments specified by a program with one of the 201.Nm 202functions are passed on to the new process image in the 203.Fn main 204arguments. 205.Pp 206The 207.Fa path 208argument points to a path name that identifies the new process image file. 209.Pp 210The 211.Fa file 212argument is used to construct a pathname that identifies the new process image 213file. 214If the 215.Fa file 216argument contains a slash character, it is used as the pathname for this file. 217Otherwise, the path prefix for this file is obtained by a search of the 218directories passed in the 219.Ev PATH 220environment variable 221.Po 222see 223.Xr environ 7 224.Pc . 225The environment is supplied typically by the shell. 226If the process image file is not a valid executable object file, 227.Fn execlp , 228.Fn execvp , 229and 230.Fn execvpe 231use the contents of that file as standard input to the shell. 232In this case, the shell becomes the new process image. 233The standard to which the caller conforms determines which shell is used. 234See 235.Xr standards 7 . 236.Pp 237The 238.Fn fexecve 239function is equivalent to 240.Fn execve , 241except that instead of using a named file, the file referenced by the file 242descriptor 243.Fa fd 244is used. 245Note that this file descriptor must reference a regular file which has 246typically been opened with 247.Dv O_EXEC . 248defined in 249.In fcntl.h . 250The image is loaded from offset zero of the file, regardless of the offset of 251fd. 252.Pp 253The arguments represented by 254.Fa arg0 Ns No \&... 255are pointers to null-terminated character strings. 256These strings constitute the argument list available to the new process image. 257The list is terminated by a null pointer. 258The 259.Fa arg0 260argument should point to a filename that is associated with the process being 261started by one of the 262.Nm 263functions. 264.Pp 265The 266.Fa argv 267argument is an array of character pointers to null-terminated strings. 268The last member of this array must be a null pointer. 269These strings constitute the argument list available to the new process image. 270The value in 271.Fa argv[0] 272should point to a filename that is associated with the process being started by 273one of the 274.Nm 275functions. 276.Pp 277The 278.Fa envp 279argument is an array of character pointers to null-terminated strings. 280These strings constitute the environment for the new process image. 281The 282.Fa envp 283array is terminated by a null pointer. 284For 285.Fn execl , 286.Fn execv , 287.Fn execvp , 288and 289.Fn execlp , 290the C-language run-time start-off routine places a pointer to the environment 291of the calling process in the global object 292.Va extern char **environ , 293and it is used to pass the environment of the calling process to the new 294process image. 295.Pp 296The number of bytes available for the new process's combined argument and 297environment lists is 298.Dv ARG_MAX . 299It is implementation-dependent whether null terminators, pointers, and/or any 300alignment bytes are included in this total. 301.Pp 302File descriptors open in the calling process image remain open in the new 303process image, except for those whose close-on-exec flag 304.Dv FD_CLOEXEC 305is set; see 306.Xr fcntl 2 . 307For those file descriptors that remain open, all attributes of the open file 308description, including file locks and the disposition of the close-on-fork flag 309.Dv FD_CLOFORK , 310remain unchanged. 311.Pp 312The preferred hardware address translation size 313.Po 314see 315.Xr memcntl 2 316.Pc 317for the stack and heap of the new process image are set to the default system 318page size. 319.Pp 320Directory streams open in the calling process image are closed in the new 321process image. 322.Pp 323The state of conversion descriptors and message catalogue descriptors in the 324new process image is undefined. 325For the new process, the equivalent of: 326.Pp 327.Dl setlocale(LC_ALL, \&"C"); 328.Pp 329is executed at startup. 330.Pp 331Signals set to the default action 332.Po 333.Dv SIG_DFL 334.Pc 335in the calling process image are set to the default action in the new process 336image 337.Po 338see 339.Xr signal 3C 340.Pc . 341Signals set to be ignored 342.Po 343.Dv SIG_IGN 344.Pc 345by the calling process image are set to be ignored by the new process image. 346Signals set to be caught by the calling process image are set to the default 347action in the new process image 348.Po 349see 350.Xr signal.h 3HEAD 351.Pc . 352After a successful call to any of the 353.Nm 354functions, alternate signal stacks are not preserved and the 355.Dv SA_ONSTACK 356flag is cleared for all signals. 357.Pp 358After a successful call to any of the 359.Nm 360functions, any functions previously registered by 361.Xr atexit 3C 362are no longer registered. 363.Pp 364The saved resource limits in the new process image are set to be a copy of the 365process's corresponding hard and soft resource limits. 366.Pp 367If the 368.Dv ST_NOSUID 369bit is set for the file system containing the new process image file, then the 370effective user ID and effective group ID are unchanged in the new process 371image. 372If the set-user-ID mode bit of the new process image file is set 373.Po 374see 375.Xr chmod 2 376.Pc , 377the effective user ID of the new process image is set to the owner ID of the 378new process image file. 379Similarly, if the set-group-ID mode bit of the new process image file is set, 380the effective group ID of the new process image is set to the group ID of the 381new process image file. 382The real user ID and real group ID of the new process image remain the same as 383those of the calling process image. 384The effective user ID and effective group ID of the new process image are saved 385.Pq as the saved set-user-ID and the saved set-group-ID 386for use by 387.Xr setuid 2 . 388.Pp 389The privilege sets are changed according to the following rules: 390.Bl -enum -offset indent 391.It 392The inheritable set, I, is intersected with the limit set, L. 393This mechanism enforces the limit set for processes. 394.It 395The effective set, E, and the permitted set, P, are made equal to the new 396inheritable set. 397.El 398.Pp 399The system attempts to set the privilege-aware state to non-PA both before 400performing any modifications to the process IDs and privilege sets as well as 401after completing the transition to new UIDs and privilege sets, following the 402rules outlined in 403.Xr privileges 7 . 404.Pp 405If the 406.Brq Dv PRIV_PROC_OWNER 407privilege is asserted in the effective set, the set-user-ID and set-group-ID 408bits will be honored when the process is being controlled by 409.Xr ptrace 3C . 410Additional restrictions can apply when the traced process has an effective UID 411of 0. 412See 413.Xr privileges 7 . 414.Pp 415Any shared memory segments attached to the calling process image will not be 416attached to the new process image 417.Po 418see 419.Xr shmop 2 420.Pc . 421Any mappings established through 422.Fn mmap 423are not preserved across an 424.Nm . 425Memory mappings created in the process are unmapped before the address space is 426rebuilt for the new process image. 427See 428.Xr mmap 2 . 429.Pp 430Memory locks established by the calling process via calls to 431.Xr mlockall 3C 432or 433.Xr mlock 3C 434are removed. 435If locked pages in the address space of the calling process are also mapped 436into the address spaces the locks established by the other processes will be 437unaffected by the call by this process to the 438.Nm 439function. 440If the 441.Nm 442function fails, the effect on memory locks is unspecified. 443.Pp 444If 445.Dv _XOPEN_REALTIME 446is defined and has a value other than \-1, any named semaphores open in the 447calling process are closed as if by appropriate calls to 448.Xr sem_close 3C . 449.Pp 450Profiling is disabled for the new process; see 451.Xr profil 2 . 452.Pp 453Timers created by the calling process with 454.Xr timer_create 3C 455are deleted before replacing the current process image with the new process 456image. 457.Pp 458For the 459.Dv SCHED_FIFO 460and 461.Dv SCHED_RR 462scheduling policies, the policy and priority settings are not changed by a call 463to an 464.Nm 465function. 466.Pp 467All open message queue descriptors in the calling process are closed, as 468described in 469.Xr mq_close 3C . 470.Pp 471Any outstanding asynchronous I/O operations may be cancelled. 472Those asynchronous I/O operations that are not canceled will complete as if the 473.Nm 474function had not yet occurred, but any associated signal notifications are 475suppressed. 476It is unspecified whether the 477.Nm 478function itself blocks awaiting such I/O completion. 479In no event, however, will the new process image created by the 480.Nm 481function be affected by the presence of outstanding asynchronous I/O operations 482at the time the 483.Nm 484function is called. 485.Pp 486All active contract templates are cleared 487.Po 488see 489.Xr contract 5 490.Pc . 491.Pp 492The new process also inherits the following attributes from the calling process: 493.Bl -bullet -offset Ds 494.It 495controlling terminal 496.It 497current working directory 498.It 499file-locks 500.Po 501see 502.Xr fcntl 2 503and 504.Xr lockf 3C 505.Pc 506.It 507file mode creation mask 508.Po 509see 510.Xr umask 2 511.Pc 512.It 513file size limit 514.Po 515see 516.Xr ulimit 2 517.Pc 518.It 519limit privilege set 520.It 521nice value 522.Po 523see 524.Xr nice 2 525.Pc 526.It 527parent process ID 528.It 529pending signals 530.Po 531see 532.Xr sigpending 2 533.Pc 534.It 535privilege debugging flag 536.Po 537see 538.Xr privileges 7 539and 540.Xr getpflags 2 541.Pc 542.It 543process ID 544.It 545process contract 546.Po 547see 548.Xr contract 5 549and 550.Xr process 5 551.Pc 552.It 553process group ID 554.It 555process signal mask 556.Po 557see 558.Xr sigprocmask 2 559.Pc 560.It 561processor bindings 562.Po 563see 564.Xr processor_bind 2 565.Pc 566.It 567processor set bindings 568.Po 569see 570.Xr pset_bind 2 571.Pc 572.It 573project ID 574.It 575real group ID 576.It 577real user ID 578.It 579resource limits 580.Po 581see 582.Xr getrlimit 2 583.Pc 584.It 585root directory 586.It 587scheduler class and priority 588.Po 589see 590.Xr priocntl 2 591.Pc 592.It 593semadj values 594.Po 595see 596.Xr semop 2 597.Pc 598.It 599session membership 600.Po 601see 602.Xr exit 2 603and 604.Xr signal 3C 605.Pc 606.It 607supplementary group IDs 608.It 609task ID 610.It 611time left until an alarm clock signal 612.Po 613see 614.Xr alarm 2 615.Pc 616.It 617.Fa tms_utime , 618.Fa tms_stime , 619.Fa tms_cutime , 620and 621.Fa tms_cstime 622.Po 623see 624.Xr times 2 625.Pc 626.It 627trace flag 628.Po 629see 630.Xr ptrace 3C 631request 0 632.Pc 633.El 634.Pp 635A call to any 636.Nm 637function from a process with more than one thread results in all threads being 638terminated and the new executable image being loaded and executed. 639No destructor functions will be called. 640.Pp 641Upon successful completion, each of the functions in the 642.Nm 643family marks for update the 644.Fa st_atime 645field of the file. 646If an 647.Nm 648function failed but was able to locate the process image file, whether the 649.Fa st_atime 650field is marked for update is unspecified. 651Should the function succeed, the process image file is considered to have been 652opened with 653.Xr open 2 . 654The corresponding 655.Xr close 2 656is considered to occur at a time after this open, but before process 657termination or successful completion of a subsequent call to one of the 658.Nm 659functions. 660The 661.Fa argv[] 662and 663.Fa envp[] 664arrays of pointers and the strings to which those arrays point will not be 665modified by a call to one of the 666.Nm 667functions, except as a consequence of replacing the process image. 668.Pp 669The saved resource limits in the new process image are set to be a copy of the 670process's corresponding hard and soft limits. 671.Sh RETURN VALUES 672If a function in the 673.Nm 674family returns to the calling process image, an error has occurred; the return 675value is \-1 and 676.Va errno 677is set to indicate the error. 678.Sh ERRORS 679The 680.Nm 681functions will fail if: 682.Bl -tag -width Er 683.It Er E2BIG 684The number of bytes in the new process's argument list is greater than the 685system-imposed limit of 686.Dv ARG_MAX 687bytes. 688The argument list limit is sum of the size of the argument list plus the size 689of the environment's exported shell variables. 690.It Er EACCES 691Search permission is denied for a directory listed in the new process file's 692path prefix. 693.Pp 694The new process file is not an ordinary file. 695.Pp 696The new process file mode denies execute permission. 697.Pp 698The 699.Brq Dv FILE_DAC_SEARCH 700privilege overrides the restriction on directory searches. 701.Pp 702The 703.Brq Dv FILE_DAC_EXECUTE 704privilege overrides the lack of execute permission. 705.It Er EAGAIN 706Total amount of system memory available when reading using raw I/O is 707temporarily insufficient. 708.It Er EFAULT 709An argument points to an illegal address. 710.It Er EINVAL 711The new process image file has the appropriate permission and has a recognized 712executable binary format, but the system does not support execution of a file 713with this format. 714.It Er EINTR 715A signal was caught during the execution of one of the functions in the 716.Nm 717family. 718.El 719.Pp 720The 721.Nm 722functions except for 723.Fn fexecve 724will fail if: 725.Bl -tag -width Ds 726.It Er ELOOP 727Too many symbolic links were encountered in translating 728.Fa path 729or 730.Fa file , 731or too many nested interpreter files. 732.It Er ENAMETOOLONG 733The length of the 734.Fa file 735or 736.Fa path 737argument exceeds 738.Dv PATH_MAX , 739or the length of a 740.Fa file 741or 742.Fa path 743component exceeds 744.Dv NAME_MAX 745while 746.Dv _POSIX_NO_TRUNC 747is in effect. 748.It Er ENOENT 749One or more components of the new process path name of the file do not exist or 750is a null pathname. 751.It Er ENOLINK 752The 753.Fa path 754argument points to a remote machine and the link to that machine is no longer 755active. 756.It Er ENOTDIR 757A component of the new process path of the file prefix is not a directory. 758.El 759.Pp 760The 761.Nm 762functions, except for 763.Fn execlp , 764.Fn execvp , 765and 766.Fn execvpe , 767will fail if: 768.Bl -tag -width Ds 769.It Er ENOEXEC 770The new process image file has the appropriate access permission but is not in 771the proper format. 772.El 773.Pp 774The 775.Fn fexecve 776function will fail if: 777.Bl -tag -width Ds 778.It Er EBADF 779The 780.Fa fd 781argument is not a valid file descriptor opened for execution. 782.It Er ENOMEM 783There was insufficient memory for constructing the path corresponding to the 784file descriptor. 785.El 786.Pp 787The 788.Nm 789functions except for 790.Fn fexecve 791may fail if: 792.Bl -tag -width Ds 793.It Er ENAMETOOLONG 794Pathname resolution of a symbolic link produced an intermediate result whose 795length exceeds 796.Dv PATH_MAX . 797.El 798.Pp 799The 800.Nm 801functions may fail if: 802.Bl -tag -width Ds 803.It Er ENOMEM 804The new process image requires more memory than is allowed by the hardware or 805system-imposed by memory management constraints. 806See 807.Xr brk 2 . 808.It Er ETXTBSY 809The new process image file is a pure procedure 810.Pq shared text 811file that is currently open for writing by some process. 812.El 813.Sh USAGE 814As the state of conversion descriptors and message catalogue descriptors in the 815new process image is undefined, portable applications should not rely on their 816use and should close them prior to calling one of the 817.Nm 818functions. 819.Pp 820Applications that require other than the default POSIX locale should call 821.Xr setlocale 3C 822with the appropriate parameters to establish the locale of the new process. 823.Pp 824The 825.Fa environ 826array should not be accessed directly by the application. 827.Sh INTERFACE STABILITY 828.Sy Committed 829.Sh MT-LEVEL 830The 831.Fn execle , 832.Fn execve 833and 834.Fn fexecve 835functions are 836.Sy Async-Signal-Safe 837.Sh SEE ALSO 838.Xr ksh 1 , 839.Xr ps 1 , 840.Xr sh 1 , 841.Xr alarm 2 , 842.Xr brk 2 , 843.Xr chmod 2 , 844.Xr close 2 , 845.Xr exit 2 , 846.Xr fcntl 2 , 847.Xr fork 2 , 848.Xr getpflags 2 , 849.Xr getrlimit 2 , 850.Xr memcntl 2 , 851.Xr mmap 2 , 852.Xr nice 2 , 853.Xr open 2 , 854.Xr priocntl 2 , 855.Xr processor_bind 2 , 856.Xr profil 2 , 857.Xr pset_bind 2 , 858.Xr semop 2 , 859.Xr setuid 2 , 860.Xr shmop 2 , 861.Xr sigpending 2 , 862.Xr sigprocmask 2 , 863.Xr times 2 , 864.Xr ulimit 2 , 865.Xr umask 2 , 866.Xr atexit 3C , 867.Xr lockf 3C , 868.Xr mlock 3C , 869.Xr mlockall 3C , 870.Xr mq_close 3C , 871.Xr ptrace 3C , 872.Xr sem_close 3C , 873.Xr setlocale 3C , 874.Xr signal 3C , 875.Xr system 3C , 876.Xr timer_create 3C , 877.Xr signal.h 3HEAD , 878.Xr a.out 5 , 879.Xr contract 5 , 880.Xr process 5 , 881.Xr attributes 7 , 882.Xr environ 7 , 883.Xr privileges 7 , 884.Xr standards 7 885.Sh WARNINGS 886If a program is setuid to a user ID other than the superuser, and the program 887is executed when the real user ID is super-user, then the program has some of 888the powers of a super-user as well. 889