xref: /illumos-gate/usr/src/man/man2/exec.2 (revision 590e0b5da08d7261161e979afc4bf4aa0f543574)
1.\"
2.\" Sun Microsystems, Inc. gratefully acknowledges The Open Group for
3.\" permission to reproduce portions of its copyrighted documentation.
4.\" Original documentation from The Open Group can be obtained online at
5.\" http://www.opengroup.org/bookstore/.
6.\"
7.\" The Institute of Electrical and Electronics Engineers and The Open
8.\" Group, have given us permission to reprint portions of their
9.\" documentation.
10.\"
11.\" In the following statement, the phrase ``this text'' refers to portions
12.\" of the system documentation.
13.\"
14.\" Portions of this text are reprinted and reproduced in electronic form
15.\" in the SunOS Reference Manual, from IEEE Std 1003.1, 2004 Edition,
16.\" Standard for Information Technology -- Portable Operating System
17.\" Interface (POSIX), The Open Group Base Specifications Issue 6,
18.\" Copyright (C) 2001-2004 by the Institute of Electrical and Electronics
19.\" Engineers, Inc and The Open Group.  In the event of any discrepancy
20.\" between these versions and the original IEEE and The Open Group
21.\" Standard, the original IEEE and The Open Group Standard is the referee
22.\" document.  The original Standard can be obtained online at
23.\" http://www.opengroup.org/unix/online.html.
24.\"
25.\" This notice shall appear on any product containing this material.
26.\"
27.\" The contents of this file are subject to the terms of the
28.\" Common Development and Distribution License (the "License").
29.\" You may not use this file except in compliance with the License.
30.\"
31.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
32.\" or http://www.opensolaris.org/os/licensing.
33.\" See the License for the specific language governing permissions
34.\" and limitations under the License.
35.\"
36.\" When distributing Covered Code, include this CDDL HEADER in each
37.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
38.\" If applicable, add the following below this CDDL HEADER, with the
39.\" fields enclosed by brackets "[]" replaced with your own identifying
40.\" information: Portions Copyright [yyyy] [name of copyright owner]
41.\"
42.\"
43.\" Copyright 1989 AT&T.
44.\" Portions Copyright (c) 1992, X/Open Company Limited.  All Rights Reserved.
45.\" Copyright (c) 2008, Sun Microsystems, Inc.  All Rights Reserved.
46.\" Copyright 2014 Garrett D'Amore <garrett@damore.org>
47.\" Copyright 2015, Joyent, Inc.
48.\" Copyright 2024 Oxide Computer Company
49.\"
50.Dd June 21, 2024
51.Dt EXEC 2
52.Os
53.Sh NAME
54.Nm exec ,
55.Nm execl ,
56.Nm execle ,
57.Nm execlp ,
58.Nm execv ,
59.Nm execve ,
60.Nm execvp ,
61.Nm execvpe ,
62.Nm fexecve
63.Nd execute a file
64.Sh SYNOPSIS
65.In unistd.h
66.Ft int
67.Fo execl
68.Fa "const char *path"
69.Fa "const char *arg0"
70.Fa "..."
71.Fa NULL
72.Fc
73.Ft int
74.Fo execv
75.Fa "const char *path"
76.Fa "char *const argv[]"
77.Fc
78.Ft int
79.Fo execle
80.Fa "const char *path"
81.Fa "const char *arg0"
82.Fa "..."
83.Fa NULL
84.Fa "char *const envp[]"
85.Fc
86.Ft int
87.Fo execve
88.Fa "const char *path"
89.Fa "char *const argv[]"
90.Fa "char *const envp[]"
91.Fc
92.Ft int
93.Fo execlp
94.Fa "const char *file"
95.Fa "const char *arg0"
96.Fa "..."
97.Fa NULL
98.Fc
99.Ft int
100.Fo execvp
101.Fa "const char *file"
102.Fa "char *const argv[]"
103.Fc
104.Ft int
105.Fo execvpe
106.Fa "const char *file"
107.Fa "char *const argv[]"
108.Fa "char *const envp[]"
109.Fc
110.Ft int
111.Fo fexecve
112.Fa "int fd"
113.Fa "char *const argv[]"
114.Fa "char *const envp[]"
115.Fc
116.Sh DESCRIPTION
117Each of the functions in the
118.Nm
119family replaces the current process image with a new process image.
120The new image is constructed from a regular, executable file called the new
121process image file.
122This file is either an executable object file or a file of data for an
123interpreter.
124There is no return from a successful call to one of these functions because the
125calling process image is overlaid by the new process image.
126.Pp
127An interpreter file begins with a line of the form
128.Pp
129.Dl #! Pa pathname Op Ar arg
130.Pp
131where
132.Pa pathname
133is the path of the interpreter, and
134.Ar arg
135is an optional argument.
136When an interpreter file is executed, the system invokes the specified
137interpreter.
138The pathname specified in the interpreter file is passed as
139.Fa arg0
140to the interpreter.
141If
142.Ar arg
143was specified in the interpreter file, it is passed as
144.Fa arg1
145to the interpreter.
146The remaining arguments to the interpreter are
147.Fa arg0
148through
149.Fa argn
150of the originally exec'd file.
151The interpreter named by
152.Pa pathname
153may also be an interpreter file.
154There can be up to four nested interpreter files before the final interpreter.
155The setid bits on nested interpreters are silently ignored.
156.Pp
157When a C-language program is executed as a result of this call, it is entered
158as a C-language function call as follows:
159.Pp
160.Dl int main Ns (int Fa argc Ns No , char * Ns Fa argv[])\&;
161.Pp
162where
163.Fa argc
164is the argument count and
165.Fa argv
166is an array of character pointers to the arguments themselves.
167In addition, the following variable:
168.Pp
169.Dl Va "extern char **environ\&;"
170.Pp
171is initialized as a pointer to an array of character pointers to the
172environment strings.
173The
174.Fa argv
175and
176.Va environ
177arrays are each terminated by a null pointer.
178The null pointer terminating the
179.Fa argv
180array is not counted in
181.Fa argc .
182.Pp
183The value of
184.Fa argc
185is non-negative, and if greater than 0,
186.Fa argv[0]
187points to a string containing the name of the file.
188If
189.Fa argc
190is 0,
191.Fa argv[0]
192is a null pointer, in which case there are no arguments.
193Applications should verify that
194.Fa argc
195is greater than 0 or that
196.Fa argv[0]
197is not a null pointer before dereferencing
198.Fa argv[0] .
199.Pp
200The arguments specified by a program with one of the
201.Nm
202functions are passed on to the new process image in the
203.Fn main
204arguments.
205.Pp
206The
207.Fa path
208argument points to a path name that identifies the new process image file.
209.Pp
210The
211.Fa file
212argument is used to construct a pathname that identifies the new process image
213file.
214If the
215.Fa file
216argument contains a slash character, it is used as the pathname for this file.
217Otherwise, the path prefix for this file is obtained by a search of the
218directories passed in the
219.Ev PATH
220environment variable
221.Po
222see
223.Xr environ 7
224.Pc .
225The environment is supplied typically by the shell.
226If the process image file is not a valid executable object file,
227.Fn execlp ,
228.Fn execvp ,
229and
230.Fn execvpe
231use the contents of that file as standard input to the shell.
232In this case, the shell becomes the new process image.
233The standard to which the caller conforms determines which shell is used.
234See
235.Xr standards 7 .
236.Pp
237The
238.Fn fexecve
239function is equivalent to
240.Fn execve ,
241except that instead of using a named file, the file referenced by the file
242descriptor
243.Fa fd
244is used.
245Note that this file descriptor must reference a regular file which has
246typically been opened with
247.Dv O_EXEC .
248defined in
249.In fcntl.h .
250The image is loaded from offset zero of the file, regardless of the offset of
251fd.
252.Pp
253The arguments represented by
254.Fa arg0 Ns No \&...
255are pointers to null-terminated character strings.
256These strings constitute the argument list available to the new process image.
257The list is terminated by a null pointer.
258The
259.Fa arg0
260argument should point to a filename that is associated with the process being
261started by one of the
262.Nm
263functions.
264.Pp
265The
266.Fa argv
267argument is an array of character pointers to null-terminated strings.
268The last member of this array must be a null pointer.
269These strings constitute the argument list available to the new process image.
270The value in
271.Fa argv[0]
272should point to a filename that is associated with the process being started by
273one of the
274.Nm
275functions.
276.Pp
277The
278.Fa envp
279argument is an array of character pointers to null-terminated strings.
280These strings constitute the environment for the new process image.
281The
282.Fa envp
283array is terminated by a null pointer.
284For
285.Fn execl ,
286.Fn execv ,
287.Fn execvp ,
288and
289.Fn execlp ,
290the C-language run-time start-off routine places a pointer to the environment
291of the calling process in the global object
292.Va extern char **environ ,
293and it is used to pass the environment of the calling process to the new
294process image.
295.Pp
296The number of bytes available for the new process's combined argument and
297environment lists is
298.Dv ARG_MAX .
299It is implementation-dependent whether null terminators, pointers, and/or any
300alignment bytes are included in this total.
301.Pp
302File descriptors open in the calling process image remain open in the new
303process image, except for those whose close-on-exec flag
304.Dv FD_CLOEXEC
305is set; see
306.Xr fcntl 2 .
307For those file descriptors that remain open, all attributes of the open file
308description, including file locks and the disposition of the close-on-fork flag
309.Dv FD_CLOFORK ,
310remain unchanged.
311.Pp
312The preferred hardware address translation size
313.Po
314see
315.Xr memcntl 2
316.Pc
317for the stack and heap of the new process image are set to the default system
318page size.
319.Pp
320Directory streams open in the calling process image are closed in the new
321process image.
322.Pp
323The state of conversion descriptors and message catalogue descriptors in the
324new process image is undefined.
325For the new process, the equivalent of:
326.Pp
327.Dl setlocale(LC_ALL, \&"C");
328.Pp
329is executed at startup.
330.Pp
331Signals set to the default action
332.Po
333.Dv SIG_DFL
334.Pc
335in the calling process image are set to the default action in the new process
336image
337.Po
338see
339.Xr signal 3C
340.Pc .
341Signals set to be ignored
342.Po
343.Dv SIG_IGN
344.Pc
345by the calling process image are set to be ignored by the new process image.
346Signals set to be caught by the calling process image are set to the default
347action in the new process image
348.Po
349see
350.Xr signal.h 3HEAD
351.Pc .
352After a successful call to any of the
353.Nm
354functions, alternate signal stacks are not preserved and the
355.Dv SA_ONSTACK
356flag is cleared for all signals.
357.Pp
358After a successful call to any of the
359.Nm
360functions, any functions previously registered by
361.Xr atexit 3C
362are no longer registered.
363.Pp
364The saved resource limits in the new process image are set to be a copy of the
365process's corresponding hard and soft resource limits.
366.Pp
367If the
368.Dv ST_NOSUID
369bit is set for the file system containing the new process image file, then the
370effective user ID and effective group ID are unchanged in the new process
371image.
372If the set-user-ID mode bit of the new process image file is set
373.Po
374see
375.Xr chmod 2
376.Pc ,
377the effective user ID of the new process image is set to the owner ID of the
378new process image file.
379Similarly, if the set-group-ID mode bit of the new process image file is set,
380the effective group ID of the new process image is set to the group ID of the
381new process image file.
382The real user ID and real group ID of the new process image remain the same as
383those of the calling process image.
384The effective user ID and effective group ID of the new process image are saved
385.Pq as the saved set-user-ID and the saved set-group-ID
386for use by
387.Xr setuid 2 .
388.Pp
389The privilege sets are changed according to the following rules:
390.Bl -enum -offset indent
391.It
392The inheritable set, I, is intersected with the limit set, L.
393This mechanism enforces the limit set for processes.
394.It
395The effective set, E, and the permitted set, P, are made equal to the new
396inheritable set.
397.El
398.Pp
399The system attempts to set the privilege-aware state to non-PA both before
400performing any modifications to the process IDs and privilege sets as well as
401after completing the transition to new UIDs and privilege sets, following the
402rules outlined in
403.Xr privileges 7 .
404.Pp
405If the
406.Brq Dv PRIV_PROC_OWNER
407privilege is asserted in the effective set, the set-user-ID and set-group-ID
408bits will be honored when the process is being controlled by
409.Xr ptrace 3C .
410Additional restrictions can apply when the traced process has an effective UID
411of 0.
412See
413.Xr privileges 7 .
414.Pp
415Any shared memory segments attached to the calling process image will not be
416attached to the new process image
417.Po
418see
419.Xr shmop 2
420.Pc .
421Any mappings established through
422.Fn mmap
423are not preserved across an
424.Nm .
425Memory mappings created in the process are unmapped before the address space is
426rebuilt for the new process image.
427See
428.Xr mmap 2 .
429.Pp
430Memory locks established by the calling process via calls to
431.Xr mlockall 3C
432or
433.Xr mlock 3C
434are removed.
435If locked pages in the address space of the calling process are also mapped
436into the address spaces the locks established by the other processes will be
437unaffected by the call by this process to the
438.Nm
439function.
440If the
441.Nm
442function fails, the effect on memory locks is unspecified.
443.Pp
444If
445.Dv _XOPEN_REALTIME
446is defined and has a value other than \-1, any named semaphores open in the
447calling process are closed as if by appropriate calls to
448.Xr sem_close 3C .
449.Pp
450Profiling is disabled for the new process; see
451.Xr profil 2 .
452.Pp
453Timers created by the calling process with
454.Xr timer_create 3C
455are deleted before replacing the current process image with the new process
456image.
457.Pp
458For the
459.Dv SCHED_FIFO
460and
461.Dv SCHED_RR
462scheduling policies, the policy and priority settings are not changed by a call
463to an
464.Nm
465function.
466.Pp
467All open message queue descriptors in the calling process are closed, as
468described in
469.Xr mq_close 3C .
470.Pp
471Any outstanding asynchronous I/O operations may be cancelled.
472Those asynchronous I/O operations that are not canceled will complete as if the
473.Nm
474function had not yet occurred, but any associated signal notifications are
475suppressed.
476It is unspecified whether the
477.Nm
478function itself blocks awaiting such I/O completion.
479In no event, however, will the new process image created by the
480.Nm
481function be affected by the presence of outstanding asynchronous I/O operations
482at the time the
483.Nm
484function is called.
485.Pp
486All active contract templates are cleared
487.Po
488see
489.Xr contract 5
490.Pc .
491.Pp
492The new process also inherits the following attributes from the calling process:
493.Bl -bullet -offset Ds
494.It
495controlling terminal
496.It
497current working directory
498.It
499file-locks
500.Po
501see
502.Xr fcntl 2
503and
504.Xr lockf 3C
505.Pc
506.It
507file mode creation mask
508.Po
509see
510.Xr umask 2
511.Pc
512.It
513file size limit
514.Po
515see
516.Xr ulimit 2
517.Pc
518.It
519limit privilege set
520.It
521nice value
522.Po
523see
524.Xr nice 2
525.Pc
526.It
527parent process ID
528.It
529pending signals
530.Po
531see
532.Xr sigpending 2
533.Pc
534.It
535privilege debugging flag
536.Po
537see
538.Xr privileges 7
539and
540.Xr getpflags 2
541.Pc
542.It
543process ID
544.It
545process contract
546.Po
547see
548.Xr contract 5
549and
550.Xr process 5
551.Pc
552.It
553process group ID
554.It
555process signal mask
556.Po
557see
558.Xr sigprocmask 2
559.Pc
560.It
561processor bindings
562.Po
563see
564.Xr processor_bind 2
565.Pc
566.It
567processor set bindings
568.Po
569see
570.Xr pset_bind 2
571.Pc
572.It
573project ID
574.It
575real group ID
576.It
577real user ID
578.It
579resource limits
580.Po
581see
582.Xr getrlimit 2
583.Pc
584.It
585root directory
586.It
587scheduler class and priority
588.Po
589see
590.Xr priocntl 2
591.Pc
592.It
593semadj values
594.Po
595see
596.Xr semop 2
597.Pc
598.It
599session membership
600.Po
601see
602.Xr exit 2
603and
604.Xr signal 3C
605.Pc
606.It
607supplementary group IDs
608.It
609task ID
610.It
611time left until an alarm clock signal
612.Po
613see
614.Xr alarm 2
615.Pc
616.It
617.Fa tms_utime ,
618.Fa tms_stime ,
619.Fa tms_cutime ,
620and
621.Fa tms_cstime
622.Po
623see
624.Xr times 2
625.Pc
626.It
627trace flag
628.Po
629see
630.Xr ptrace 3C
631request 0
632.Pc
633.El
634.Pp
635A call to any
636.Nm
637function from a process with more than one thread results in all threads being
638terminated and the new executable image being loaded and executed.
639No destructor functions will be called.
640.Pp
641Upon successful completion, each of the functions in the
642.Nm
643family marks for update the
644.Fa st_atime
645field of the file.
646If an
647.Nm
648function failed but was able to locate the process image file, whether the
649.Fa st_atime
650field is marked for update is unspecified.
651Should the function succeed, the process image file is considered to have been
652opened with
653.Xr open 2 .
654The corresponding
655.Xr close 2
656is considered to occur at a time after this open, but before process
657termination or successful completion of a subsequent call to one of the
658.Nm
659functions.
660The
661.Fa argv[]
662and
663.Fa envp[]
664arrays of pointers and the strings to which those arrays point will not be
665modified by a call to one of the
666.Nm
667functions, except as a consequence of replacing the process image.
668.Pp
669The saved resource limits in the new process image are set to be a copy of the
670process's corresponding hard and soft limits.
671.Sh RETURN VALUES
672If a function in the
673.Nm
674family returns to the calling process image, an error has occurred; the return
675value is \-1 and
676.Va errno
677is set to indicate the error.
678.Sh ERRORS
679The
680.Nm
681functions will fail if:
682.Bl -tag -width Er
683.It Er E2BIG
684The number of bytes in the new process's argument list is greater than the
685system-imposed limit of
686.Dv ARG_MAX
687bytes.
688The argument list limit is sum of the size of the argument list plus the size
689of the environment's exported shell variables.
690.It Er EACCES
691Search permission is denied for a directory listed in the new process file's
692path prefix.
693.Pp
694The new process file is not an ordinary file.
695.Pp
696The new process file mode denies execute permission.
697.Pp
698The
699.Brq Dv FILE_DAC_SEARCH
700privilege overrides the restriction on directory searches.
701.Pp
702The
703.Brq Dv FILE_DAC_EXECUTE
704privilege overrides the lack of execute permission.
705.It Er EAGAIN
706Total amount of system memory available when reading using raw I/O is
707temporarily insufficient.
708.It Er EFAULT
709An argument points to an illegal address.
710.It Er EINVAL
711The new process image file has the appropriate permission and has a recognized
712executable binary format, but the system does not support execution of a file
713with this format.
714.It Er EINTR
715A signal was caught during the execution of one of the functions in the
716.Nm
717family.
718.El
719.Pp
720The
721.Nm
722functions except for
723.Fn fexecve
724will fail if:
725.Bl -tag -width Ds
726.It Er ELOOP
727Too many symbolic links were encountered in translating
728.Fa path
729or
730.Fa file ,
731or too many nested interpreter files.
732.It Er ENAMETOOLONG
733The length of the
734.Fa file
735or
736.Fa path
737argument exceeds
738.Dv PATH_MAX ,
739or the length of a
740.Fa file
741or
742.Fa path
743component exceeds
744.Dv NAME_MAX
745while
746.Dv _POSIX_NO_TRUNC
747is in effect.
748.It Er ENOENT
749One or more components of the new process path name of the file do not exist or
750is a null pathname.
751.It Er ENOLINK
752The
753.Fa path
754argument points to a remote machine and the link to that machine is no longer
755active.
756.It Er ENOTDIR
757A component of the new process path of the file prefix is not a directory.
758.El
759.Pp
760The
761.Nm
762functions, except for
763.Fn execlp ,
764.Fn execvp ,
765and
766.Fn execvpe ,
767will fail if:
768.Bl -tag -width Ds
769.It Er ENOEXEC
770The new process image file has the appropriate access permission but is not in
771the proper format.
772.El
773.Pp
774The
775.Fn fexecve
776function will fail if:
777.Bl -tag -width Ds
778.It Er EBADF
779The
780.Fa fd
781argument is not a valid file descriptor opened for execution.
782.It Er ENOMEM
783There was insufficient memory for constructing the path corresponding to the
784file descriptor.
785.El
786.Pp
787The
788.Nm
789functions except for
790.Fn fexecve
791may fail if:
792.Bl -tag -width Ds
793.It Er ENAMETOOLONG
794Pathname resolution of a symbolic link produced an intermediate result whose
795length exceeds
796.Dv PATH_MAX .
797.El
798.Pp
799The
800.Nm
801functions may fail if:
802.Bl -tag -width Ds
803.It Er ENOMEM
804The new process image requires more memory than is allowed by the hardware or
805system-imposed by memory management constraints.
806See
807.Xr brk 2 .
808.It Er ETXTBSY
809The new process image file is a pure procedure
810.Pq shared text
811file that is currently open for writing by some process.
812.El
813.Sh USAGE
814As the state of conversion descriptors and message catalogue descriptors in the
815new process image is undefined, portable applications should not rely on their
816use and should close them prior to calling one of the
817.Nm
818functions.
819.Pp
820Applications that require other than the default POSIX locale should call
821.Xr setlocale 3C
822with the appropriate parameters to establish the locale of the new process.
823.Pp
824The
825.Fa environ
826array should not be accessed directly by the application.
827.Sh INTERFACE STABILITY
828.Sy Committed
829.Sh MT-LEVEL
830The
831.Fn execle ,
832.Fn execve
833and
834.Fn fexecve
835functions are
836.Sy Async-Signal-Safe
837.Sh SEE ALSO
838.Xr ksh 1 ,
839.Xr ps 1 ,
840.Xr sh 1 ,
841.Xr alarm 2 ,
842.Xr brk 2 ,
843.Xr chmod 2 ,
844.Xr close 2 ,
845.Xr exit 2 ,
846.Xr fcntl 2 ,
847.Xr fork 2 ,
848.Xr getpflags 2 ,
849.Xr getrlimit 2 ,
850.Xr memcntl 2 ,
851.Xr mmap 2 ,
852.Xr nice 2 ,
853.Xr open 2 ,
854.Xr priocntl 2 ,
855.Xr processor_bind 2 ,
856.Xr profil 2 ,
857.Xr pset_bind 2 ,
858.Xr semop 2 ,
859.Xr setuid 2 ,
860.Xr shmop 2 ,
861.Xr sigpending 2 ,
862.Xr sigprocmask 2 ,
863.Xr times 2 ,
864.Xr ulimit 2 ,
865.Xr umask 2 ,
866.Xr atexit 3C ,
867.Xr lockf 3C ,
868.Xr mlock 3C ,
869.Xr mlockall 3C ,
870.Xr mq_close 3C ,
871.Xr ptrace 3C ,
872.Xr sem_close 3C ,
873.Xr setlocale 3C ,
874.Xr signal 3C ,
875.Xr system 3C ,
876.Xr timer_create 3C ,
877.Xr signal.h 3HEAD ,
878.Xr a.out 5 ,
879.Xr contract 5 ,
880.Xr process 5 ,
881.Xr attributes 7 ,
882.Xr environ 7 ,
883.Xr privileges 7 ,
884.Xr standards 7
885.Sh WARNINGS
886If a program is setuid to a user ID other than the superuser, and the program
887is executed when the real user ID is super-user, then the program has some of
888the powers of a super-user as well.
889