1.\" Copyright (c) 1980, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)open.2 8.2 (Berkeley) 11/16/93 29.\" $FreeBSD$ 30.\" 31.Dd March 30, 2020 32.Dt OPEN 2 33.Os 34.Sh NAME 35.Nm open , openat 36.Nd open or create a file for reading, writing or executing 37.Sh LIBRARY 38.Lb libc 39.Sh SYNOPSIS 40.In fcntl.h 41.Ft int 42.Fn open "const char *path" "int flags" "..." 43.Ft int 44.Fn openat "int fd" "const char *path" "int flags" "..." 45.Sh DESCRIPTION 46The file name specified by 47.Fa path 48is opened 49for either execution or reading and/or writing as specified by the 50argument 51.Fa flags 52and the file descriptor returned to the calling process. 53The 54.Fa flags 55argument may indicate the file is to be 56created if it does not exist (by specifying the 57.Dv O_CREAT 58flag). 59In this case 60.Fn open 61and 62.Fn openat 63require an additional argument 64.Fa "mode_t mode" , 65and the file is created with mode 66.Fa mode 67as described in 68.Xr chmod 2 69and modified by the process' umask value (see 70.Xr umask 2 ) . 71.Pp 72The 73.Fn openat 74function is equivalent to the 75.Fn open 76function except in the case where the 77.Fa path 78specifies a relative path, or the 79.Dv O_BENEATH 80flag is provided. 81For 82.Fn openat 83and relative 84.Fa path , 85the file to be opened is determined relative to the directory 86associated with the file descriptor 87.Fa fd 88instead of the current working directory. 89The 90.Fa flag 91parameter and the optional fourth parameter correspond exactly to 92the parameters of 93.Fn open . 94If 95.Fn openat 96is passed the special value 97.Dv AT_FDCWD 98in the 99.Fa fd 100parameter, the current working directory is used 101and the behavior is identical to a call to 102.Fn open . 103.Pp 104When 105.Fn openat 106is called with an absolute 107.Fa path 108without the 109.Dv O_BENEATH 110flag, it ignores the 111.Fa fd 112argument. 113When 114.Dv O_BENEATH 115is specified with an absolute 116.Fa path , 117a directory passed by the 118.Fa fd 119argument is used as the topping point for the resolution. 120See the definition of the 121.Dv O_BENEATH 122flag below. 123.Pp 124In 125.Xr capsicum 4 126capability mode, 127.Fn open 128is not permitted. 129The 130.Fa path 131argument to 132.Fn openat 133must be strictly relative to a file descriptor 134.Fa fd , 135as defined in 136.Pa sys/kern/vfs_lookup.c . 137.Fa path 138must not be an absolute path and must not contain ".." components 139which cause the path resolution to escape the directory hierarchy 140starting at 141.Fa fd . 142Additionally, no symbolic link in 143.Fa path 144may target absolute path or contain escaping ".." components. 145.Fa fd 146must not be 147.Dv AT_FDCWD . 148.Pp 149If the 150.Dv vfs.lookup_cap_dotdot 151.Xr sysctl 3 152MIB is set to zero, ".." components in the paths, 153used in capability mode, or with the 154.Dv O_BENEATH 155flag, are completely disabled. 156If the 157.Dv vfs.lookup_cap_dotdot_nonlocal 158MIB is set to zero, ".." is not allowed if found on non-local filesystem. 159.Pp 160The flags specified are formed by 161.Em or Ns 'ing 162the following values 163.Pp 164.Bd -literal -offset indent -compact 165O_RDONLY open for reading only 166O_WRONLY open for writing only 167O_RDWR open for reading and writing 168O_EXEC open for execute only 169O_SEARCH open for search only, an alias for O_EXEC 170O_NONBLOCK do not block on open 171O_APPEND append on each write 172O_CREAT create file if it does not exist 173O_TRUNC truncate size to 0 174O_EXCL error if create and file exists 175O_SHLOCK atomically obtain a shared lock 176O_EXLOCK atomically obtain an exclusive lock 177O_DIRECT eliminate or reduce cache effects 178O_FSYNC synchronous writes 179O_SYNC synchronous writes 180O_NOFOLLOW do not follow symlinks 181O_NOCTTY ignored 182O_TTY_INIT ignored 183O_DIRECTORY error if file is not a directory 184O_CLOEXEC set FD_CLOEXEC upon open 185O_VERIFY verify the contents of the file 186O_BENEATH require path to be strictly relative to topping directory 187.Ed 188.Pp 189Opening a file with 190.Dv O_APPEND 191set causes each write on the file 192to be appended to the end. 193If 194.Dv O_TRUNC 195is specified and the 196file exists, the file is truncated to zero length. 197If 198.Dv O_EXCL 199is set with 200.Dv O_CREAT 201and the file already 202exists, 203.Fn open 204returns an error. 205This may be used to 206implement a simple exclusive access locking mechanism. 207If 208.Dv O_EXCL 209is set and the last component of the pathname is 210a symbolic link, 211.Fn open 212will fail even if the symbolic 213link points to a non-existent name. 214If the 215.Dv O_NONBLOCK 216flag is specified and the 217.Fn open 218system call would result 219in the process being blocked for some reason (e.g., waiting for 220carrier on a dialup line), 221.Fn open 222returns immediately. 223The descriptor remains in non-blocking mode for subsequent operations. 224.Pp 225If 226.Dv O_FSYNC 227is used in the mask, all writes will 228immediately and synchronously be written to disk. 229.Pp 230.Dv O_SYNC 231is a synonym for 232.Dv O_FSYNC 233required by 234.Tn POSIX . 235.Pp 236If 237.Dv O_NOFOLLOW 238is used in the mask and the target file passed to 239.Fn open 240is a symbolic link then the 241.Fn open 242will fail. 243.Pp 244When opening a file, a lock with 245.Xr flock 2 246semantics can be obtained by setting 247.Dv O_SHLOCK 248for a shared lock, or 249.Dv O_EXLOCK 250for an exclusive lock. 251If creating a file with 252.Dv O_CREAT , 253the request for the lock will never fail 254(provided that the underlying file system supports locking). 255.Pp 256.Dv O_DIRECT 257may be used to minimize or eliminate the cache effects of reading and writing. 258The system will attempt to avoid caching the data you read or write. 259If it cannot avoid caching the data, 260it will minimize the impact the data has on the cache. 261Use of this flag can drastically reduce performance if not used with care. 262.Pp 263.Dv O_NOCTTY 264may be used to ensure the OS does not assign this file as the 265controlling terminal when it opens a tty device. 266This is the default on 267.Fx , 268but is present for 269.Tn POSIX 270compatibility. 271The 272.Fn open 273system call will not assign controlling terminals on 274.Fx . 275.Pp 276.Dv O_TTY_INIT 277may be used to ensure the OS restores the terminal attributes when 278initially opening a TTY. 279This is the default on 280.Fx , 281but is present for 282.Tn POSIX 283compatibility. 284The initial call to 285.Fn open 286on a TTY will always restore default terminal attributes on 287.Fx . 288.Pp 289.Dv O_DIRECTORY 290may be used to ensure the resulting file descriptor refers to a 291directory. 292This flag can be used to prevent applications with elevated privileges 293from opening files which are even unsafe to open with 294.Dv O_RDONLY , 295such as device nodes. 296.Pp 297.Dv O_CLOEXEC 298may be used to set 299.Dv FD_CLOEXEC 300flag for the newly returned file descriptor. 301.Pp 302.Dv O_VERIFY 303may be used to indicate to the kernel that the contents of the file should 304be verified before allowing the open to proceed. 305The details of what 306.Dq verified 307means is implementation specific. 308The run-time linker (rtld) uses this flag to ensure shared objects have 309been verified before operating on them. 310.Pp 311.Dv O_BENEATH 312returns 313.Er ENOTCAPABLE 314if the specified relative path, after resolving all symlinks and ".." 315references, does not reside in the directory hierarchy of 316children beneath the topping directory. 317Topping directory is the process current directory if relative 318.Fa path 319is used for 320.Fn open , 321and the directory referenced by the 322.Fa fd 323argument when using 324.Fn openat . 325If the specified path is absolute, 326.Dv O_BENEATH 327allows arbitrary prefix that ends up at the topping directory, 328after which all further resolved components must be under it. 329.Pp 330When 331.Fa fd 332is opened with 333.Dv O_SEARCH , 334execute permissions are checked at open time. 335The 336.Fa fd 337may not be used for any read operations like 338.Xr getdirentries 2 . 339The primary use for this descriptor will be as the lookup descriptor for the 340.Fn *at 341family of functions. 342.Pp 343If successful, 344.Fn open 345returns a non-negative integer, termed a file descriptor. 346It returns \-1 on failure. 347The file pointer used to mark the current position within the 348file is set to the beginning of the file. 349.Pp 350If a sleeping open of a device node from 351.Xr devfs 5 352is interrupted by a signal, the call always fails with 353.Er EINTR , 354even if the 355.Dv SA_RESTART 356flag is set for the signal. 357A sleeping open of a fifo (see 358.Xr mkfifo 2 ) 359is restarted as normal. 360.Pp 361When a new file is created it is given the group of the directory 362which contains it. 363.Pp 364Unless 365.Dv O_CLOEXEC 366flag was specified, 367the new descriptor is set to remain open across 368.Xr execve 2 369system calls; see 370.Xr close 2 , 371.Xr fcntl 2 372and 373.Dv O_CLOEXEC 374description. 375.Pp 376The system imposes a limit on the number of file descriptors 377open simultaneously by one process. 378The 379.Xr getdtablesize 2 380system call returns the current system limit. 381.Sh RETURN VALUES 382If successful, 383.Fn open 384and 385.Fn openat 386return a non-negative integer, termed a file descriptor. 387They return \-1 on failure, and set 388.Va errno 389to indicate the error. 390.Sh ERRORS 391The named file is opened unless: 392.Bl -tag -width Er 393.It Bq Er ENOTDIR 394A component of the path prefix is not a directory. 395.It Bq Er ENAMETOOLONG 396A component of a pathname exceeded 255 characters, 397or an entire path name exceeded 1023 characters. 398.It Bq Er ENOENT 399.Dv O_CREAT 400is not set and the named file does not exist. 401.It Bq Er ENOENT 402A component of the path name that must exist does not exist. 403.It Bq Er EACCES 404Search permission is denied for a component of the path prefix. 405.It Bq Er EACCES 406The required permissions (for reading and/or writing) 407are denied for the given flags. 408.It Bq Er EACCES 409.Dv O_TRUNC 410is specified and write permission is denied. 411.It Bq Er EACCES 412.Dv O_CREAT 413is specified, 414the file does not exist, 415and the directory in which it is to be created 416does not permit writing. 417.It Bq Er EPERM 418.Dv O_CREAT 419is specified, the file does not exist, and the directory in which it is to be 420created has its immutable flag set, see the 421.Xr chflags 2 422manual page for more information. 423.It Bq Er EPERM 424The named file has its immutable flag set and the file is to be modified. 425.It Bq Er EPERM 426The named file has its append-only flag set, the file is to be modified, and 427.Dv O_TRUNC 428is specified or 429.Dv O_APPEND 430is not specified. 431.It Bq Er ELOOP 432Too many symbolic links were encountered in translating the pathname. 433.It Bq Er EISDIR 434The named file is a directory, and the arguments specify 435it is to be modified. 436.It Bq Er EISDIR 437The named file is a directory, and the flags specified 438.Dv O_CREAT 439without 440.Dv O_DIRECTORY . 441.It Bq Er EROFS 442The named file resides on a read-only file system, 443and the file is to be modified. 444.It Bq Er EROFS 445.Dv O_CREAT 446is specified and the named file would reside on a read-only file system. 447.It Bq Er EMFILE 448The process has already reached its limit for open file descriptors. 449.It Bq Er ENFILE 450The system file table is full. 451.It Bq Er EMLINK 452.Dv O_NOFOLLOW 453was specified and the target is a symbolic link. 454.It Bq Er ENXIO 455The named file is a character special or block 456special file, and the device associated with this special file 457does not exist. 458.It Bq Er ENXIO 459.Dv O_NONBLOCK 460is set, the named file is a fifo, 461.Dv O_WRONLY 462is set, and no process has the file open for reading. 463.It Bq Er EINTR 464The 465.Fn open 466operation was interrupted by a signal. 467.It Bq Er EOPNOTSUPP 468.Dv O_SHLOCK 469or 470.Dv O_EXLOCK 471is specified but the underlying file system does not support locking. 472.It Bq Er EOPNOTSUPP 473The named file is a special file mounted through a file system that 474does not support access to it (e.g.\& NFS). 475.It Bq Er EWOULDBLOCK 476.Dv O_NONBLOCK 477and one of 478.Dv O_SHLOCK 479or 480.Dv O_EXLOCK 481is specified and the file is locked. 482.It Bq Er ENOSPC 483.Dv O_CREAT 484is specified, 485the file does not exist, 486and the directory in which the entry for the new file is being placed 487cannot be extended because there is no space left on the file 488system containing the directory. 489.It Bq Er ENOSPC 490.Dv O_CREAT 491is specified, 492the file does not exist, 493and there are no free inodes on the file system on which the 494file is being created. 495.It Bq Er EDQUOT 496.Dv O_CREAT 497is specified, 498the file does not exist, 499and the directory in which the entry for the new file 500is being placed cannot be extended because the 501user's quota of disk blocks on the file system 502containing the directory has been exhausted. 503.It Bq Er EDQUOT 504.Dv O_CREAT 505is specified, 506the file does not exist, 507and the user's quota of inodes on the file system on 508which the file is being created has been exhausted. 509.It Bq Er EIO 510An I/O error occurred while making the directory entry or 511allocating the inode for 512.Dv O_CREAT . 513.It Bq Er EINTEGRITY 514Corrupted data was detected while reading from the file system. 515.It Bq Er ETXTBSY 516The file is a pure procedure (shared text) file that is being 517executed and the 518.Fn open 519system call requests write access. 520.It Bq Er EFAULT 521The 522.Fa path 523argument 524points outside the process's allocated address space. 525.It Bq Er EEXIST 526.Dv O_CREAT 527and 528.Dv O_EXCL 529were specified and the file exists. 530.It Bq Er EOPNOTSUPP 531An attempt was made to open a socket (not currently implemented). 532.It Bq Er EINVAL 533An attempt was made to open a descriptor with an illegal combination 534of 535.Dv O_RDONLY , 536.Dv O_WRONLY , 537or 538.Dv O_RDWR , 539and 540.Dv O_EXEC 541or 542.Dv O_SEARCH . 543.It Bq Er EBADF 544The 545.Fa path 546argument does not specify an absolute path and the 547.Fa fd 548argument is 549neither 550.Dv AT_FDCWD 551nor a valid file descriptor open for searching. 552.It Bq Er ENOTDIR 553The 554.Fa path 555argument is not an absolute path and 556.Fa fd 557is neither 558.Dv AT_FDCWD 559nor a file descriptor associated with a directory. 560.It Bq Er ENOTDIR 561.Dv O_DIRECTORY 562is specified and the file is not a directory. 563.It Bq Er ECAPMODE 564.Dv AT_FDCWD 565is specified and the process is in capability mode. 566.It Bq Er ECAPMODE 567.Fn open 568was called and the process is in capability mode. 569.It Bq Er ENOTCAPABLE 570.Fa path 571is an absolute path, 572or contained a ".." component leading to a 573directory outside of the directory hierarchy specified by 574.Fa fd , 575and the process is in capability mode. 576.It Bq Er ENOTCAPABLE 577The 578.Dv O_BENEATH 579flag was provided, and the absolute 580.Fa path 581does not have its tail fully contained under the topping directory, 582or the relative 583.Fa path 584escapes it. 585.El 586.Sh SEE ALSO 587.Xr chmod 2 , 588.Xr close 2 , 589.Xr dup 2 , 590.Xr fexecve 2 , 591.Xr fhopen 2 , 592.Xr getdtablesize 2 , 593.Xr getfh 2 , 594.Xr lgetfh 2 , 595.Xr lseek 2 , 596.Xr read 2 , 597.Xr umask 2 , 598.Xr write 2 , 599.Xr fopen 3 , 600.Xr capsicum 4 601.Sh STANDARDS 602These functions are specified by 603.St -p1003.1-2008 . 604.Fx 605sets 606.Va errno 607to 608.Er EMLINK instead of 609.Er ELOOP 610as specified by 611.Tn POSIX 612when 613.Dv O_NOFOLLOW 614is set in flags and the final component of pathname is a symbolic link 615to distinguish it from the case of too many symbolic link traversals 616in one of its non-final components. 617.Sh HISTORY 618The 619.Fn open 620function appeared in 621.At v1 . 622The 623.Fn openat 624function was introduced in 625.Fx 8.0 . 626.Sh BUGS 627The Open Group Extended API Set 2 specification requires that the test 628for whether 629.Fa fd 630is searchable is based on whether 631.Fa fd 632is open for searching, not whether the underlying directory currently 633permits searches. 634The present implementation of the 635.Fa openat 636checks the current permissions of directory instead. 637.Pp 638The 639.Fa mode 640argument is variadic and may result in different calling conventions 641than might otherwise be expected. 642