xref: /freebsd/lib/libsys/open.2 (revision d59a76183470685bdf0b88013d2baad1f04f030f)
1.\" Copyright (c) 1980, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.Dd August 25, 2024
29.Dt OPEN 2
30.Os
31.Sh NAME
32.Nm open , openat
33.Nd open or create a file for reading, writing or executing
34.Sh LIBRARY
35.Lb libc
36.Sh SYNOPSIS
37.In fcntl.h
38.Ft int
39.Fn open "const char *path" "int flags" "..."
40.Ft int
41.Fn openat "int fd" "const char *path" "int flags" "..."
42.Sh DESCRIPTION
43The file name specified by
44.Fa path
45is opened
46for either execution or reading and/or writing as specified by the
47argument
48.Fa flags
49and the file descriptor returned to the calling process.
50The
51.Fa flags
52argument may indicate the file is to be
53created if it does not exist (by specifying the
54.Dv O_CREAT
55flag).
56In this case
57.Fn open
58and
59.Fn openat
60require an additional argument
61.Fa "mode_t mode" ,
62and the file is created with mode
63.Fa mode
64as described in
65.Xr chmod 2
66and modified by the process' umask value (see
67.Xr umask 2 ) .
68.Pp
69The
70.Fn openat
71function is equivalent to the
72.Fn open
73function except in the case where the
74.Fa path
75specifies a relative path.
76For
77.Fn openat
78and relative
79.Fa path ,
80the file to be opened is determined relative to the directory
81associated with the file descriptor
82.Fa fd
83instead of the current working directory.
84The
85.Fa flag
86parameter and the optional fourth parameter correspond exactly to
87the parameters of
88.Fn open .
89If
90.Fn openat
91is passed the special value
92.Dv AT_FDCWD
93in the
94.Fa fd
95parameter, the current working directory is used
96and the behavior is identical to a call to
97.Fn open .
98.Pp
99When
100.Fn openat
101is called with an absolute
102.Fa path ,
103it ignores the
104.Fa fd
105argument.
106.Pp
107In
108.Xr capsicum 4
109capability mode,
110.Fn open
111is not permitted.
112The
113.Fa path
114argument to
115.Fn openat
116must be strictly relative to a file descriptor
117.Fa fd .
118.Fa path
119must not be an absolute path and must not contain ".." components
120which cause the path resolution to escape the directory hierarchy
121starting at
122.Fa fd .
123Additionally, no symbolic link in
124.Fa path
125may target absolute path or contain escaping ".." components.
126.Fa fd
127must not be
128.Dv AT_FDCWD .
129.Pp
130If the
131.Dv vfs.lookup_cap_dotdot
132.Xr sysctl 3
133MIB is set to zero, ".." components in the paths,
134used in capability mode,
135are completely disabled.
136If the
137.Dv vfs.lookup_cap_dotdot_nonlocal
138MIB is set to zero, ".." is not allowed if found on non-local filesystem.
139.Pp
140The flags specified are formed by
141.Em or Ns 'ing
142the following values
143.Pp
144.Bd -literal -offset indent -compact
145O_RDONLY	open for reading only
146O_WRONLY	open for writing only
147O_RDWR		open for reading and writing
148O_EXEC		open for execute only
149O_SEARCH	open for search only, an alias for O_EXEC
150O_NONBLOCK	do not block on open
151O_APPEND	append on each write
152O_CREAT		create file if it does not exist
153O_TRUNC		truncate size to 0
154O_EXCL		error if create and file exists
155O_SHLOCK	atomically obtain a shared lock
156O_EXLOCK	atomically obtain an exclusive lock
157O_DIRECT	eliminate or reduce cache effects
158O_FSYNC		synchronous writes (historical synonym for O_SYNC)
159O_SYNC		synchronous writes
160O_DSYNC		synchronous data writes
161O_NOFOLLOW	do not follow symlinks
162O_NOCTTY	ignored
163O_TTY_INIT	ignored
164O_DIRECTORY	error if file is not a directory
165O_CLOEXEC	set FD_CLOEXEC upon open
166O_VERIFY	verify the contents of the file
167O_RESOLVE_BENEATH	path resolution must not cross the fd directory
168O_PATH		record only the target path in the opened descriptor
169O_EMPTY_PATH	openat, open file referenced by fd if path is empty
170.Ed
171.Pp
172Opening a file with
173.Dv O_APPEND
174set causes each write on the file
175to be appended to the end.
176If
177.Dv O_TRUNC
178is specified and the
179file exists, the file is truncated to zero length.
180If
181.Dv O_EXCL
182is set with
183.Dv O_CREAT
184and the file already
185exists,
186.Fn open
187returns an error.
188This may be used to
189implement a simple exclusive access locking mechanism.
190If
191.Dv O_EXCL
192is set and the last component of the pathname is
193a symbolic link,
194.Fn open
195will fail even if the symbolic
196link points to a non-existent name.
197If the
198.Dv O_NONBLOCK
199flag is specified and the
200.Fn open
201system call would result
202in the process being blocked for some reason (e.g., waiting for
203carrier on a dialup line),
204.Fn open
205returns immediately.
206The descriptor remains in non-blocking mode for subsequent operations.
207.Pp
208If
209.Dv O_SYNC
210is used in the mask, all writes will
211immediately and synchronously be written to disk.
212.Dv O_FSYNC
213is an historical synonym for
214.Dv O_SYNC .
215.Pp
216If
217.Dv O_DSYNC
218is used in the mask, all data and metadata required to read the data will be
219synchronously written to disk, but changes to metadata such as file access and
220modification timestamps may be written later.
221.Pp
222If
223.Dv O_NOFOLLOW
224is used in the mask and the target file passed to
225.Fn open
226is a symbolic link then the
227.Fn open
228will fail.
229.Pp
230When opening a file, a lock with
231.Xr flock 2
232semantics can be obtained by setting
233.Dv O_SHLOCK
234for a shared lock, or
235.Dv O_EXLOCK
236for an exclusive lock.
237If creating a file with
238.Dv O_CREAT ,
239the request for the lock will never fail
240(provided that the underlying file system supports locking).
241.Pp
242.Dv O_DIRECT
243may be used to minimize or eliminate the cache effects of reading and writing.
244The system will attempt to avoid caching the data you read or write.
245If it cannot avoid caching the data,
246it will minimize the impact the data has on the cache.
247Use of this flag can drastically reduce performance if not used with care.
248.Pp
249.Dv O_NOCTTY
250may be used to ensure the OS does not assign this file as the
251controlling terminal when it opens a tty device.
252This is the default on
253.Fx ,
254but is present for
255POSIX
256compatibility.
257The
258.Fn open
259system call will not assign controlling terminals on
260.Fx .
261.Pp
262.Dv O_TTY_INIT
263may be used to ensure the OS restores the terminal attributes when
264initially opening a TTY.
265This is the default on
266.Fx ,
267but is present for
268POSIX
269compatibility.
270The initial call to
271.Fn open
272on a TTY will always restore default terminal attributes on
273.Fx .
274.Pp
275.Dv O_DIRECTORY
276may be used to ensure the resulting file descriptor refers to a
277directory.
278This flag can be used to prevent applications with elevated privileges
279from opening files which are even unsafe to open with
280.Dv O_RDONLY ,
281such as device nodes.
282.Pp
283.Dv O_CLOEXEC
284may be used to set
285.Dv FD_CLOEXEC
286flag for the newly returned file descriptor.
287.Pp
288.Dv O_VERIFY
289may be used to indicate to the kernel that the contents of the file should
290be verified before allowing the open to proceed.
291The details of what
292.Dq verified
293means is implementation specific.
294The run-time linker (rtld) uses this flag to ensure shared objects have
295been verified before operating on them.
296.Pp
297.Dv O_RESOLVE_BENEATH
298returns
299.Er ENOTCAPABLE
300if any intermediate component of the specified relative path does not
301reside in the directory hierarchy beneath the starting directory.
302Absolute paths or even the temporal escape from beneath of the starting
303directory is not allowed.
304.Pp
305When
306.Fa fd
307is opened with
308.Dv O_SEARCH ,
309execute permissions are checked at open time.
310The
311.Fa fd
312may not be used for any read operations like
313.Xr getdirentries 2 .
314The primary use for this descriptor will be as the lookup descriptor for the
315.Fn *at
316family of functions.
317If
318.Dv O_SEARCH
319was not requested at open time, then the
320.Fn *at
321functions use the current directory permissions for the directory referenced
322by the descriptor at the time of the call.
323.Pp
324.Dv O_PATH
325returns a file descriptor that can be used as a directory file descriptor for
326.Fn openat
327and other system calls taking a file descriptor argument, like
328.Xr fstatat 2
329and others.
330The other functionality of the returned file descriptor is limited to
331the descriptor-level operations.
332It can be used for
333.Bl -tag -width readlinkat(2) -offset indent -compact
334.It Xr fcntl 2
335but advisory locking is not allowed
336.It Xr dup 2
337.It Xr close 2
338.It Xr fstat 2
339.It Xr fexecve 2
340.It Dv SCM_RIGHTS
341can be passed over a
342.Xr unix 4
343socket using a
344.Dv SCM_RIGHTS
345message
346.It Xr kqueue 2
347using for
348.Dv EVFILT_VNODE
349.It Xr readlinkat 2
350.It Xr __acl_get_fd 2 , Xr __acl_aclcheck_fd 2
351.El
352But operations like
353.Xr read 2 ,
354.Xr ftruncate 2 ,
355and any other that operate on file and not on file descriptor (except
356.Xr fstat 2 ),
357are not allowed.
358.Pp
359A file descriptor created with the
360.Dv O_PATH
361flag can be opened into normal (operable) file descriptor by
362specifying it as the
363.Fa fd
364argument to
365.Fn openat
366with empty
367.Fa path
368and flag
369.Dv O_EMPTY_PATH .
370Such an open behaves as if the current path of the file referenced by
371.Fa fd
372is passed, except that the path walk permissions are not checked.
373See also the description of
374.Dv AT_EMPTY_PATH
375flag for
376.Xr fstatat 2
377and related syscalls.
378.Pp
379If successful,
380.Fn open
381returns a non-negative integer, termed a file descriptor.
382It returns \-1 on failure.
383The file pointer used to mark the current position within the
384file is set to the beginning of the file.
385.Pp
386If a sleeping open of a device node from
387.Xr devfs 4
388is interrupted by a signal, the call always fails with
389.Er EINTR ,
390even if the
391.Dv SA_RESTART
392flag is set for the signal.
393A sleeping open of a fifo (see
394.Xr mkfifo 2 )
395is restarted as normal.
396.Pp
397When a new file is created it is given the group of the directory
398which contains it.
399.Pp
400Unless
401.Dv O_CLOEXEC
402flag was specified,
403the new descriptor is set to remain open across
404.Xr execve 2
405system calls; see
406.Xr close 2 ,
407.Xr fcntl 2
408and
409.Dv O_CLOEXEC
410description.
411.Pp
412The system imposes a limit on the number of file descriptors
413open simultaneously by one process.
414The
415.Xr getdtablesize 2
416system call returns the current system limit.
417.Sh RETURN VALUES
418If successful,
419.Fn open
420and
421.Fn openat
422return a non-negative integer, termed a file descriptor.
423They return \-1 on failure, and set
424.Va errno
425to indicate the error.
426.Sh ERRORS
427The named file is opened unless:
428.Bl -tag -width Er
429.It Bq Er ENOTDIR
430A component of the path prefix is not a directory.
431.It Bq Er ENAMETOOLONG
432A component of a pathname exceeded 255 characters,
433or an entire path name exceeded 1023 characters.
434.It Bq Er ENOENT
435.Dv O_CREAT
436is not set and the named file does not exist.
437.It Bq Er ENOENT
438A component of the path name that must exist does not exist.
439.It Bq Er EACCES
440Search permission is denied for a component of the path prefix.
441.It Bq Er EACCES
442The required permissions (for reading and/or writing)
443are denied for the given flags.
444.It Bq Er EACCES
445.Dv O_TRUNC
446is specified and write permission is denied.
447.It Bq Er EACCES
448.Dv O_CREAT
449is specified,
450the file does not exist,
451and the directory in which it is to be created
452does not permit writing.
453.It Bq Er EPERM
454.Dv O_CREAT
455is specified, the file does not exist, and the directory in which it is to be
456created has its immutable flag set, see the
457.Xr chflags 2
458manual page for more information.
459.It Bq Er EPERM
460The named file has its immutable flag set and the file is to be modified.
461.It Bq Er EPERM
462The named file has its append-only flag set, the file is to be modified, and
463.Dv O_TRUNC
464is specified or
465.Dv O_APPEND
466is not specified.
467.It Bq Er ELOOP
468Too many symbolic links were encountered in translating the pathname.
469.It Bq Er EISDIR
470The named file is a directory, and the arguments specify
471it is to be modified.
472.It Bq Er EISDIR
473The named file is a directory, and the flags specified
474.Dv O_CREAT
475without
476.Dv O_DIRECTORY .
477.It Bq Er EROFS
478The named file resides on a read-only file system,
479and the file is to be modified.
480.It Bq Er EROFS
481.Dv O_CREAT
482is specified and the named file would reside on a read-only file system.
483.It Bq Er EMFILE
484The process has already reached its limit for open file descriptors.
485.It Bq Er ENFILE
486The system file table is full.
487.It Bq Er EMLINK
488.Dv O_NOFOLLOW
489was specified and the target is a symbolic link.
490POSIX
491specifies a different error for this case; see the note in
492.Sx STANDARDS
493below.
494.It Bq Er ENXIO
495The named file is a character special or block
496special file, and the device associated with this special file
497does not exist.
498.It Bq Er ENXIO
499.Dv O_NONBLOCK
500is set, the named file is a fifo,
501.Dv O_WRONLY
502is set, and no process has the file open for reading.
503.It Bq Er EINTR
504The
505.Fn open
506operation was interrupted by a signal.
507.It Bq Er EOPNOTSUPP
508.Dv O_SHLOCK
509or
510.Dv O_EXLOCK
511is specified but the underlying file system does not support locking.
512.It Bq Er EOPNOTSUPP
513The named file is a special file mounted through a file system that
514does not support access to it (e.g.\& NFS).
515.It Bq Er EWOULDBLOCK
516.Dv O_NONBLOCK
517and one of
518.Dv O_SHLOCK
519or
520.Dv O_EXLOCK
521is specified and the file is locked.
522.It Bq Er ENOSPC
523.Dv O_CREAT
524is specified,
525the file does not exist,
526and the directory in which the entry for the new file is being placed
527cannot be extended because there is no space left on the file
528system containing the directory.
529.It Bq Er ENOSPC
530.Dv O_CREAT
531is specified,
532the file does not exist,
533and there are no free inodes on the file system on which the
534file is being created.
535.It Bq Er EDQUOT
536.Dv O_CREAT
537is specified,
538the file does not exist,
539and the directory in which the entry for the new file
540is being placed cannot be extended because the
541user's quota of disk blocks on the file system
542containing the directory has been exhausted.
543.It Bq Er EDQUOT
544.Dv O_CREAT
545is specified,
546the file does not exist,
547and the user's quota of inodes on the file system on
548which the file is being created has been exhausted.
549.It Bq Er EIO
550An I/O error occurred while making the directory entry or
551allocating the inode for
552.Dv O_CREAT .
553.It Bq Er EINTEGRITY
554Corrupted data was detected while reading from the file system.
555.It Bq Er ETXTBSY
556The file is a pure procedure (shared text) file that is being
557executed and the
558.Fn open
559system call requests write access.
560.It Bq Er EFAULT
561The
562.Fa path
563argument
564points outside the process's allocated address space.
565.It Bq Er EEXIST
566.Dv O_CREAT
567and
568.Dv O_EXCL
569were specified and the file exists.
570.It Bq Er EOPNOTSUPP
571An attempt was made to open a socket (not currently implemented).
572.It Bq Er EINVAL
573An attempt was made to open a descriptor with an illegal combination
574of
575.Dv O_RDONLY ,
576.Dv O_WRONLY ,
577or
578.Dv O_RDWR ,
579and
580.Dv O_EXEC
581or
582.Dv O_SEARCH .
583.It Bq Er EINVAL
584.Dv O_CREAT
585is specified,
586and the last component of the
587.Fa path
588argument is invalid on the file system on which the file is being created.
589.It Bq Er EBADF
590The
591.Fa path
592argument does not specify an absolute path and the
593.Fa fd
594argument is
595neither
596.Dv AT_FDCWD
597nor a valid file descriptor open for searching.
598.It Bq Er ENOTDIR
599The
600.Fa path
601argument is not an absolute path and
602.Fa fd
603is neither
604.Dv AT_FDCWD
605nor a file descriptor associated with a directory.
606.It Bq Er ENOTDIR
607.Dv O_DIRECTORY
608is specified and the file is not a directory.
609.It Bq Er ECAPMODE
610.Dv AT_FDCWD
611is specified and the process is in capability mode.
612.It Bq Er ECAPMODE
613.Fn open
614was called and the process is in capability mode.
615.It Bq Er ENOTCAPABLE
616.Fa path
617is an absolute path and the process is in capability mode.
618.It Bq Er ENOTCAPABLE
619.Fa path
620is an absolute path and
621.Dv O_RESOLVE_BENEATH
622is specified.
623.It Bq Er ENOTCAPABLE
624.Fa path
625contains a ".." component leading to a directory outside
626of the directory hierarchy specified by
627.Fa fd
628and the process is in capability mode.
629.It Bq Er ENOTCAPABLE
630.Fa path
631contains a ".." component leading to a directory outside
632of the directory hierarchy specified by
633.Fa fd
634and
635.Dv O_RESOLVE_BENEATH
636is specified.
637.It Bq Er ENOTCAPABLE
638.Fa path
639contains a ".." component, the
640.Dv vfs.lookup_cap_dotdot
641.Xr sysctl 3
642is set, and the process is in capability mode.
643.El
644.Sh SEE ALSO
645.Xr chmod 2 ,
646.Xr close 2 ,
647.Xr dup 2 ,
648.Xr fexecve 2 ,
649.Xr fhopen 2 ,
650.Xr getdtablesize 2 ,
651.Xr getfh 2 ,
652.Xr lgetfh 2 ,
653.Xr lseek 2 ,
654.Xr read 2 ,
655.Xr umask 2 ,
656.Xr write 2 ,
657.Xr fopen 3 ,
658.Xr capsicum 4
659.Sh STANDARDS
660These functions are specified by
661.St -p1003.1-2008 .
662.Pp
663.Fx
664sets
665.Va errno
666to
667.Er EMLINK instead of
668.Er ELOOP
669as specified by
670POSIX
671when
672.Dv O_NOFOLLOW
673is set in flags and the final component of pathname is a symbolic link
674to distinguish it from the case of too many symbolic link traversals
675in one of its non-final components.
676.Pp
677The Open Group Extended API Set 2 specification, that introduced the
678.Fn *at
679API, required that the test for whether
680.Fa fd
681is searchable is based on whether
682.Fa fd
683is open for searching, not whether the underlying directory currently
684permits searches.
685The present implementation of the
686.Fa openat
687system call is believed to be compatible with
688.\" .St -p1003.1-2017 ,
689.\" XXX: This should be replaced in the future when an appropriate argument to
690.\" the St macro is available: -p1003.1-2017
691.No IEEE Std 1003.1-2008, 2017 Edition (\\(LqPOSIX.1\\(Rq) ,
692which specifies that behavior for
693.Dv O_SEARCH ,
694in the absence of the flag the implementation checks the current
695permissions of a directory.
696.Sh HISTORY
697The
698.Fn open
699function appeared in
700.At v1 .
701The
702.Fn openat
703function was introduced in
704.Fx 8.0 .
705.Dv O_DSYNC
706appeared in 13.0.
707.Sh BUGS
708The
709.Fa mode
710argument is variadic and may result in different calling conventions
711than might otherwise be expected.
712