xref: /freebsd/lib/libsys/execve.2 (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1.\" Copyright (c) 1980, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.Dd January 26, 2022
29.Dt EXECVE 2
30.Os
31.Sh NAME
32.Nm execve ,
33.Nm fexecve
34.Nd execute a file
35.Sh LIBRARY
36.Lb libc
37.Sh SYNOPSIS
38.In unistd.h
39.Ft int
40.Fn execve "const char *path" "char *const argv[]" "char *const envp[]"
41.Ft int
42.Fn fexecve "int fd" "char *const argv[]" "char *const envp[]"
43.Sh DESCRIPTION
44The
45.Fn execve
46system call
47transforms the calling process into a new process.
48The new process is constructed from an ordinary file,
49whose name is pointed to by
50.Fa path ,
51called the
52.Em new process file .
53The
54.Fn fexecve
55system call is equivalent to
56.Fn execve
57except that the file to be executed is determined by the file
58descriptor
59.Fa fd
60instead of a
61.Fa path .
62This file is either an executable object file,
63or a file of data for an interpreter.
64An executable object file consists of an identifying header,
65followed by pages of data representing the initial program (text)
66and initialized data pages.
67Additional pages may be specified
68by the header to be initialized with zero data; see
69.Xr elf 5
70and
71.Xr a.out 5 .
72.Pp
73An interpreter file begins with a line of the form:
74.Pp
75.Bd -ragged -offset indent -compact
76.Sy \&#!
77.Em interpreter
78.Bq Em arg
79.Ed
80.Pp
81When an interpreter file is
82.Sy execve Ap d ,
83the system actually
84.Sy execve Ap s
85the specified
86.Em interpreter .
87If the optional
88.Em arg
89is specified, it becomes the first argument to the
90.Em interpreter ,
91and the name of the originally
92.Sy execve Ap d
93file becomes the second argument;
94otherwise, the name of the originally
95.Sy execve Ap d
96file becomes the first argument.
97The original arguments are shifted over to
98become the subsequent arguments.
99The zeroth argument is set to the specified
100.Em interpreter .
101.Pp
102The argument
103.Fa argv
104is a pointer to a null-terminated array of
105character pointers to null-terminated character strings.
106These strings construct the argument list to be made available to the new
107process.
108At least one argument must be present in
109the array; by custom, the first element should be
110the name of the executed program (for example, the last component of
111.Fa path ) .
112.Pp
113The argument
114.Fa envp
115is also a pointer to a null-terminated array of
116character pointers to null-terminated strings.
117A pointer to this array is normally stored in the global variable
118.Va environ .
119These strings pass information to the
120new process that is not directly an argument to the command (see
121.Xr environ 7 ) .
122.Pp
123File descriptors open in the calling process image remain open in
124the new process image, except for those for which the close-on-exec
125flag is set (see
126.Xr close 2
127and
128.Xr fcntl 2 ) .
129Descriptors that remain open are unaffected by
130.Fn execve .
131If any of the standard descriptors (0, 1, and/or 2) are closed at the
132time
133.Fn execve
134is called, and the process will gain privilege as a result of set-id
135semantics, those descriptors will be re-opened automatically.
136No programs, whether privileged or not, should assume that these descriptors
137will remain closed across a call to
138.Fn execve .
139.Pp
140Signals set to be ignored in the calling process are set to be ignored in
141the
142new process.
143Signals which are set to be caught in the calling process image
144are set to default action in the new process image.
145Blocked signals remain blocked regardless of changes to the signal action.
146The signal stack is reset to be undefined (see
147.Xr sigaction 2
148for more information).
149.Pp
150If the set-user-ID mode bit of the new process image file is set
151(see
152.Xr chmod 2 ) ,
153the effective user ID of the new process image is set to the owner ID
154of the new process image file.
155If the set-group-ID mode bit of the new process image file is set,
156the effective group ID of the new process image is set to the group ID
157of the new process image file.
158(The effective group ID is the first element of the group list.)
159The real user ID, real group ID and
160other group IDs of the new process image remain the same as the calling
161process image.
162After any set-user-ID and set-group-ID processing,
163the effective user ID is recorded as the saved set-user-ID,
164and the effective group ID is recorded as the saved set-group-ID.
165These values may be used in changing the effective IDs later (see
166.Xr setuid 2 ) .
167.Pp
168The set-ID bits are not honored if the respective file system has the
169.Cm nosuid
170option enabled or if the new process file is an interpreter file.
171Syscall
172tracing is disabled if effective IDs are changed.
173.Pp
174The new process also inherits the following attributes from
175the calling process:
176.Pp
177.Bl -column parent_process_ID -offset indent -compact
178.It process ID Ta see Xr getpid 2
179.It parent process ID Ta see Xr getppid 2
180.It process group ID Ta see Xr getpgrp 2
181.It access groups Ta see Xr getgroups 2
182.It working directory Ta see Xr chdir 2
183.It root directory Ta see Xr chroot 2
184.It control terminal Ta see Xr termios 4
185.It resource usages Ta see Xr getrusage 2
186.It interval timers Ta see Xr getitimer 2
187.It resource limits Ta see Xr getrlimit 2
188.It file mode mask Ta see Xr umask 2
189.It signal mask Ta see Xr sigaction 2 ,
190.Xr sigprocmask 2
191.El
192.Pp
193When a program is executed as a result of an
194.Fn execve
195system call, it is entered as follows:
196.Bd -literal -offset indent
197main(argc, argv, envp)
198int argc;
199char **argv, **envp;
200.Ed
201.Pp
202where
203.Fa argc
204is the number of elements in
205.Fa argv
206(the ``arg count'')
207and
208.Fa argv
209points to the array of character pointers
210to the arguments themselves.
211.Pp
212The
213.Fn fexecve
214ignores the file offset of
215.Fa fd .
216Since execute permission is checked by
217.Fn fexecve ,
218the file descriptor
219.Fa fd
220need not have been opened with the
221.Dv O_EXEC
222flag.
223However, if the file to be executed denies read permission for the process
224preparing to do the exec, the only way to provide the
225.Fa fd
226to
227.Fn fexecve
228is to use the
229.Dv O_EXEC
230flag when opening
231.Fa fd .
232Note that the file to be executed can not be open for writing.
233.Sh RETURN VALUES
234As the
235.Fn execve
236system call overlays the current process image
237with a new process image the successful call
238has no process to return to.
239If
240.Fn execve
241does return to the calling process an error has occurred; the
242return value will be -1 and the global variable
243.Va errno
244is set to indicate the error.
245.Sh ERRORS
246The
247.Fn execve
248system call
249will fail and return to the calling process if:
250.Bl -tag -width Er
251.It Bq Er ENOTDIR
252A component of the path prefix is not a directory.
253.It Bq Er ENAMETOOLONG
254A component of a pathname exceeded 255 characters,
255or an entire path name exceeded 1023 characters.
256.It Bq Er ENOEXEC
257When invoking an interpreted script, the length of the first line,
258inclusive of the
259.Sy \&#!
260prefix and terminating newline, exceeds
261.Dv MAXSHELLCMDLEN
262characters.
263.It Bq Er ENOENT
264The new process file does not exist.
265.It Bq Er ELOOP
266Too many symbolic links were encountered in translating the pathname.
267.It Bq Er EACCES
268Search permission is denied for a component of the path prefix.
269.It Bq Er EACCES
270The new process file is not an ordinary file.
271.It Bq Er EACCES
272The new process file mode denies execute permission.
273.It Bq Er EINVAL
274.Fa argv
275did not contain at least one element.
276.It Bq Er ENOEXEC
277The new process file has the appropriate access
278permission, but has an invalid magic number in its header.
279.It Bq Er ETXTBSY
280The new process file is a pure procedure (shared text)
281file that is currently open for writing by some process.
282.It Bq Er ENOMEM
283The new process requires more virtual memory than
284is allowed by the imposed maximum
285.Pq Xr getrlimit 2 .
286.It Bq Er E2BIG
287The number of bytes in the new process' argument list
288is larger than the system-imposed limit.
289This limit is specified by the
290.Xr sysctl 3
291MIB variable
292.Dv KERN_ARGMAX .
293.It Bq Er EFAULT
294The new process file is not as long as indicated by
295the size values in its header.
296.It Bq Er EFAULT
297The
298.Fa path ,
299.Fa argv ,
300or
301.Fa envp
302arguments
303point
304to an illegal address.
305.It Bq Er EIO
306An I/O error occurred while reading from the file system.
307.It Bq Er EINTEGRITY
308Corrupted data was detected while reading from the file system.
309.El
310.Pp
311In addition, the
312.Fn fexecve
313will fail and return to the calling process if:
314.Bl -tag -width Er
315.It Bq Er EBADF
316The
317.Fa fd
318argument is not a valid file descriptor open for executing.
319.El
320.Sh SEE ALSO
321.Xr ktrace 1 ,
322.Xr _exit 2 ,
323.Xr fork 2 ,
324.Xr open 2 ,
325.Xr execl 3 ,
326.Xr exit 3 ,
327.Xr sysctl 3 ,
328.Xr a.out 5 ,
329.Xr elf 5 ,
330.Xr fdescfs 5 ,
331.Xr environ 7 ,
332.Xr mount 8
333.Sh STANDARDS
334The
335.Fn execve
336system call conforms to
337.St -p1003.1-2001 ,
338with the exception of reopening descriptors 0, 1, and/or 2 in certain
339circumstances.
340A future update of the Standard is expected to require this behavior,
341and it may become the default for non-privileged processes as well.
342.\" NB: update this caveat when TC1 is blessed.
343The support for executing interpreted programs is an extension.
344The
345.Fn fexecve
346system call conforms to The Open Group Extended API Set 2 specification.
347.Sh HISTORY
348The
349.Fn execve
350system call appeared in
351.At v7 .
352The
353.Fn fexecve
354system call appeared in
355.Fx 8.0 .
356.Sh CAVEATS
357If a program is
358.Em setuid
359to a non-super-user, but is executed when
360the real
361.Em uid
362is ``root'', then the program has some of the powers
363of a super-user as well.
364.Pp
365When executing an interpreted program through
366.Fn fexecve ,
367kernel supplies
368.Pa /dev/fd/n
369as a second argument to the interpreter,
370where
371.Ar n
372is the file descriptor passed in the
373.Fa fd
374argument to
375.Fn fexecve .
376For this construction to work correctly, the
377.Xr fdescfs 5
378filesystem shall be mounted on
379.Pa /dev/fd .
380