1.\" Copyright (c) 1980, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.Dd January 26, 2022 29.Dt EXECVE 2 30.Os 31.Sh NAME 32.Nm execve , 33.Nm fexecve 34.Nd execute a file 35.Sh LIBRARY 36.Lb libc 37.Sh SYNOPSIS 38.In unistd.h 39.Ft int 40.Fn execve "const char *path" "char *const argv[]" "char *const envp[]" 41.Ft int 42.Fn fexecve "int fd" "char *const argv[]" "char *const envp[]" 43.Sh DESCRIPTION 44The 45.Fn execve 46system call 47transforms the calling process into a new process. 48The new process is constructed from an ordinary file, 49whose name is pointed to by 50.Fa path , 51called the 52.Em new process file . 53The 54.Fn fexecve 55system call is equivalent to 56.Fn execve 57except that the file to be executed is determined by the file 58descriptor 59.Fa fd 60instead of a 61.Fa path . 62This file is either an executable object file, 63or a file of data for an interpreter. 64An executable object file consists of an identifying header, 65followed by pages of data representing the initial program (text) 66and initialized data pages. 67Additional pages may be specified 68by the header to be initialized with zero data; see 69.Xr elf 5 70and 71.Xr a.out 5 . 72.Pp 73An interpreter file begins with a line of the form: 74.Pp 75.Bd -ragged -offset indent -compact 76.Sy \&#! 77.Em interpreter 78.Bq Em arg 79.Ed 80.Pp 81When an interpreter file is 82.Sy execve Ap d , 83the system actually 84.Sy execve Ap s 85the specified 86.Em interpreter . 87If the optional 88.Em arg 89is specified, it becomes the first argument to the 90.Em interpreter , 91and the name of the originally 92.Sy execve Ap d 93file becomes the second argument; 94otherwise, the name of the originally 95.Sy execve Ap d 96file becomes the first argument. 97The original arguments are shifted over to 98become the subsequent arguments. 99The zeroth argument is set to the specified 100.Em interpreter . 101.Pp 102The argument 103.Fa argv 104is a pointer to a null-terminated array of 105character pointers to null-terminated character strings. 106These strings construct the argument list to be made available to the new 107process. 108At least one argument must be present in 109the array; by custom, the first element should be 110the name of the executed program (for example, the last component of 111.Fa path ) . 112.Pp 113The argument 114.Fa envp 115is also a pointer to a null-terminated array of 116character pointers to null-terminated strings. 117A pointer to this array is normally stored in the global variable 118.Va environ . 119These strings pass information to the 120new process that is not directly an argument to the command (see 121.Xr environ 7 ) . 122.Pp 123File descriptors open in the calling process image remain open in 124the new process image, except for those for which the close-on-exec 125flag is set (see 126.Xr close 2 127and 128.Xr fcntl 2 ) . 129Descriptors that remain open are unaffected by 130.Fn execve . 131If any of the standard descriptors (0, 1, and/or 2) are closed at the 132time 133.Fn execve 134is called, and the process will gain privilege as a result of set-id 135semantics, those descriptors will be re-opened automatically. 136No programs, whether privileged or not, should assume that these descriptors 137will remain closed across a call to 138.Fn execve . 139.Pp 140Signals set to be ignored in the calling process are set to be ignored in 141the 142new process. 143Signals which are set to be caught in the calling process image 144are set to default action in the new process image. 145Blocked signals remain blocked regardless of changes to the signal action. 146The signal stack is reset to be undefined (see 147.Xr sigaction 2 148for more information). 149.Pp 150If the set-user-ID mode bit of the new process image file is set 151(see 152.Xr chmod 2 ) , 153the effective user ID of the new process image is set to the owner ID 154of the new process image file. 155If the set-group-ID mode bit of the new process image file is set, 156the effective group ID of the new process image is set to the group ID 157of the new process image file. 158(The effective group ID is the first element of the group list.) 159The real user ID, real group ID and 160other group IDs of the new process image remain the same as the calling 161process image. 162After any set-user-ID and set-group-ID processing, 163the effective user ID is recorded as the saved set-user-ID, 164and the effective group ID is recorded as the saved set-group-ID. 165These values may be used in changing the effective IDs later (see 166.Xr setuid 2 ) . 167.Pp 168The set-ID bits are not honored if the respective file system has the 169.Cm nosuid 170option enabled or if the new process file is an interpreter file. 171Syscall 172tracing is disabled if effective IDs are changed. 173.Pp 174The new process also inherits the following attributes from 175the calling process: 176.Pp 177.Bl -column parent_process_ID -offset indent -compact 178.It process ID Ta see Xr getpid 2 179.It parent process ID Ta see Xr getppid 2 180.It process group ID Ta see Xr getpgrp 2 181.It access groups Ta see Xr getgroups 2 182.It working directory Ta see Xr chdir 2 183.It root directory Ta see Xr chroot 2 184.It control terminal Ta see Xr termios 4 185.It resource usages Ta see Xr getrusage 2 186.It interval timers Ta see Xr getitimer 2 187.It resource limits Ta see Xr getrlimit 2 188.It file mode mask Ta see Xr umask 2 189.It signal mask Ta see Xr sigaction 2 , 190.Xr sigprocmask 2 191.El 192.Pp 193When a program is executed as a result of an 194.Fn execve 195system call, it is entered as follows: 196.Bd -literal -offset indent 197main(argc, argv, envp) 198int argc; 199char **argv, **envp; 200.Ed 201.Pp 202where 203.Fa argc 204is the number of elements in 205.Fa argv 206(the ``arg count'') 207and 208.Fa argv 209points to the array of character pointers 210to the arguments themselves. 211.Pp 212The 213.Fn fexecve 214ignores the file offset of 215.Fa fd . 216Since execute permission is checked by 217.Fn fexecve , 218the file descriptor 219.Fa fd 220need not have been opened with the 221.Dv O_EXEC 222flag. 223However, if the file to be executed denies read permission for the process 224preparing to do the exec, the only way to provide the 225.Fa fd 226to 227.Fn fexecve 228is to use the 229.Dv O_EXEC 230flag when opening 231.Fa fd . 232Note that the file to be executed can not be open for writing. 233.Sh RETURN VALUES 234As the 235.Fn execve 236system call overlays the current process image 237with a new process image the successful call 238has no process to return to. 239If 240.Fn execve 241does return to the calling process an error has occurred; the 242return value will be -1 and the global variable 243.Va errno 244is set to indicate the error. 245.Sh ERRORS 246The 247.Fn execve 248system call 249will fail and return to the calling process if: 250.Bl -tag -width Er 251.It Bq Er ENOTDIR 252A component of the path prefix is not a directory. 253.It Bq Er ENAMETOOLONG 254A component of a pathname exceeded 255 characters, 255or an entire path name exceeded 1023 characters. 256.It Bq Er ENOEXEC 257When invoking an interpreted script, the length of the first line, 258inclusive of the 259.Sy \&#! 260prefix and terminating newline, exceeds 261.Dv MAXSHELLCMDLEN 262characters. 263.It Bq Er ENOENT 264The new process file does not exist. 265.It Bq Er ELOOP 266Too many symbolic links were encountered in translating the pathname. 267.It Bq Er EACCES 268Search permission is denied for a component of the path prefix. 269.It Bq Er EACCES 270The new process file is not an ordinary file. 271.It Bq Er EACCES 272The new process file mode denies execute permission. 273.It Bq Er EINVAL 274.Fa argv 275did not contain at least one element. 276.It Bq Er ENOEXEC 277The new process file has the appropriate access 278permission, but has an invalid magic number in its header. 279.It Bq Er ETXTBSY 280The new process file is a pure procedure (shared text) 281file that is currently open for writing by some process. 282.It Bq Er ENOMEM 283The new process requires more virtual memory than 284is allowed by the imposed maximum 285.Pq Xr getrlimit 2 . 286.It Bq Er E2BIG 287The number of bytes in the new process' argument list 288is larger than the system-imposed limit. 289This limit is specified by the 290.Xr sysctl 3 291MIB variable 292.Dv KERN_ARGMAX . 293.It Bq Er EFAULT 294The new process file is not as long as indicated by 295the size values in its header. 296.It Bq Er EFAULT 297The 298.Fa path , 299.Fa argv , 300or 301.Fa envp 302arguments 303point 304to an illegal address. 305.It Bq Er EIO 306An I/O error occurred while reading from the file system. 307.It Bq Er EINTEGRITY 308Corrupted data was detected while reading from the file system. 309.El 310.Pp 311In addition, the 312.Fn fexecve 313will fail and return to the calling process if: 314.Bl -tag -width Er 315.It Bq Er EBADF 316The 317.Fa fd 318argument is not a valid file descriptor open for executing. 319.El 320.Sh SEE ALSO 321.Xr ktrace 1 , 322.Xr _exit 2 , 323.Xr fork 2 , 324.Xr open 2 , 325.Xr execl 3 , 326.Xr exit 3 , 327.Xr sysctl 3 , 328.Xr a.out 5 , 329.Xr elf 5 , 330.Xr fdescfs 5 , 331.Xr environ 7 , 332.Xr mount 8 333.Sh STANDARDS 334The 335.Fn execve 336system call conforms to 337.St -p1003.1-2001 , 338with the exception of reopening descriptors 0, 1, and/or 2 in certain 339circumstances. 340A future update of the Standard is expected to require this behavior, 341and it may become the default for non-privileged processes as well. 342.\" NB: update this caveat when TC1 is blessed. 343The support for executing interpreted programs is an extension. 344The 345.Fn fexecve 346system call conforms to The Open Group Extended API Set 2 specification. 347.Sh HISTORY 348The 349.Fn execve 350system call appeared in 351.At v7 . 352The 353.Fn fexecve 354system call appeared in 355.Fx 8.0 . 356.Sh CAVEATS 357If a program is 358.Em setuid 359to a non-super-user, but is executed when 360the real 361.Em uid 362is ``root'', then the program has some of the powers 363of a super-user as well. 364.Pp 365When executing an interpreted program through 366.Fn fexecve , 367kernel supplies 368.Pa /dev/fd/n 369as a second argument to the interpreter, 370where 371.Ar n 372is the file descriptor passed in the 373.Fa fd 374argument to 375.Fn fexecve . 376For this construction to work correctly, the 377.Xr fdescfs 5 378filesystem shall be mounted on 379.Pa /dev/fd . 380