1.\" Copyright (c) 1980, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.Dd February 28, 2025 29.Dt OPEN 2 30.Os 31.Sh NAME 32.Nm open , openat 33.Nd open or create a file for reading, writing or executing 34.Sh LIBRARY 35.Lb libc 36.Sh SYNOPSIS 37.In fcntl.h 38.Ft int 39.Fn open "const char *path" "int flags" "..." 40.Ft int 41.Fn openat "int fd" "const char *path" "int flags" "..." 42.Sh DESCRIPTION 43The file name specified by 44.Fa path 45is opened 46for either execution or reading and/or writing as specified by the 47argument 48.Fa flags 49and the file descriptor returned to the calling process. 50The 51.Fa flags 52argument may indicate the file is to be 53created if it does not exist (by specifying the 54.Dv O_CREAT 55flag). 56In this case 57.Fn open 58and 59.Fn openat 60require an additional argument 61.Fa "mode_t mode" , 62and the file is created with mode 63.Fa mode 64as described in 65.Xr chmod 2 66and modified by the process' umask value (see 67.Xr umask 2 ) . 68.Pp 69The 70.Fn openat 71function is equivalent to the 72.Fn open 73function except in the case where the 74.Fa path 75specifies a relative path. 76For 77.Fn openat 78and relative 79.Fa path , 80the file to be opened is determined relative to the directory 81associated with the file descriptor 82.Fa fd 83instead of the current working directory. 84The 85.Fa flag 86parameter and the optional fourth parameter correspond exactly to 87the parameters of 88.Fn open . 89If 90.Fn openat 91is passed the special value 92.Dv AT_FDCWD 93in the 94.Fa fd 95parameter, the current working directory is used 96and the behavior is identical to a call to 97.Fn open . 98.Pp 99When 100.Fn openat 101is called with an absolute 102.Fa path , 103it ignores the 104.Fa fd 105argument. 106.Pp 107In 108.Xr capsicum 4 109capability mode, 110.Fn open 111is not permitted. 112The 113.Fa path 114argument to 115.Fn openat 116must be strictly relative to a file descriptor 117.Fa fd ; 118that is, 119.Fa path 120must not be an absolute path and must not contain ".." components 121which cause the path resolution to escape the directory hierarchy 122starting at 123.Fa fd . 124Additionally, no symbolic link in 125.Fa path 126may target absolute path or contain escaping ".." components. 127.Fa fd 128must not be 129.Dv AT_FDCWD . 130.Pp 131If the 132.Dv vfs.lookup_cap_dotdot 133.Xr sysctl 3 134MIB is set to zero, ".." components in the paths, 135used in capability mode, 136are completely disabled. 137If the 138.Dv vfs.lookup_cap_dotdot_nonlocal 139MIB is set to zero, ".." is not allowed if found on non-local filesystem. 140.Pp 141The 142.Fa flags 143are formed by 144.Em or Ns 'ing 145the following values: 146.Pp 147.Bl -tag -width O_RESOLVE_BENEATH 148.It Dv O_RDONLY 149open for reading only 150.It Dv O_WRONLY 151open for writing only 152.It Dv O_RDWR 153open for reading and writing 154.It Dv O_EXEC 155open for execute only 156.It Dv O_SEARCH 157open for search only 158(an alias for 159.Dv O_EXEC 160typically used with 161.Dv O_DIRECTORY ) 162.It Dv O_NONBLOCK 163do not block on open 164.It Dv O_APPEND 165set file pointer to the end of the file before each write 166.It Dv O_CREAT 167create file if it does not exist 168.It Dv O_TRUNC 169truncate size to 0 170.It Dv O_EXCL 171fail if 172.Dv O_CREAT 173is set and the file exists 174.It Dv O_SHLOCK 175atomically obtain a shared lock 176.It Dv O_EXLOCK 177atomically obtain an exclusive lock 178.It Dv O_DIRECT 179read and write directly from the backing store 180.It Dv O_FSYNC 181synchronous data and metadata writes 182.Pq historical synonym for Dv O_SYNC 183.It Dv O_SYNC 184synchronous data and metadata writes 185.It Dv O_DSYNC 186synchronous data writes 187.It Dv O_NOFOLLOW 188do not follow symlinks 189.It Dv O_NOCTTY 190ignored 191.It Dv O_TTY_INIT 192ignored 193.It Dv O_DIRECTORY 194error if file is not a directory 195.It Dv O_CLOEXEC 196automatically close file on 197.Xr execve 2 198.It Dv O_VERIFY 199verify the contents of the file with 200.Xr mac_veriexec 4 201.It Dv O_RESOLVE_BENEATH 202.Pq Xr openat 2 only 203path resolution must not cross the 204.Fa fd 205directory 206.It Dv O_PATH 207record only the target path in the opened descriptor 208.It Dv O_EMPTY_PATH 209.Pq Xr openat 2 only 210open file referenced by 211.Fa fd 212if path is empty 213.El 214.Pp 215Exactly one of the flags 216.Dv O_RDONLY , 217.Dv O_WRONLY , 218.Dv O_RDWR , 219or 220.Dv O_EXEC 221must be provided. 222.Pp 223Opening a file with 224.Dv O_APPEND 225set causes each write on the resulting file descriptor 226to be appended to the end of the file. 227.Pp 228If 229.Dv O_TRUNC 230is specified and the 231file exists, the file is truncated to zero length. 232.Pp 233If 234.Dv O_CREAT 235is set, but file already exists, 236this flag has no effect except when 237.Dv O_EXCL 238is set too, in this case 239.Fn open 240fails with 241.Er EEXIST . 242This may be used to 243implement a simple exclusive access locking mechanism. 244In all other cases, the file is created 245and the access permission bits (see 246.Xr chmod 2) 247of the file mode 248are set to the value of the third argument taken as 249.Fa "mode_t mode" 250and passed through the 251.Xr umask 2 . 252This argument does not affect whether the file is opened 253for reading, writing, or for both. 254The open' request for a lock on the file, created with 255.Dv O_CREAT , 256will never fail 257provided that the underlying file system supports locking; 258see also 259.Dv O_SHLOCK 260and 261.Dv O_EXLOCK 262below. 263.Pp 264If 265.Dv O_EXCL 266is set and the last component of the pathname is 267a symbolic link, 268.Fn open 269will fail even if the symbolic 270link points to a non-existent name. 271.Pp 272If 273.Dv O_NONBLOCK 274is specified and the 275.Fn open 276system call would 277block for some reason (for example, waiting for 278carrier on a dialup line), 279.Fn open 280returns immediately. 281The descriptor remains in non-blocking mode for subsequent operations. 282.Pp 283If 284.Dv O_SYNC 285is used in the mask, all writes will 286immediately and synchronously be written to disk. 287.Dv O_FSYNC 288is an historical synonym for 289.Dv O_SYNC . 290.Pp 291If 292.Dv O_DSYNC 293is used in the mask, all data and metadata required to read the data will be 294synchronously written to disk, but changes to metadata such as file access and 295modification timestamps may be written later. 296.Pp 297If 298.Dv O_NOFOLLOW 299is used in the mask and the target file passed to 300.Fn open 301is a symbolic link then the 302.Fn open 303will fail. 304.Pp 305When opening a file, a lock with 306.Xr flock 2 307semantics can be obtained by setting 308.Dv O_SHLOCK 309for a shared lock, or 310.Dv O_EXLOCK 311for an exclusive lock. 312.Pp 313.Dv O_DIRECT 314may be used to minimize or eliminate the cache effects of reading and writing. 315The system will attempt to avoid caching the data you read or write. 316If it cannot avoid caching the data, 317it will minimize the impact the data has on the cache. 318Use of this flag can drastically reduce performance if not used with care. 319The semantics of this flag are filesystem dependent, 320and some filesystems may ignore it entirely. 321.Pp 322.Dv O_NOCTTY 323may be used to ensure the OS does not assign this file as the 324controlling terminal when it opens a tty device. 325This is the default on 326.Fx , 327but is present for 328POSIX 329compatibility. 330The 331.Fn open 332system call will not assign controlling terminals on 333.Fx . 334.Pp 335.Dv O_TTY_INIT 336may be used to ensure the OS restores the terminal attributes when 337initially opening a TTY. 338This is the default on 339.Fx , 340but is present for 341POSIX 342compatibility. 343The initial call to 344.Fn open 345on a TTY will always restore default terminal attributes on 346.Fx . 347.Pp 348.Dv O_DIRECTORY 349may be used to ensure the resulting file descriptor refers to a 350directory. 351This flag can be used to prevent applications with elevated privileges 352from opening files which are even unsafe to open with 353.Dv O_RDONLY , 354such as device nodes. 355.Pp 356.Dv O_CLOEXEC 357may be used to set 358.Dv FD_CLOEXEC 359flag for the newly returned file descriptor. 360.Pp 361.Dv O_VERIFY 362may be used to indicate to the kernel that the contents of the file should 363be verified before allowing the open to proceed. 364The details of what 365.Dq verified 366means is implementation specific. 367The run-time linker (rtld) uses this flag to ensure shared objects have 368been verified before operating on them. 369.Pp 370.Dv O_RESOLVE_BENEATH 371returns 372.Er ENOTCAPABLE 373if any intermediate component of the specified relative path does not 374reside in the directory hierarchy beneath the starting directory. 375Absolute paths or even the temporal escape from beneath of the starting 376directory is not allowed. 377.Pp 378When a directory 379is opened with 380.Dv O_SEARCH , 381execute permissions are checked at open time. 382The returned file descriptor 383may not be used for any read operations like 384.Xr getdirentries 2 . 385The primary use of this descriptor is as the lookup descriptor for the 386.Fn *at 387family of functions. 388If 389.Dv O_SEARCH 390was not requested at open time, then the 391.Fn *at 392functions use the current directory permissions for the directory referenced 393by the descriptor at the time of the 394.Fn *at 395call. 396.Pp 397.Dv O_PATH 398returns a file descriptor that can be used as a directory file descriptor for 399.Fn openat 400and other system calls taking a file descriptor argument, like 401.Xr fstatat 2 402and others. 403The other functionality of the returned file descriptor is limited to 404the following descriptor-level operations: 405.Pp 406.Bl -tag -width __acl_aclcheck_fd -offset indent -compact 407.It Xr fcntl 2 408but advisory locking is not allowed 409.It Xr dup 2 410.It Xr close 2 411.It Xr fstat 2 412.It Xr fstatfs 2 413.It Xr fchdir 2 414.It Xr fchroot 2 415.It Xr fexecve 2 416.It Xr funlinkat 2 417can be passed as the third argument 418.It Dv SCM_RIGHTS 419can be passed over a 420.Xr unix 4 421socket using a 422.Dv SCM_RIGHTS 423message 424.It Xr kqueue 2 425only with 426.Dv EVFILT_VNODE 427.It Xr __acl_get_fd 2 428.It Xr __acl_aclcheck_fd 2 429.It Xr extattr 2 430.It Xr capsicum 4 431can be passed to 432.Fn cap_*_limit 433and 434.Fn cap_*_get 435system calls (such as 436.Xr cap_rights_limit 2 ) . 437.El 438.Pp 439Other operations like 440.Xr read 2 , 441.Xr ftruncate 2 , 442and any other that operate on file and not on file descriptor (except 443.Xr fstat 2 ) , 444are not allowed. 445.Pp 446A file descriptor created with the 447.Dv O_PATH 448flag can be opened as a normal (operable) file descriptor by 449specifying it as the 450.Fa fd 451argument to 452.Fn openat 453with an empty 454.Fa path 455and the 456.Dv O_EMPTY_PATH 457flag. 458Such an open behaves as if the current path of the file referenced by 459.Fa fd 460is passed, except that path walk permissions are not checked. 461See also the description of 462.Dv AT_EMPTY_PATH 463flag for 464.Xr fstatat 2 465and related syscalls. 466.Pp 467If successful, 468.Fn open 469returns a non-negative integer, termed a file descriptor. 470It returns \-1 on failure. 471The file descriptor value returned is the lowest numbered descriptor 472currently not in use by the process. 473The file pointer used to mark the current position within the 474file is set to the beginning of the file. 475.Pp 476If a sleeping open of a device node from 477.Xr devfs 4 478is interrupted by a signal, the call always fails with 479.Er EINTR , 480even if the 481.Dv SA_RESTART 482flag is set for the signal. 483A sleeping open of a fifo (see 484.Xr mkfifo 2 ) 485is restarted as normal. 486.Pp 487When a new file is created, it is assigned the group of the directory 488which contains it. 489.Pp 490Unless 491.Dv O_CLOEXEC 492flag was specified, 493the new descriptor is set to remain open across 494.Xr execve 2 495system calls; see 496.Xr close 2 , 497.Xr fcntl 2 498and the description of the 499.Dv O_CLOEXEC 500flag. 501.Pp 502The system imposes a limit on the number of file descriptors 503open simultaneously by one process. 504The 505.Xr getdtablesize 2 506system call returns the current system limit. 507.Sh RETURN VALUES 508If successful, 509.Fn open 510and 511.Fn openat 512return a non-negative integer, termed a file descriptor. 513They return \-1 on failure, and set 514.Va errno 515to indicate the error. 516.Sh ERRORS 517The named file is opened unless: 518.Bl -tag -width Er 519.It Bq Er ENOTDIR 520A component of the path prefix is not a directory. 521.It Bq Er ENAMETOOLONG 522A component of a pathname exceeded 255 characters, 523or an entire path name exceeded 1023 characters. 524.It Bq Er ENOENT 525.Dv O_CREAT 526is not set and the named file does not exist. 527.It Bq Er ENOENT 528A component of the path name that must exist does not exist. 529.It Bq Er EACCES 530Search permission is denied for a component of the path prefix. 531.It Bq Er EACCES 532The required permissions (for reading and/or writing) 533are denied for the given flags. 534.It Bq Er EACCES 535.Dv O_TRUNC 536is specified and write permission is denied. 537.It Bq Er EACCES 538.Dv O_CREAT 539is specified, 540the file does not exist, 541and the directory in which it is to be created 542does not permit writing. 543.It Bq Er EPERM 544.Dv O_CREAT 545is specified, the file does not exist, and the directory in which it is to be 546created has its immutable flag set, see the 547.Xr chflags 2 548manual page for more information. 549.It Bq Er EPERM 550The named file has its immutable flag set and the file is to be modified. 551.It Bq Er EPERM 552The named file has its append-only flag set, the file is to be modified, and 553.Dv O_TRUNC 554is specified or 555.Dv O_APPEND 556is not specified. 557.It Bq Er ELOOP 558Too many symbolic links were encountered in translating the pathname. 559.It Bq Er EISDIR 560The named file is a directory, and the arguments specify 561it is to be modified. 562.It Bq Er EISDIR 563The named file is a directory, and the flags specified 564.Dv O_CREAT 565without 566.Dv O_DIRECTORY . 567.It Bq Er EROFS 568The named file resides on a read-only file system, 569and the file is to be modified. 570.It Bq Er EROFS 571.Dv O_CREAT 572is specified and the named file would reside on a read-only file system. 573.It Bq Er EMFILE 574The process has already reached its limit for open file descriptors. 575.It Bq Er ENFILE 576The system file table is full. 577.It Bq Er EMLINK 578.Dv O_NOFOLLOW 579was specified and the target is a symbolic link. 580POSIX 581specifies a different error for this case; see the note in 582.Sx STANDARDS 583below. 584.It Bq Er ENXIO 585The named file is a character special or block 586special file, and the device associated with this special file 587does not exist. 588.It Bq Er ENXIO 589.Dv O_NONBLOCK 590is set, the named file is a fifo, 591.Dv O_WRONLY 592is set, and no process has the file open for reading. 593.It Bq Er EINTR 594The 595.Fn open 596operation was interrupted by a signal. 597.It Bq Er EOPNOTSUPP 598.Dv O_SHLOCK 599or 600.Dv O_EXLOCK 601is specified but the underlying file system does not support locking. 602.It Bq Er EOPNOTSUPP 603The named file is a special file mounted through a file system that 604does not support access to it (for example, NFS). 605.It Bq Er EWOULDBLOCK 606.Dv O_NONBLOCK 607and one of 608.Dv O_SHLOCK 609or 610.Dv O_EXLOCK 611is specified and the file is locked. 612.It Bq Er ENOSPC 613.Dv O_CREAT 614is specified, 615the file does not exist, 616and the directory in which the entry for the new file is being placed 617cannot be extended because there is no space left on the file 618system containing the directory. 619.It Bq Er ENOSPC 620.Dv O_CREAT 621is specified, 622the file does not exist, 623and there are no free inodes on the file system on which the 624file is being created. 625.It Bq Er EDQUOT 626.Dv O_CREAT 627is specified, 628the file does not exist, 629and the directory in which the entry for the new file 630is being placed cannot be extended because the 631user's quota of disk blocks on the file system 632containing the directory has been exhausted. 633.It Bq Er EDQUOT 634.Dv O_CREAT 635is specified, 636the file does not exist, 637and the user's quota of inodes on the file system on 638which the file is being created has been exhausted. 639.It Bq Er EIO 640An I/O error occurred while making the directory entry or 641allocating the inode for 642.Dv O_CREAT . 643.It Bq Er EINTEGRITY 644Corrupted data was detected while reading from the file system. 645.It Bq Er ETXTBSY 646The file is a pure procedure (shared text) file that is being 647executed and the 648.Fn open 649system call requests write access. 650.It Bq Er EFAULT 651The 652.Fa path 653argument 654points outside the process's allocated address space. 655.It Bq Er EEXIST 656.Dv O_CREAT 657and 658.Dv O_EXCL 659were specified and the file exists. 660.It Bq Er EOPNOTSUPP 661An attempt was made to open a socket (not currently implemented). 662.It Bq Er EINVAL 663An attempt was made to open a descriptor with an illegal combination 664of 665.Dv O_RDONLY , 666.Dv O_WRONLY , 667or 668.Dv O_RDWR , 669and 670.Dv O_EXEC 671or 672.Dv O_SEARCH . 673.It Bq Er EINVAL 674.Dv O_CREAT 675is specified, 676and the last component of the 677.Fa path 678argument is invalid on the file system on which the file is being created. 679.It Bq Er EBADF 680The 681.Fa path 682argument does not specify an absolute path and the 683.Fa fd 684argument is 685neither 686.Dv AT_FDCWD 687nor a valid file descriptor open for searching. 688.It Bq Er ENOTDIR 689The 690.Fa path 691argument is not an absolute path and 692.Fa fd 693is neither 694.Dv AT_FDCWD 695nor a file descriptor associated with a directory. 696.It Bq Er ENOTDIR 697.Dv O_DIRECTORY 698is specified and the file is not a directory. 699.It Bq Er ECAPMODE 700.Dv AT_FDCWD 701is specified and the process is in capability mode. 702.It Bq Er ECAPMODE 703.Fn open 704was called and the process is in capability mode. 705.It Bq Er ENOTCAPABLE 706.Fa path 707is an absolute path and the process is in capability mode. 708.It Bq Er ENOTCAPABLE 709.Fa path 710is an absolute path and 711.Dv O_RESOLVE_BENEATH 712is specified. 713.It Bq Er ENOTCAPABLE 714.Fa path 715contains a ".." component leading to a directory outside 716of the directory hierarchy specified by 717.Fa fd 718and the process is in capability mode. 719.It Bq Er ENOTCAPABLE 720.Fa path 721contains a ".." component leading to a directory outside 722of the directory hierarchy specified by 723.Fa fd 724and 725.Dv O_RESOLVE_BENEATH 726is specified. 727.It Bq Er ENOTCAPABLE 728.Fa path 729contains a ".." component, the 730.Dv vfs.lookup_cap_dotdot 731.Xr sysctl 3 732is set, and the process is in capability mode. 733.El 734.Sh SEE ALSO 735.Xr chmod 2 , 736.Xr close 2 , 737.Xr dup 2 , 738.Xr fexecve 2 , 739.Xr fhopen 2 , 740.Xr getdtablesize 2 , 741.Xr getfh 2 , 742.Xr lgetfh 2 , 743.Xr lseek 2 , 744.Xr read 2 , 745.Xr umask 2 , 746.Xr write 2 , 747.Xr fopen 3 , 748.Xr capsicum 4 749.Sh STANDARDS 750These functions are specified by 751.St -p1003.1-2008 . 752.Pp 753.Fx 754sets 755.Va errno 756to 757.Er EMLINK instead of 758.Er ELOOP 759as specified by 760POSIX 761when 762.Dv O_NOFOLLOW 763is set in flags and the final component of pathname is a symbolic link 764to distinguish it from the case of too many symbolic link traversals 765in one of its non-final components. 766.Pp 767The Open Group Extended API Set 2 specification, that introduced the 768.Fn *at 769API, required that the test for whether 770.Fa fd 771is searchable is based on whether 772.Fa fd 773is open for searching, not whether the underlying directory currently 774permits searches. 775The present implementation of the 776.Fa openat 777system call is believed to be compatible with 778.\" .St -p1003.1-2017 , 779.\" XXX: This should be replaced in the future when an appropriate argument to 780.\" the St macro is available: -p1003.1-2017 781.No IEEE Std 1003.1-2008, 2017 Edition ("POSIX.1") , 782which specifies that behavior for 783.Dv O_SEARCH , 784in the absence of the flag the implementation checks the current 785permissions of a directory. 786.Sh HISTORY 787The 788.Fn open 789function appeared in 790.At v1 . 791The 792.Fn openat 793function was introduced in 794.Fx 8.0 . 795.Dv O_DSYNC 796appeared in 13.0. 797.Sh BUGS 798The 799.Fa mode 800argument is variadic and may result in different calling conventions 801than might otherwise be expected. 802