1.\" 2.\" Sun Microsystems, Inc. gratefully acknowledges The Open Group for 3.\" permission to reproduce portions of its copyrighted documentation. 4.\" Original documentation from The Open Group can be obtained online at 5.\" http://www.opengroup.org/bookstore/. 6.\" 7.\" The Institute of Electrical and Electronics Engineers and The Open 8.\" Group, have given us permission to reprint portions of their 9.\" documentation. 10.\" 11.\" In the following statement, the phrase ``this text'' refers to portions 12.\" of the system documentation. 13.\" 14.\" Portions of this text are reprinted and reproduced in electronic form 15.\" in the SunOS Reference Manual, from IEEE Std 1003.1, 2004 Edition, 16.\" Standard for Information Technology -- Portable Operating System 17.\" Interface (POSIX), The Open Group Base Specifications Issue 6, 18.\" Copyright (C) 2001-2004 by the Institute of Electrical and Electronics 19.\" Engineers, Inc and The Open Group. In the event of any discrepancy 20.\" between these versions and the original IEEE and The Open Group 21.\" Standard, the original IEEE and The Open Group Standard is the referee 22.\" document. The original Standard can be obtained online at 23.\" http://www.opengroup.org/unix/online.html. 24.\" 25.\" This notice shall appear on any product containing this material. 26.\" 27.\" The contents of this file are subject to the terms of the 28.\" Common Development and Distribution License (the "License"). 29.\" You may not use this file except in compliance with the License. 30.\" 31.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 32.\" or http://www.opensolaris.org/os/licensing. 33.\" See the License for the specific language governing permissions 34.\" and limitations under the License. 35.\" 36.\" When distributing Covered Code, include this CDDL HEADER in each 37.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE. 38.\" If applicable, add the following below this CDDL HEADER, with the 39.\" fields enclosed by brackets "[]" replaced with your own identifying 40.\" information: Portions Copyright [yyyy] [name of copyright owner] 41.\" 42.\" 43.\" Copyright 1989 AT&T. 44.\" Portions Copyright (c) 1992, X/Open Company Limited. All Rights Reserved. 45.\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved. 46.\" Copyright 2014 Garrett D'Amore <garrett@damore.org> 47.\" Copyright 2015, Joyent, Inc. 48.\" Copyright 2025 Oxide Computer Company 49.\" 50.Dd June 25, 2025 51.Dt EXEC 2 52.Os 53.Sh NAME 54.Nm exec , 55.Nm execl , 56.Nm execle , 57.Nm execlp , 58.Nm execv , 59.Nm execve , 60.Nm execvp , 61.Nm execvpe , 62.Nm fexecve 63.Nd execute a file 64.Sh SYNOPSIS 65.In unistd.h 66.Ft int 67.Fo execl 68.Fa "const char *path" 69.Fa "const char *arg0" 70.Fa "..." 71.Fa NULL 72.Fc 73.Ft int 74.Fo execv 75.Fa "const char *path" 76.Fa "char *const argv[]" 77.Fc 78.Ft int 79.Fo execle 80.Fa "const char *path" 81.Fa "const char *arg0" 82.Fa "..." 83.Fa NULL 84.Fa "char *const envp[]" 85.Fc 86.Ft int 87.Fo execve 88.Fa "const char *path" 89.Fa "char *const argv[]" 90.Fa "char *const envp[]" 91.Fc 92.Ft int 93.Fo execlp 94.Fa "const char *file" 95.Fa "const char *arg0" 96.Fa "..." 97.Fa NULL 98.Fc 99.Ft int 100.Fo execvp 101.Fa "const char *file" 102.Fa "char *const argv[]" 103.Fc 104.Ft int 105.Fo execvpe 106.Fa "const char *file" 107.Fa "char *const argv[]" 108.Fa "char *const envp[]" 109.Fc 110.Ft int 111.Fo fexecve 112.Fa "int fd" 113.Fa "char *const argv[]" 114.Fa "char *const envp[]" 115.Fc 116.Sh DESCRIPTION 117Each of the functions in the 118.Nm 119family replaces the current process image with a new process image. 120The new image is constructed from a regular, executable file called the new 121process image file. 122This file is either an executable object file or a file of data for an 123interpreter. 124There is no return from a successful call to one of these functions because the 125calling process image is overlaid by the new process image. 126.Pp 127An interpreter file begins with a line of the form 128.Pp 129.Dl #! Pa pathname Op Ar arg 130.Pp 131where 132.Pa pathname 133is the path of the interpreter, and 134.Ar arg 135is an optional argument. 136When an interpreter file is executed, the system invokes the specified 137interpreter. 138The pathname specified in the interpreter file is passed as 139.Fa arg0 140to the interpreter. 141If 142.Ar arg 143was specified in the interpreter file, it is passed as 144.Fa arg1 145to the interpreter. 146The remaining arguments to the interpreter are 147.Fa arg0 148through 149.Fa argn 150of the originally exec'd file. 151The interpreter named by 152.Pa pathname 153may also be an interpreter file. 154There can be up to four nested interpreter files before the final interpreter. 155The setid bits on nested interpreters are silently ignored. 156.Pp 157When a C-language program is executed as a result of this call, it is entered 158as a C-language function call as follows: 159.Pp 160.Dl int main Ns (int Fa argc Ns No , char * Ns Fa argv[])\&; 161.Pp 162where 163.Fa argc 164is the argument count and 165.Fa argv 166is an array of character pointers to the arguments themselves. 167In addition, the following variable: 168.Pp 169.Dl Va "extern char **environ\&;" 170.Pp 171is initialized as a pointer to an array of character pointers to the 172environment strings. 173The 174.Fa argv 175and 176.Va environ 177arrays are each terminated by a null pointer. 178The null pointer terminating the 179.Fa argv 180array is not counted in 181.Fa argc . 182.Pp 183The value of 184.Fa argc 185is non-negative, and if greater than 0, 186.Fa argv[0] 187points to a string containing the name of the file. 188If 189.Fa argc 190is 0, 191.Fa argv[0] 192is a null pointer, in which case there are no arguments. 193Applications should verify that 194.Fa argc 195is greater than 0 or that 196.Fa argv[0] 197is not a null pointer before dereferencing 198.Fa argv[0] . 199.Pp 200The arguments specified by a program with one of the 201.Nm 202functions are passed on to the new process image in the 203.Fn main 204arguments. 205.Pp 206The 207.Fa path 208argument points to a path name that identifies the new process image file. 209.Pp 210The 211.Fa file 212argument is used to construct a pathname that identifies the new process image 213file. 214If the 215.Fa file 216argument contains a slash character, it is used as the pathname for this file. 217Otherwise, the path prefix for this file is obtained by a search of the 218directories passed in the 219.Ev PATH 220environment variable 221.Po 222see 223.Xr environ 7 224.Pc . 225The environment is supplied typically by the shell. 226If the process image file is not a valid executable object file, 227.Fn execlp , 228.Fn execvp , 229and 230.Fn execvpe 231use the contents of that file as standard input to the shell. 232In this case, the shell becomes the new process image. 233The standard to which the caller conforms determines which shell is used. 234See 235.Xr standards 7 . 236.Pp 237The 238.Fn fexecve 239function is equivalent to 240.Fn execve , 241except that instead of using a named file, the file referenced by the file 242descriptor 243.Fa fd 244is used. 245Note that this file descriptor must reference a regular file which has 246typically been opened with 247.Dv O_EXEC . 248defined in 249.In fcntl.h . 250The image is loaded from offset zero of the file, regardless of the offset of 251fd. 252.Pp 253The arguments represented by 254.Fa arg0 Ns No \&... 255are pointers to null-terminated character strings. 256These strings constitute the argument list available to the new process image. 257The list is terminated by a null pointer. 258The 259.Fa arg0 260argument should point to a filename that is associated with the process being 261started by one of the 262.Nm 263functions. 264.Pp 265The 266.Fa argv 267argument is an array of character pointers to null-terminated strings. 268The last member of this array must be a null pointer. 269These strings constitute the argument list available to the new process image. 270The value in 271.Fa argv[0] 272should point to a filename that is associated with the process being started by 273one of the 274.Nm 275functions. 276.Pp 277The 278.Fa envp 279argument is an array of character pointers to null-terminated strings. 280These strings constitute the environment for the new process image. 281The 282.Fa envp 283array is terminated by a null pointer. 284For 285.Fn execl , 286.Fn execv , 287.Fn execvp , 288and 289.Fn execlp , 290the C-language run-time start-off routine places a pointer to the environment 291of the calling process in the global object 292.Va extern char **environ , 293and it is used to pass the environment of the calling process to the new 294process image. 295.Pp 296The number of bytes available for the new process's combined argument and 297environment lists is 298.Dv ARG_MAX . 299It is implementation-dependent whether null terminators, pointers, and/or any 300alignment bytes are included in this total. 301.Pp 302File descriptors open in the calling process image remain open in the new 303process image, except for those whose close-on-exec flag 304.Dv FD_CLOEXEC 305is set. 306For those file descriptors that remain open, most attributes of the open file 307descriptor, including file locks, remain unchanged; however, the close-on-fork 308flag 309.Dv FD_CLOFORK 310is cleared from all file descriptors. 311See 312.Xr fcntl 2 313for more information on 314.Dv FD_CLOEXEC 315and 316.Dv FD_CLOFORK . 317.Pp 318The preferred hardware address translation size 319.Po 320see 321.Xr memcntl 2 322.Pc 323for the stack and heap of the new process image are set to the default system 324page size. 325.Pp 326Directory streams open in the calling process image are closed in the new 327process image. 328.Pp 329The state of conversion descriptors and message catalogue descriptors in the 330new process image is undefined. 331For the new process, the equivalent of: 332.Pp 333.Dl setlocale(LC_ALL, \&"C"); 334.Pp 335is executed at startup. 336.Pp 337Signals set to the default action 338.Po 339.Dv SIG_DFL 340.Pc 341in the calling process image are set to the default action in the new process 342image 343.Po 344see 345.Xr signal 3C 346.Pc . 347Signals set to be ignored 348.Po 349.Dv SIG_IGN 350.Pc 351by the calling process image are set to be ignored by the new process image. 352Signals set to be caught by the calling process image are set to the default 353action in the new process image 354.Po 355see 356.Xr signal.h 3HEAD 357.Pc . 358After a successful call to any of the 359.Nm 360functions, alternate signal stacks are not preserved and the 361.Dv SA_ONSTACK 362flag is cleared for all signals. 363.Pp 364After a successful call to any of the 365.Nm 366functions, any functions previously registered by 367.Xr atexit 3C 368are no longer registered. 369.Pp 370The saved resource limits in the new process image are set to be a copy of the 371process's corresponding hard and soft resource limits. 372.Pp 373If the 374.Dv ST_NOSUID 375bit is set for the file system containing the new process image file, then the 376effective user ID and effective group ID are unchanged in the new process 377image. 378If the set-user-ID mode bit of the new process image file is set 379.Po 380see 381.Xr chmod 2 382.Pc , 383the effective user ID of the new process image is set to the owner ID of the 384new process image file. 385Similarly, if the set-group-ID mode bit of the new process image file is set, 386the effective group ID of the new process image is set to the group ID of the 387new process image file. 388The real user ID and real group ID of the new process image remain the same as 389those of the calling process image. 390The effective user ID and effective group ID of the new process image are saved 391.Pq as the saved set-user-ID and the saved set-group-ID 392for use by 393.Xr setuid 2 . 394.Pp 395The privilege sets are changed according to the following rules: 396.Bl -enum -offset indent 397.It 398The inheritable set, I, is intersected with the limit set, L. 399This mechanism enforces the limit set for processes. 400.It 401The effective set, E, and the permitted set, P, are made equal to the new 402inheritable set. 403.El 404.Pp 405The system attempts to set the privilege-aware state to non-PA both before 406performing any modifications to the process IDs and privilege sets as well as 407after completing the transition to new UIDs and privilege sets, following the 408rules outlined in 409.Xr privileges 7 . 410.Pp 411If the 412.Brq Dv PRIV_PROC_OWNER 413privilege is asserted in the effective set, the set-user-ID and set-group-ID 414bits will be honored when the process is being controlled by 415.Xr ptrace 3C . 416Additional restrictions can apply when the traced process has an effective UID 417of 0. 418See 419.Xr privileges 7 . 420.Pp 421Any shared memory segments attached to the calling process image will not be 422attached to the new process image 423.Po 424see 425.Xr shmop 2 426.Pc . 427Any mappings established through 428.Fn mmap 429are not preserved across an 430.Nm . 431Memory mappings created in the process are unmapped before the address space is 432rebuilt for the new process image. 433See 434.Xr mmap 2 . 435.Pp 436Memory locks established by the calling process via calls to 437.Xr mlockall 3C 438or 439.Xr mlock 3C 440are removed. 441If locked pages in the address space of the calling process are also mapped 442into the address spaces the locks established by the other processes will be 443unaffected by the call by this process to the 444.Nm 445function. 446If the 447.Nm 448function fails, the effect on memory locks is unspecified. 449.Pp 450If 451.Dv _XOPEN_REALTIME 452is defined and has a value other than \-1, any named semaphores open in the 453calling process are closed as if by appropriate calls to 454.Xr sem_close 3C . 455.Pp 456Profiling is disabled for the new process; see 457.Xr profil 2 . 458.Pp 459Timers created by the calling process with 460.Xr timer_create 3C 461are deleted before replacing the current process image with the new process 462image. 463.Pp 464For the 465.Dv SCHED_FIFO 466and 467.Dv SCHED_RR 468scheduling policies, the policy and priority settings are not changed by a call 469to an 470.Nm 471function. 472.Pp 473All open message queue descriptors in the calling process are closed, as 474described in 475.Xr mq_close 3C . 476.Pp 477Any outstanding asynchronous I/O operations may be cancelled. 478Those asynchronous I/O operations that are not canceled will complete as if the 479.Nm 480function had not yet occurred, but any associated signal notifications are 481suppressed. 482It is unspecified whether the 483.Nm 484function itself blocks awaiting such I/O completion. 485In no event, however, will the new process image created by the 486.Nm 487function be affected by the presence of outstanding asynchronous I/O operations 488at the time the 489.Nm 490function is called. 491.Pp 492All active contract templates are cleared 493.Po 494see 495.Xr contract 5 496.Pc . 497.Pp 498The new process also inherits the following attributes from the calling process: 499.Bl -bullet -offset Ds 500.It 501controlling terminal 502.It 503current working directory 504.It 505file-locks 506.Po 507see 508.Xr fcntl 2 509and 510.Xr lockf 3C 511.Pc 512.It 513file mode creation mask 514.Po 515see 516.Xr umask 2 517.Pc 518.It 519file size limit 520.Po 521see 522.Xr ulimit 2 523.Pc 524.It 525limit privilege set 526.It 527nice value 528.Po 529see 530.Xr nice 2 531.Pc 532.It 533parent process ID 534.It 535pending signals 536.Po 537see 538.Xr sigpending 2 539.Pc 540.It 541privilege debugging flag 542.Po 543see 544.Xr privileges 7 545and 546.Xr getpflags 2 547.Pc 548.It 549process ID 550.It 551process contract 552.Po 553see 554.Xr contract 5 555and 556.Xr process 5 557.Pc 558.It 559process group ID 560.It 561process signal mask 562.Po 563see 564.Xr sigprocmask 2 565.Pc 566.It 567processor bindings 568.Po 569see 570.Xr processor_bind 2 571.Pc 572.It 573processor set bindings 574.Po 575see 576.Xr pset_bind 2 577.Pc 578.It 579project ID 580.It 581real group ID 582.It 583real user ID 584.It 585resource limits 586.Po 587see 588.Xr getrlimit 2 589.Pc 590.It 591root directory 592.It 593scheduler class and priority 594.Po 595see 596.Xr priocntl 2 597.Pc 598.It 599semadj values 600.Po 601see 602.Xr semop 2 603.Pc 604.It 605session membership 606.Po 607see 608.Xr exit 2 609and 610.Xr signal 3C 611.Pc 612.It 613supplementary group IDs 614.It 615task ID 616.It 617time left until an alarm clock signal 618.Po 619see 620.Xr alarm 2 621.Pc 622.It 623.Fa tms_utime , 624.Fa tms_stime , 625.Fa tms_cutime , 626and 627.Fa tms_cstime 628.Po 629see 630.Xr times 2 631.Pc 632.It 633trace flag 634.Po 635see 636.Xr ptrace 3C 637request 0 638.Pc 639.El 640.Pp 641A call to any 642.Nm 643function from a process with more than one thread results in all threads being 644terminated and the new executable image being loaded and executed. 645No destructor functions will be called. 646.Pp 647Upon successful completion, each of the functions in the 648.Nm 649family marks for update the 650.Fa st_atime 651field of the file. 652If an 653.Nm 654function failed but was able to locate the process image file, whether the 655.Fa st_atime 656field is marked for update is unspecified. 657Should the function succeed, the process image file is considered to have been 658opened with 659.Xr open 2 . 660The corresponding 661.Xr close 2 662is considered to occur at a time after this open, but before process 663termination or successful completion of a subsequent call to one of the 664.Nm 665functions. 666The 667.Fa argv[] 668and 669.Fa envp[] 670arrays of pointers and the strings to which those arrays point will not be 671modified by a call to one of the 672.Nm 673functions, except as a consequence of replacing the process image. 674.Pp 675The saved resource limits in the new process image are set to be a copy of the 676process's corresponding hard and soft limits. 677.Sh RETURN VALUES 678If a function in the 679.Nm 680family returns to the calling process image, an error has occurred; the return 681value is \-1 and 682.Va errno 683is set to indicate the error. 684.Sh ERRORS 685The 686.Nm 687functions will fail if: 688.Bl -tag -width Er 689.It Er E2BIG 690The number of bytes in the new process's argument list is greater than the 691system-imposed limit of 692.Dv ARG_MAX 693bytes. 694The argument list limit is sum of the size of the argument list plus the size 695of the environment's exported shell variables. 696.It Er EACCES 697Search permission is denied for a directory listed in the new process file's 698path prefix. 699.Pp 700The new process file is not an ordinary file. 701.Pp 702The new process file mode denies execute permission. 703.Pp 704The 705.Brq Dv FILE_DAC_SEARCH 706privilege overrides the restriction on directory searches. 707.Pp 708The 709.Brq Dv FILE_DAC_EXECUTE 710privilege overrides the lack of execute permission. 711.It Er EAGAIN 712Total amount of system memory available when reading using raw I/O is 713temporarily insufficient. 714.It Er EFAULT 715An argument points to an illegal address. 716.It Er EINVAL 717The new process image file has the appropriate permission and has a recognized 718executable binary format, but the system does not support execution of a file 719with this format. 720.It Er EINTR 721A signal was caught during the execution of one of the functions in the 722.Nm 723family. 724.El 725.Pp 726The 727.Nm 728functions except for 729.Fn fexecve 730will fail if: 731.Bl -tag -width Ds 732.It Er ELOOP 733Too many symbolic links were encountered in translating 734.Fa path 735or 736.Fa file , 737or too many nested interpreter files. 738.It Er ENAMETOOLONG 739The length of the 740.Fa file 741or 742.Fa path 743argument exceeds 744.Dv PATH_MAX , 745or the length of a 746.Fa file 747or 748.Fa path 749component exceeds 750.Dv NAME_MAX 751while 752.Dv _POSIX_NO_TRUNC 753is in effect. 754.It Er ENOENT 755One or more components of the new process path name of the file do not exist or 756is a null pathname. 757.It Er ENOLINK 758The 759.Fa path 760argument points to a remote machine and the link to that machine is no longer 761active. 762.It Er ENOTDIR 763A component of the new process path of the file prefix is not a directory. 764.El 765.Pp 766The 767.Nm 768functions, except for 769.Fn execlp , 770.Fn execvp , 771and 772.Fn execvpe , 773will fail if: 774.Bl -tag -width Ds 775.It Er ENOEXEC 776The new process image file has the appropriate access permission but is not in 777the proper format. 778.El 779.Pp 780The 781.Fn fexecve 782function will fail if: 783.Bl -tag -width Ds 784.It Er EBADF 785The 786.Fa fd 787argument is not a valid file descriptor opened for execution. 788.It Er ENOMEM 789There was insufficient memory for constructing the path corresponding to the 790file descriptor. 791.El 792.Pp 793The 794.Nm 795functions except for 796.Fn fexecve 797may fail if: 798.Bl -tag -width Ds 799.It Er ENAMETOOLONG 800Pathname resolution of a symbolic link produced an intermediate result whose 801length exceeds 802.Dv PATH_MAX . 803.El 804.Pp 805The 806.Nm 807functions may fail if: 808.Bl -tag -width Ds 809.It Er ENOMEM 810The new process image requires more memory than is allowed by the hardware or 811system-imposed by memory management constraints. 812See 813.Xr brk 2 . 814.It Er ETXTBSY 815The new process image file is a pure procedure 816.Pq shared text 817file that is currently open for writing by some process. 818.El 819.Sh USAGE 820As the state of conversion descriptors and message catalogue descriptors in the 821new process image is undefined, portable applications should not rely on their 822use and should close them prior to calling one of the 823.Nm 824functions. 825.Pp 826Applications that require other than the default POSIX locale should call 827.Xr setlocale 3C 828with the appropriate parameters to establish the locale of the new process. 829.Pp 830The 831.Fa environ 832array should not be accessed directly by the application. 833.Sh INTERFACE STABILITY 834.Sy Committed 835.Sh MT-LEVEL 836The 837.Fn execle , 838.Fn execve 839and 840.Fn fexecve 841functions are 842.Sy Async-Signal-Safe 843.Sh SEE ALSO 844.Xr ksh 1 , 845.Xr ps 1 , 846.Xr sh 1 , 847.Xr alarm 2 , 848.Xr brk 2 , 849.Xr chmod 2 , 850.Xr close 2 , 851.Xr exit 2 , 852.Xr fcntl 2 , 853.Xr fork 2 , 854.Xr getpflags 2 , 855.Xr getrlimit 2 , 856.Xr memcntl 2 , 857.Xr mmap 2 , 858.Xr nice 2 , 859.Xr open 2 , 860.Xr priocntl 2 , 861.Xr processor_bind 2 , 862.Xr profil 2 , 863.Xr pset_bind 2 , 864.Xr semop 2 , 865.Xr setuid 2 , 866.Xr shmop 2 , 867.Xr sigpending 2 , 868.Xr sigprocmask 2 , 869.Xr times 2 , 870.Xr ulimit 2 , 871.Xr umask 2 , 872.Xr atexit 3C , 873.Xr lockf 3C , 874.Xr mlock 3C , 875.Xr mlockall 3C , 876.Xr mq_close 3C , 877.Xr ptrace 3C , 878.Xr sem_close 3C , 879.Xr setlocale 3C , 880.Xr signal 3C , 881.Xr system 3C , 882.Xr timer_create 3C , 883.Xr signal.h 3HEAD , 884.Xr a.out 5 , 885.Xr contract 5 , 886.Xr process 5 , 887.Xr attributes 7 , 888.Xr environ 7 , 889.Xr privileges 7 , 890.Xr standards 7 891.Sh WARNINGS 892If a program is setuid to a user ID other than the superuser, and the program 893is executed when the real user ID is super-user, then the program has some of 894the powers of a super-user as well. 895