1.\" Copyright (c) 1980, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.Dd January 29, 2024 29.Dt OPEN 2 30.Os 31.Sh NAME 32.Nm open , openat 33.Nd open or create a file for reading, writing or executing 34.Sh LIBRARY 35.Lb libc 36.Sh SYNOPSIS 37.In fcntl.h 38.Ft int 39.Fn open "const char *path" "int flags" "..." 40.Ft int 41.Fn openat "int fd" "const char *path" "int flags" "..." 42.Sh DESCRIPTION 43The file name specified by 44.Fa path 45is opened 46for either execution or reading and/or writing as specified by the 47argument 48.Fa flags 49and the file descriptor returned to the calling process. 50The 51.Fa flags 52argument may indicate the file is to be 53created if it does not exist (by specifying the 54.Dv O_CREAT 55flag). 56In this case 57.Fn open 58and 59.Fn openat 60require an additional argument 61.Fa "mode_t mode" , 62and the file is created with mode 63.Fa mode 64as described in 65.Xr chmod 2 66and modified by the process' umask value (see 67.Xr umask 2 ) . 68.Pp 69The 70.Fn openat 71function is equivalent to the 72.Fn open 73function except in the case where the 74.Fa path 75specifies a relative path. 76For 77.Fn openat 78and relative 79.Fa path , 80the file to be opened is determined relative to the directory 81associated with the file descriptor 82.Fa fd 83instead of the current working directory. 84The 85.Fa flag 86parameter and the optional fourth parameter correspond exactly to 87the parameters of 88.Fn open . 89If 90.Fn openat 91is passed the special value 92.Dv AT_FDCWD 93in the 94.Fa fd 95parameter, the current working directory is used 96and the behavior is identical to a call to 97.Fn open . 98.Pp 99When 100.Fn openat 101is called with an absolute 102.Fa path , 103it ignores the 104.Fa fd 105argument. 106.Pp 107In 108.Xr capsicum 4 109capability mode, 110.Fn open 111is not permitted. 112The 113.Fa path 114argument to 115.Fn openat 116must be strictly relative to a file descriptor 117.Fa fd . 118.Fa path 119must not be an absolute path and must not contain ".." components 120which cause the path resolution to escape the directory hierarchy 121starting at 122.Fa fd . 123Additionally, no symbolic link in 124.Fa path 125may target absolute path or contain escaping ".." components. 126.Fa fd 127must not be 128.Dv AT_FDCWD . 129.Pp 130If the 131.Dv vfs.lookup_cap_dotdot 132.Xr sysctl 3 133MIB is set to zero, ".." components in the paths, 134used in capability mode, 135are completely disabled. 136If the 137.Dv vfs.lookup_cap_dotdot_nonlocal 138MIB is set to zero, ".." is not allowed if found on non-local filesystem. 139.Pp 140The flags specified are formed by 141.Em or Ns 'ing 142the following values 143.Pp 144.Bd -literal -offset indent -compact 145O_RDONLY open for reading only 146O_WRONLY open for writing only 147O_RDWR open for reading and writing 148O_EXEC open for execute only 149O_SEARCH open for search only, an alias for O_EXEC 150O_NONBLOCK do not block on open 151O_APPEND append on each write 152O_CREAT create file if it does not exist 153O_TRUNC truncate size to 0 154O_EXCL error if create and file exists 155O_SHLOCK atomically obtain a shared lock 156O_EXLOCK atomically obtain an exclusive lock 157O_DIRECT eliminate or reduce cache effects 158O_FSYNC synchronous writes (historical synonym for O_SYNC) 159O_SYNC synchronous writes 160O_DSYNC synchronous data writes 161O_NOFOLLOW do not follow symlinks 162O_NOCTTY ignored 163O_TTY_INIT ignored 164O_DIRECTORY error if file is not a directory 165O_CLOEXEC set FD_CLOEXEC upon open 166O_VERIFY verify the contents of the file 167O_RESOLVE_BENEATH path resolution must not cross the fd directory 168O_PATH record only the target path in the opened descriptor 169O_EMPTY_PATH openat, open file referenced by fd if path is empty 170.Ed 171.Pp 172Opening a file with 173.Dv O_APPEND 174set causes each write on the file 175to be appended to the end. 176If 177.Dv O_TRUNC 178is specified and the 179file exists, the file is truncated to zero length. 180If 181.Dv O_EXCL 182is set with 183.Dv O_CREAT 184and the file already 185exists, 186.Fn open 187returns an error. 188This may be used to 189implement a simple exclusive access locking mechanism. 190If 191.Dv O_EXCL 192is set and the last component of the pathname is 193a symbolic link, 194.Fn open 195will fail even if the symbolic 196link points to a non-existent name. 197If the 198.Dv O_NONBLOCK 199flag is specified and the 200.Fn open 201system call would result 202in the process being blocked for some reason (e.g., waiting for 203carrier on a dialup line), 204.Fn open 205returns immediately. 206The descriptor remains in non-blocking mode for subsequent operations. 207.Pp 208If 209.Dv O_SYNC 210is used in the mask, all writes will 211immediately and synchronously be written to disk. 212.Dv O_FSYNC 213is an historical synonym for 214.Dv O_SYNC . 215.Pp 216If 217.Dv O_DSYNC 218is used in the mask, all data and metadata required to read the data will be 219synchronously written to disk, but changes to metadata such as file access and 220modification timestamps may be written later. 221.Pp 222If 223.Dv O_NOFOLLOW 224is used in the mask and the target file passed to 225.Fn open 226is a symbolic link then the 227.Fn open 228will fail. 229.Pp 230When opening a file, a lock with 231.Xr flock 2 232semantics can be obtained by setting 233.Dv O_SHLOCK 234for a shared lock, or 235.Dv O_EXLOCK 236for an exclusive lock. 237If creating a file with 238.Dv O_CREAT , 239the request for the lock will never fail 240(provided that the underlying file system supports locking). 241.Pp 242.Dv O_DIRECT 243may be used to minimize or eliminate the cache effects of reading and writing. 244The system will attempt to avoid caching the data you read or write. 245If it cannot avoid caching the data, 246it will minimize the impact the data has on the cache. 247Use of this flag can drastically reduce performance if not used with care. 248.Pp 249.Dv O_NOCTTY 250may be used to ensure the OS does not assign this file as the 251controlling terminal when it opens a tty device. 252This is the default on 253.Fx , 254but is present for 255.Tn POSIX 256compatibility. 257The 258.Fn open 259system call will not assign controlling terminals on 260.Fx . 261.Pp 262.Dv O_TTY_INIT 263may be used to ensure the OS restores the terminal attributes when 264initially opening a TTY. 265This is the default on 266.Fx , 267but is present for 268.Tn POSIX 269compatibility. 270The initial call to 271.Fn open 272on a TTY will always restore default terminal attributes on 273.Fx . 274.Pp 275.Dv O_DIRECTORY 276may be used to ensure the resulting file descriptor refers to a 277directory. 278This flag can be used to prevent applications with elevated privileges 279from opening files which are even unsafe to open with 280.Dv O_RDONLY , 281such as device nodes. 282.Pp 283.Dv O_CLOEXEC 284may be used to set 285.Dv FD_CLOEXEC 286flag for the newly returned file descriptor. 287.Pp 288.Dv O_VERIFY 289may be used to indicate to the kernel that the contents of the file should 290be verified before allowing the open to proceed. 291The details of what 292.Dq verified 293means is implementation specific. 294The run-time linker (rtld) uses this flag to ensure shared objects have 295been verified before operating on them. 296.Pp 297.Dv O_RESOLVE_BENEATH 298returns 299.Er ENOTCAPABLE 300if any intermediate component of the specified relative path does not 301reside in the directory hierarchy beneath the starting directory. 302Absolute paths or even the temporal escape from beneath of the starting 303directory is not allowed. 304.Pp 305When 306.Fa fd 307is opened with 308.Dv O_SEARCH , 309execute permissions are checked at open time. 310The 311.Fa fd 312may not be used for any read operations like 313.Xr getdirentries 2 . 314The primary use for this descriptor will be as the lookup descriptor for the 315.Fn *at 316family of functions. 317If 318.Dv O_SEARCH 319was not requested at open time, then the 320.Fn *at 321functions use the current directory permissions for the directory referenced 322by the descriptor at the time of the call. 323.Pp 324.Dv O_PATH 325returns a file descriptor that can be used as a directory file descriptor for 326.Fn openat 327and other system calls taking a file descriptor argument, like 328.Xr fstatat 2 329and others. 330The other functionality of the returned file descriptor is limited to 331the descriptor-level operations. 332It can be used for 333.Bl -tag -width readlinkat(2) -offset indent -compact 334.It Xr fcntl 2 335but advisory locking is not allowed 336.It Xr dup 2 337.It Xr close 2 338.It Xr fstat 2 339.It Xr fexecve 2 340.It Dv SCM_RIGHTS 341can be passed over a 342.Xr unix 4 343socket using a 344.Dv SCM_RIGHTS 345message 346.It Xr kqueue 2 347using for 348.Dv EVFILT_VNODE 349.It Xr readlinkat 2 350.It Xr __acl_get_fd 2 , Xr __acl_aclcheck_fd 2 351.El 352But operations like 353.Xr read 2 , 354.Xr ftruncate 2 , 355and any other that operate on file and not on file descriptor (except 356.Xr fstat 2 ), 357are not allowed. 358.Pp 359A file descriptor created with the 360.Dv O_PATH 361flag can be opened into normal (operable) file descriptor by 362specifying it as the 363.Fa fd 364argument to 365.Fn openat 366with empty 367.Fa path 368and flag 369.Dv O_EMPTY_PATH . 370Such an open behaves as if the current path of the file referenced by 371.Fa fd 372is passed, except that the path walk permissions are not checked. 373See also the description of 374.Dv AT_EMPTY_PATH 375flag for 376.Xr fstatat 2 377and related syscalls. 378.Pp 379If successful, 380.Fn open 381returns a non-negative integer, termed a file descriptor. 382It returns \-1 on failure. 383The file pointer used to mark the current position within the 384file is set to the beginning of the file. 385.Pp 386If a sleeping open of a device node from 387.Xr devfs 4 388is interrupted by a signal, the call always fails with 389.Er EINTR , 390even if the 391.Dv SA_RESTART 392flag is set for the signal. 393A sleeping open of a fifo (see 394.Xr mkfifo 2 ) 395is restarted as normal. 396.Pp 397When a new file is created it is given the group of the directory 398which contains it. 399.Pp 400Unless 401.Dv O_CLOEXEC 402flag was specified, 403the new descriptor is set to remain open across 404.Xr execve 2 405system calls; see 406.Xr close 2 , 407.Xr fcntl 2 408and 409.Dv O_CLOEXEC 410description. 411.Pp 412The system imposes a limit on the number of file descriptors 413open simultaneously by one process. 414The 415.Xr getdtablesize 2 416system call returns the current system limit. 417.Sh RETURN VALUES 418If successful, 419.Fn open 420and 421.Fn openat 422return a non-negative integer, termed a file descriptor. 423They return \-1 on failure, and set 424.Va errno 425to indicate the error. 426.Sh ERRORS 427The named file is opened unless: 428.Bl -tag -width Er 429.It Bq Er ENOTDIR 430A component of the path prefix is not a directory. 431.It Bq Er ENAMETOOLONG 432A component of a pathname exceeded 255 characters, 433or an entire path name exceeded 1023 characters. 434.It Bq Er ENOENT 435.Dv O_CREAT 436is not set and the named file does not exist. 437.It Bq Er ENOENT 438A component of the path name that must exist does not exist. 439.It Bq Er EACCES 440Search permission is denied for a component of the path prefix. 441.It Bq Er EACCES 442The required permissions (for reading and/or writing) 443are denied for the given flags. 444.It Bq Er EACCES 445.Dv O_TRUNC 446is specified and write permission is denied. 447.It Bq Er EACCES 448.Dv O_CREAT 449is specified, 450the file does not exist, 451and the directory in which it is to be created 452does not permit writing. 453.It Bq Er EPERM 454.Dv O_CREAT 455is specified, the file does not exist, and the directory in which it is to be 456created has its immutable flag set, see the 457.Xr chflags 2 458manual page for more information. 459.It Bq Er EPERM 460The named file has its immutable flag set and the file is to be modified. 461.It Bq Er EPERM 462The named file has its append-only flag set, the file is to be modified, and 463.Dv O_TRUNC 464is specified or 465.Dv O_APPEND 466is not specified. 467.It Bq Er ELOOP 468Too many symbolic links were encountered in translating the pathname. 469.It Bq Er EISDIR 470The named file is a directory, and the arguments specify 471it is to be modified. 472.It Bq Er EISDIR 473The named file is a directory, and the flags specified 474.Dv O_CREAT 475without 476.Dv O_DIRECTORY . 477.It Bq Er EROFS 478The named file resides on a read-only file system, 479and the file is to be modified. 480.It Bq Er EROFS 481.Dv O_CREAT 482is specified and the named file would reside on a read-only file system. 483.It Bq Er EMFILE 484The process has already reached its limit for open file descriptors. 485.It Bq Er ENFILE 486The system file table is full. 487.It Bq Er EMLINK 488.Dv O_NOFOLLOW 489was specified and the target is a symbolic link. 490.Tn POSIX 491specifies a different error for this case; see the note in 492.Sx STANDARDS 493below. 494.It Bq Er ENXIO 495The named file is a character special or block 496special file, and the device associated with this special file 497does not exist. 498.It Bq Er ENXIO 499.Dv O_NONBLOCK 500is set, the named file is a fifo, 501.Dv O_WRONLY 502is set, and no process has the file open for reading. 503.It Bq Er EINTR 504The 505.Fn open 506operation was interrupted by a signal. 507.It Bq Er EOPNOTSUPP 508.Dv O_SHLOCK 509or 510.Dv O_EXLOCK 511is specified but the underlying file system does not support locking. 512.It Bq Er EOPNOTSUPP 513The named file is a special file mounted through a file system that 514does not support access to it (e.g.\& NFS). 515.It Bq Er EWOULDBLOCK 516.Dv O_NONBLOCK 517and one of 518.Dv O_SHLOCK 519or 520.Dv O_EXLOCK 521is specified and the file is locked. 522.It Bq Er ENOSPC 523.Dv O_CREAT 524is specified, 525the file does not exist, 526and the directory in which the entry for the new file is being placed 527cannot be extended because there is no space left on the file 528system containing the directory. 529.It Bq Er ENOSPC 530.Dv O_CREAT 531is specified, 532the file does not exist, 533and there are no free inodes on the file system on which the 534file is being created. 535.It Bq Er EDQUOT 536.Dv O_CREAT 537is specified, 538the file does not exist, 539and the directory in which the entry for the new file 540is being placed cannot be extended because the 541user's quota of disk blocks on the file system 542containing the directory has been exhausted. 543.It Bq Er EDQUOT 544.Dv O_CREAT 545is specified, 546the file does not exist, 547and the user's quota of inodes on the file system on 548which the file is being created has been exhausted. 549.It Bq Er EIO 550An I/O error occurred while making the directory entry or 551allocating the inode for 552.Dv O_CREAT . 553.It Bq Er EINTEGRITY 554Corrupted data was detected while reading from the file system. 555.It Bq Er ETXTBSY 556The file is a pure procedure (shared text) file that is being 557executed and the 558.Fn open 559system call requests write access. 560.It Bq Er EFAULT 561The 562.Fa path 563argument 564points outside the process's allocated address space. 565.It Bq Er EEXIST 566.Dv O_CREAT 567and 568.Dv O_EXCL 569were specified and the file exists. 570.It Bq Er EOPNOTSUPP 571An attempt was made to open a socket (not currently implemented). 572.It Bq Er EINVAL 573An attempt was made to open a descriptor with an illegal combination 574of 575.Dv O_RDONLY , 576.Dv O_WRONLY , 577or 578.Dv O_RDWR , 579and 580.Dv O_EXEC 581or 582.Dv O_SEARCH . 583.It Bq Er EBADF 584The 585.Fa path 586argument does not specify an absolute path and the 587.Fa fd 588argument is 589neither 590.Dv AT_FDCWD 591nor a valid file descriptor open for searching. 592.It Bq Er ENOTDIR 593The 594.Fa path 595argument is not an absolute path and 596.Fa fd 597is neither 598.Dv AT_FDCWD 599nor a file descriptor associated with a directory. 600.It Bq Er ENOTDIR 601.Dv O_DIRECTORY 602is specified and the file is not a directory. 603.It Bq Er ECAPMODE 604.Dv AT_FDCWD 605is specified and the process is in capability mode. 606.It Bq Er ECAPMODE 607.Fn open 608was called and the process is in capability mode. 609.It Bq Er ENOTCAPABLE 610.Fa path 611is an absolute path and the process is in capability mode. 612.It Bq Er ENOTCAPABLE 613.Fa path 614is an absolute path and 615.Dv O_RESOLVE_BENEATH 616is specified. 617.It Bq Er ENOTCAPABLE 618.Fa path 619contains a ".." component leading to a directory outside 620of the directory hierarchy specified by 621.Fa fd 622and the process is in capability mode. 623.It Bq Er ENOTCAPABLE 624.Fa path 625contains a ".." component leading to a directory outside 626of the directory hierarchy specified by 627.Fa fd 628and 629.Dv O_RESOLVE_BENEATH 630is specified. 631.It Bq Er ENOTCAPABLE 632.Fa path 633contains a ".." component, the 634.Dv vfs.lookup_cap_dotdot 635.Xr sysctl 3 636is set, and the process is in capability mode. 637.El 638.Sh SEE ALSO 639.Xr chmod 2 , 640.Xr close 2 , 641.Xr dup 2 , 642.Xr fexecve 2 , 643.Xr fhopen 2 , 644.Xr getdtablesize 2 , 645.Xr getfh 2 , 646.Xr lgetfh 2 , 647.Xr lseek 2 , 648.Xr read 2 , 649.Xr umask 2 , 650.Xr write 2 , 651.Xr fopen 3 , 652.Xr capsicum 4 653.Sh STANDARDS 654These functions are specified by 655.St -p1003.1-2008 . 656.Pp 657.Fx 658sets 659.Va errno 660to 661.Er EMLINK instead of 662.Er ELOOP 663as specified by 664.Tn POSIX 665when 666.Dv O_NOFOLLOW 667is set in flags and the final component of pathname is a symbolic link 668to distinguish it from the case of too many symbolic link traversals 669in one of its non-final components. 670.Pp 671The Open Group Extended API Set 2 specification, that introduced the 672.Fn *at 673API, required that the test for whether 674.Fa fd 675is searchable is based on whether 676.Fa fd 677is open for searching, not whether the underlying directory currently 678permits searches. 679The present implementation of the 680.Fa openat 681system call is believed to be compatible with 682.St -p1003.1-2017 , 683which specifies that behavior for 684.Dv O_SEARCH , 685in the absence of the flag the implementation checks the current 686permissions of a directory. 687.Sh HISTORY 688The 689.Fn open 690function appeared in 691.At v1 . 692The 693.Fn openat 694function was introduced in 695.Fx 8.0 . 696.Dv O_DSYNC 697appeared in 13.0. 698.Sh BUGS 699The 700.Fa mode 701argument is variadic and may result in different calling conventions 702than might otherwise be expected. 703