1.\" Copyright (c) 1980, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.Dd January 3, 2025 29.Dt OPEN 2 30.Os 31.Sh NAME 32.Nm open , openat 33.Nd open or create a file for reading, writing or executing 34.Sh LIBRARY 35.Lb libc 36.Sh SYNOPSIS 37.In fcntl.h 38.Ft int 39.Fn open "const char *path" "int flags" "..." 40.Ft int 41.Fn openat "int fd" "const char *path" "int flags" "..." 42.Sh DESCRIPTION 43The file name specified by 44.Fa path 45is opened 46for either execution or reading and/or writing as specified by the 47argument 48.Fa flags 49and the file descriptor returned to the calling process. 50The 51.Fa flags 52argument may indicate the file is to be 53created if it does not exist (by specifying the 54.Dv O_CREAT 55flag). 56In this case 57.Fn open 58and 59.Fn openat 60require an additional argument 61.Fa "mode_t mode" , 62and the file is created with mode 63.Fa mode 64as described in 65.Xr chmod 2 66and modified by the process' umask value (see 67.Xr umask 2 ) . 68.Pp 69The 70.Fn openat 71function is equivalent to the 72.Fn open 73function except in the case where the 74.Fa path 75specifies a relative path. 76For 77.Fn openat 78and relative 79.Fa path , 80the file to be opened is determined relative to the directory 81associated with the file descriptor 82.Fa fd 83instead of the current working directory. 84The 85.Fa flag 86parameter and the optional fourth parameter correspond exactly to 87the parameters of 88.Fn open . 89If 90.Fn openat 91is passed the special value 92.Dv AT_FDCWD 93in the 94.Fa fd 95parameter, the current working directory is used 96and the behavior is identical to a call to 97.Fn open . 98.Pp 99When 100.Fn openat 101is called with an absolute 102.Fa path , 103it ignores the 104.Fa fd 105argument. 106.Pp 107In 108.Xr capsicum 4 109capability mode, 110.Fn open 111is not permitted. 112The 113.Fa path 114argument to 115.Fn openat 116must be strictly relative to a file descriptor 117.Fa fd ; 118that is, 119.Fa path 120must not be an absolute path and must not contain ".." components 121which cause the path resolution to escape the directory hierarchy 122starting at 123.Fa fd . 124Additionally, no symbolic link in 125.Fa path 126may target absolute path or contain escaping ".." components. 127.Fa fd 128must not be 129.Dv AT_FDCWD . 130.Pp 131If the 132.Dv vfs.lookup_cap_dotdot 133.Xr sysctl 3 134MIB is set to zero, ".." components in the paths, 135used in capability mode, 136are completely disabled. 137If the 138.Dv vfs.lookup_cap_dotdot_nonlocal 139MIB is set to zero, ".." is not allowed if found on non-local filesystem. 140.Pp 141The 142.Fa flags 143are formed by 144.Em or Ns 'ing 145the following values: 146.Pp 147.Bl -tag -width O_RESOLVE_BENEATH 148.It Dv O_RDONLY 149open for reading only 150.It Dv O_WRONLY 151open for writing only 152.It Dv O_RDWR 153open for reading and writing 154.It Dv O_EXEC 155open for execute only 156.It Dv O_SEARCH 157open for search only 158(an alias for 159.Dv O_EXEC 160typically used with 161.Dv O_DIRECTORY ) 162.It Dv O_NONBLOCK 163do not block on open 164.It Dv O_APPEND 165set file pointer to the end of the file before each write 166.It Dv O_CREAT 167create file if it does not exist 168.It Dv O_TRUNC 169truncate size to 0 170.It Dv O_EXCL 171fail if 172.Dv O_CREAT 173is set and the file exists 174.It Dv O_SHLOCK 175atomically obtain a shared lock 176.It Dv O_EXLOCK 177atomically obtain an exclusive lock 178.It Dv O_DIRECT 179read and write directly from the backing store 180.It Dv O_FSYNC 181synchronous data and metadata writes 182.Pq historical synonym for Dv O_SYNC 183.It Dv O_SYNC 184synchronous data and metadata writes 185.It Dv O_DSYNC 186synchronous data writes 187.It Dv O_NOFOLLOW 188do not follow symlinks 189.It Dv O_NOCTTY 190ignored 191.It Dv O_TTY_INIT 192ignored 193.It Dv O_DIRECTORY 194error if file is not a directory 195.It Dv O_CLOEXEC 196automatically close file on 197.Xr execve 2 198.It Dv O_VERIFY 199verify the contents of the file with 200.Xr mac_veriexec 4 201.It Dv O_RESOLVE_BENEATH 202.Pq Xr openat 2 only 203path resolution must not cross the 204.Fa fd 205directory 206.It Dv O_PATH 207record only the target path in the opened descriptor 208.It Dv O_EMPTY_PATH 209.Pq Xr openat 2 only 210open file referenced by 211.Fa fd 212if path is empty 213.El 214.Pp 215Exactly one of the flags 216.Dv O_RDONLY , 217.Dv O_WRONLY , 218.Dv O_RDWR , 219or 220.Dv O_EXEC 221must be provided. 222.Pp 223Opening a file with 224.Dv O_APPEND 225set causes each write on the resulting file descriptor 226to be appended to the end of the file. 227.Pp 228If 229.Dv O_TRUNC 230is specified and the 231file exists, the file is truncated to zero length. 232.Pp 233If 234.Dv O_EXCL 235is set with 236.Dv O_CREAT 237and the file already 238exists, 239.Fn open 240fails with 241.Er EEXIST . 242This may be used to 243implement a simple exclusive access locking mechanism. 244If 245.Dv O_EXCL 246is set and the last component of the pathname is 247a symbolic link, 248.Fn open 249will fail even if the symbolic 250link points to a non-existent name. 251.Pp 252If 253.Dv O_NONBLOCK 254is specified and the 255.Fn open 256system call would 257block for some reason (for example, waiting for 258carrier on a dialup line), 259.Fn open 260returns immediately. 261The descriptor remains in non-blocking mode for subsequent operations. 262.Pp 263If 264.Dv O_SYNC 265is used in the mask, all writes will 266immediately and synchronously be written to disk. 267.Dv O_FSYNC 268is an historical synonym for 269.Dv O_SYNC . 270.Pp 271If 272.Dv O_DSYNC 273is used in the mask, all data and metadata required to read the data will be 274synchronously written to disk, but changes to metadata such as file access and 275modification timestamps may be written later. 276.Pp 277If 278.Dv O_NOFOLLOW 279is used in the mask and the target file passed to 280.Fn open 281is a symbolic link then the 282.Fn open 283will fail. 284.Pp 285When opening a file, a lock with 286.Xr flock 2 287semantics can be obtained by setting 288.Dv O_SHLOCK 289for a shared lock, or 290.Dv O_EXLOCK 291for an exclusive lock. 292If creating a file with 293.Dv O_CREAT , 294the request for the lock will never fail 295(provided that the underlying file system supports locking). 296.Pp 297.Dv O_DIRECT 298may be used to minimize or eliminate the cache effects of reading and writing. 299The system will attempt to avoid caching the data you read or write. 300If it cannot avoid caching the data, 301it will minimize the impact the data has on the cache. 302Use of this flag can drastically reduce performance if not used with care. 303The semantics of this flag are filesystem dependent, 304and some filesystems may ignore it entirely. 305.Pp 306.Dv O_NOCTTY 307may be used to ensure the OS does not assign this file as the 308controlling terminal when it opens a tty device. 309This is the default on 310.Fx , 311but is present for 312POSIX 313compatibility. 314The 315.Fn open 316system call will not assign controlling terminals on 317.Fx . 318.Pp 319.Dv O_TTY_INIT 320may be used to ensure the OS restores the terminal attributes when 321initially opening a TTY. 322This is the default on 323.Fx , 324but is present for 325POSIX 326compatibility. 327The initial call to 328.Fn open 329on a TTY will always restore default terminal attributes on 330.Fx . 331.Pp 332.Dv O_DIRECTORY 333may be used to ensure the resulting file descriptor refers to a 334directory. 335This flag can be used to prevent applications with elevated privileges 336from opening files which are even unsafe to open with 337.Dv O_RDONLY , 338such as device nodes. 339.Pp 340.Dv O_CLOEXEC 341may be used to set 342.Dv FD_CLOEXEC 343flag for the newly returned file descriptor. 344.Pp 345.Dv O_VERIFY 346may be used to indicate to the kernel that the contents of the file should 347be verified before allowing the open to proceed. 348The details of what 349.Dq verified 350means is implementation specific. 351The run-time linker (rtld) uses this flag to ensure shared objects have 352been verified before operating on them. 353.Pp 354.Dv O_RESOLVE_BENEATH 355returns 356.Er ENOTCAPABLE 357if any intermediate component of the specified relative path does not 358reside in the directory hierarchy beneath the starting directory. 359Absolute paths or even the temporal escape from beneath of the starting 360directory is not allowed. 361.Pp 362When a directory 363is opened with 364.Dv O_SEARCH , 365execute permissions are checked at open time. 366The returned file descriptor 367may not be used for any read operations like 368.Xr getdirentries 2 . 369The primary use of this descriptor is as the lookup descriptor for the 370.Fn *at 371family of functions. 372If 373.Dv O_SEARCH 374was not requested at open time, then the 375.Fn *at 376functions use the current directory permissions for the directory referenced 377by the descriptor at the time of the 378.Fn *at 379call. 380.Pp 381.Dv O_PATH 382returns a file descriptor that can be used as a directory file descriptor for 383.Fn openat 384and other system calls taking a file descriptor argument, like 385.Xr fstatat 2 386and others. 387The other functionality of the returned file descriptor is limited to 388the following descriptor-level operations: 389.Pp 390.Bl -tag -width __acl_aclcheck_fd -offset indent -compact 391.It Xr fcntl 2 392but advisory locking is not allowed 393.It Xr dup 2 394.It Xr close 2 395.It Xr fstat 2 396.It Xr fstatfs 2 397.It Xr fchdir 2 398.It Xr fchroot 2 399.It Xr fexecve 2 400.It Xr funlinkat 2 401can be passed as the third argument 402.It Dv SCM_RIGHTS 403can be passed over a 404.Xr unix 4 405socket using a 406.Dv SCM_RIGHTS 407message 408.It Xr kqueue 2 409only with 410.Dv EVFILT_VNODE 411.It Xr __acl_get_fd 2 412.It Xr __acl_aclcheck_fd 2 413.It Xr extattr 2 414.It Xr capsicum 4 415can be passed to 416.Fn cap_*_limit 417and 418.Fn cap_*_get 419system calls (such as 420.Xr cap_rights_limit 2 ) . 421.El 422.Pp 423Other operations like 424.Xr read 2 , 425.Xr ftruncate 2 , 426and any other that operate on file and not on file descriptor (except 427.Xr fstat 2 ) , 428are not allowed. 429.Pp 430A file descriptor created with the 431.Dv O_PATH 432flag can be opened as a normal (operable) file descriptor by 433specifying it as the 434.Fa fd 435argument to 436.Fn openat 437with an empty 438.Fa path 439and the 440.Dv O_EMPTY_PATH 441flag. 442Such an open behaves as if the current path of the file referenced by 443.Fa fd 444is passed, except that path walk permissions are not checked. 445See also the description of 446.Dv AT_EMPTY_PATH 447flag for 448.Xr fstatat 2 449and related syscalls. 450.Pp 451If successful, 452.Fn open 453returns a non-negative integer, termed a file descriptor. 454It returns \-1 on failure. 455The file descriptor value returned is the lowest numbered descriptor 456currently not in use by the process. 457The file pointer used to mark the current position within the 458file is set to the beginning of the file. 459.Pp 460If a sleeping open of a device node from 461.Xr devfs 4 462is interrupted by a signal, the call always fails with 463.Er EINTR , 464even if the 465.Dv SA_RESTART 466flag is set for the signal. 467A sleeping open of a fifo (see 468.Xr mkfifo 2 ) 469is restarted as normal. 470.Pp 471When a new file is created, it is assigned the group of the directory 472which contains it. 473.Pp 474Unless 475.Dv O_CLOEXEC 476flag was specified, 477the new descriptor is set to remain open across 478.Xr execve 2 479system calls; see 480.Xr close 2 , 481.Xr fcntl 2 482and the description of the 483.Dv O_CLOEXEC 484flag. 485.Pp 486The system imposes a limit on the number of file descriptors 487open simultaneously by one process. 488The 489.Xr getdtablesize 2 490system call returns the current system limit. 491.Sh RETURN VALUES 492If successful, 493.Fn open 494and 495.Fn openat 496return a non-negative integer, termed a file descriptor. 497They return \-1 on failure, and set 498.Va errno 499to indicate the error. 500.Sh ERRORS 501The named file is opened unless: 502.Bl -tag -width Er 503.It Bq Er ENOTDIR 504A component of the path prefix is not a directory. 505.It Bq Er ENAMETOOLONG 506A component of a pathname exceeded 255 characters, 507or an entire path name exceeded 1023 characters. 508.It Bq Er ENOENT 509.Dv O_CREAT 510is not set and the named file does not exist. 511.It Bq Er ENOENT 512A component of the path name that must exist does not exist. 513.It Bq Er EACCES 514Search permission is denied for a component of the path prefix. 515.It Bq Er EACCES 516The required permissions (for reading and/or writing) 517are denied for the given flags. 518.It Bq Er EACCES 519.Dv O_TRUNC 520is specified and write permission is denied. 521.It Bq Er EACCES 522.Dv O_CREAT 523is specified, 524the file does not exist, 525and the directory in which it is to be created 526does not permit writing. 527.It Bq Er EPERM 528.Dv O_CREAT 529is specified, the file does not exist, and the directory in which it is to be 530created has its immutable flag set, see the 531.Xr chflags 2 532manual page for more information. 533.It Bq Er EPERM 534The named file has its immutable flag set and the file is to be modified. 535.It Bq Er EPERM 536The named file has its append-only flag set, the file is to be modified, and 537.Dv O_TRUNC 538is specified or 539.Dv O_APPEND 540is not specified. 541.It Bq Er ELOOP 542Too many symbolic links were encountered in translating the pathname. 543.It Bq Er EISDIR 544The named file is a directory, and the arguments specify 545it is to be modified. 546.It Bq Er EISDIR 547The named file is a directory, and the flags specified 548.Dv O_CREAT 549without 550.Dv O_DIRECTORY . 551.It Bq Er EROFS 552The named file resides on a read-only file system, 553and the file is to be modified. 554.It Bq Er EROFS 555.Dv O_CREAT 556is specified and the named file would reside on a read-only file system. 557.It Bq Er EMFILE 558The process has already reached its limit for open file descriptors. 559.It Bq Er ENFILE 560The system file table is full. 561.It Bq Er EMLINK 562.Dv O_NOFOLLOW 563was specified and the target is a symbolic link. 564POSIX 565specifies a different error for this case; see the note in 566.Sx STANDARDS 567below. 568.It Bq Er ENXIO 569The named file is a character special or block 570special file, and the device associated with this special file 571does not exist. 572.It Bq Er ENXIO 573.Dv O_NONBLOCK 574is set, the named file is a fifo, 575.Dv O_WRONLY 576is set, and no process has the file open for reading. 577.It Bq Er EINTR 578The 579.Fn open 580operation was interrupted by a signal. 581.It Bq Er EOPNOTSUPP 582.Dv O_SHLOCK 583or 584.Dv O_EXLOCK 585is specified but the underlying file system does not support locking. 586.It Bq Er EOPNOTSUPP 587The named file is a special file mounted through a file system that 588does not support access to it (for example, NFS). 589.It Bq Er EWOULDBLOCK 590.Dv O_NONBLOCK 591and one of 592.Dv O_SHLOCK 593or 594.Dv O_EXLOCK 595is specified and the file is locked. 596.It Bq Er ENOSPC 597.Dv O_CREAT 598is specified, 599the file does not exist, 600and the directory in which the entry for the new file is being placed 601cannot be extended because there is no space left on the file 602system containing the directory. 603.It Bq Er ENOSPC 604.Dv O_CREAT 605is specified, 606the file does not exist, 607and there are no free inodes on the file system on which the 608file is being created. 609.It Bq Er EDQUOT 610.Dv O_CREAT 611is specified, 612the file does not exist, 613and the directory in which the entry for the new file 614is being placed cannot be extended because the 615user's quota of disk blocks on the file system 616containing the directory has been exhausted. 617.It Bq Er EDQUOT 618.Dv O_CREAT 619is specified, 620the file does not exist, 621and the user's quota of inodes on the file system on 622which the file is being created has been exhausted. 623.It Bq Er EIO 624An I/O error occurred while making the directory entry or 625allocating the inode for 626.Dv O_CREAT . 627.It Bq Er EINTEGRITY 628Corrupted data was detected while reading from the file system. 629.It Bq Er ETXTBSY 630The file is a pure procedure (shared text) file that is being 631executed and the 632.Fn open 633system call requests write access. 634.It Bq Er EFAULT 635The 636.Fa path 637argument 638points outside the process's allocated address space. 639.It Bq Er EEXIST 640.Dv O_CREAT 641and 642.Dv O_EXCL 643were specified and the file exists. 644.It Bq Er EOPNOTSUPP 645An attempt was made to open a socket (not currently implemented). 646.It Bq Er EINVAL 647An attempt was made to open a descriptor with an illegal combination 648of 649.Dv O_RDONLY , 650.Dv O_WRONLY , 651or 652.Dv O_RDWR , 653and 654.Dv O_EXEC 655or 656.Dv O_SEARCH . 657.It Bq Er EINVAL 658.Dv O_CREAT 659is specified, 660and the last component of the 661.Fa path 662argument is invalid on the file system on which the file is being created. 663.It Bq Er EBADF 664The 665.Fa path 666argument does not specify an absolute path and the 667.Fa fd 668argument is 669neither 670.Dv AT_FDCWD 671nor a valid file descriptor open for searching. 672.It Bq Er ENOTDIR 673The 674.Fa path 675argument is not an absolute path and 676.Fa fd 677is neither 678.Dv AT_FDCWD 679nor a file descriptor associated with a directory. 680.It Bq Er ENOTDIR 681.Dv O_DIRECTORY 682is specified and the file is not a directory. 683.It Bq Er ECAPMODE 684.Dv AT_FDCWD 685is specified and the process is in capability mode. 686.It Bq Er ECAPMODE 687.Fn open 688was called and the process is in capability mode. 689.It Bq Er ENOTCAPABLE 690.Fa path 691is an absolute path and the process is in capability mode. 692.It Bq Er ENOTCAPABLE 693.Fa path 694is an absolute path and 695.Dv O_RESOLVE_BENEATH 696is specified. 697.It Bq Er ENOTCAPABLE 698.Fa path 699contains a ".." component leading to a directory outside 700of the directory hierarchy specified by 701.Fa fd 702and the process is in capability mode. 703.It Bq Er ENOTCAPABLE 704.Fa path 705contains a ".." component leading to a directory outside 706of the directory hierarchy specified by 707.Fa fd 708and 709.Dv O_RESOLVE_BENEATH 710is specified. 711.It Bq Er ENOTCAPABLE 712.Fa path 713contains a ".." component, the 714.Dv vfs.lookup_cap_dotdot 715.Xr sysctl 3 716is set, and the process is in capability mode. 717.El 718.Sh SEE ALSO 719.Xr chmod 2 , 720.Xr close 2 , 721.Xr dup 2 , 722.Xr fexecve 2 , 723.Xr fhopen 2 , 724.Xr getdtablesize 2 , 725.Xr getfh 2 , 726.Xr lgetfh 2 , 727.Xr lseek 2 , 728.Xr read 2 , 729.Xr umask 2 , 730.Xr write 2 , 731.Xr fopen 3 , 732.Xr capsicum 4 733.Sh STANDARDS 734These functions are specified by 735.St -p1003.1-2008 . 736.Pp 737.Fx 738sets 739.Va errno 740to 741.Er EMLINK instead of 742.Er ELOOP 743as specified by 744POSIX 745when 746.Dv O_NOFOLLOW 747is set in flags and the final component of pathname is a symbolic link 748to distinguish it from the case of too many symbolic link traversals 749in one of its non-final components. 750.Pp 751The Open Group Extended API Set 2 specification, that introduced the 752.Fn *at 753API, required that the test for whether 754.Fa fd 755is searchable is based on whether 756.Fa fd 757is open for searching, not whether the underlying directory currently 758permits searches. 759The present implementation of the 760.Fa openat 761system call is believed to be compatible with 762.\" .St -p1003.1-2017 , 763.\" XXX: This should be replaced in the future when an appropriate argument to 764.\" the St macro is available: -p1003.1-2017 765.No IEEE Std 1003.1-2008, 2017 Edition ("POSIX.1") , 766which specifies that behavior for 767.Dv O_SEARCH , 768in the absence of the flag the implementation checks the current 769permissions of a directory. 770.Sh HISTORY 771The 772.Fn open 773function appeared in 774.At v1 . 775The 776.Fn openat 777function was introduced in 778.Fx 8.0 . 779.Dv O_DSYNC 780appeared in 13.0. 781.Sh BUGS 782The 783.Fa mode 784argument is variadic and may result in different calling conventions 785than might otherwise be expected. 786