1.\" Copyright (c) 1980, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)execve.2 8.5 (Berkeley) 6/1/94 29.\" 30.Dd January 26, 2022 31.Dt EXECVE 2 32.Os 33.Sh NAME 34.Nm execve , 35.Nm fexecve 36.Nd execute a file 37.Sh LIBRARY 38.Lb libc 39.Sh SYNOPSIS 40.In unistd.h 41.Ft int 42.Fn execve "const char *path" "char *const argv[]" "char *const envp[]" 43.Ft int 44.Fn fexecve "int fd" "char *const argv[]" "char *const envp[]" 45.Sh DESCRIPTION 46The 47.Fn execve 48system call 49transforms the calling process into a new process. 50The new process is constructed from an ordinary file, 51whose name is pointed to by 52.Fa path , 53called the 54.Em new process file . 55The 56.Fn fexecve 57system call is equivalent to 58.Fn execve 59except that the file to be executed is determined by the file 60descriptor 61.Fa fd 62instead of a 63.Fa path . 64This file is either an executable object file, 65or a file of data for an interpreter. 66An executable object file consists of an identifying header, 67followed by pages of data representing the initial program (text) 68and initialized data pages. 69Additional pages may be specified 70by the header to be initialized with zero data; see 71.Xr elf 5 72and 73.Xr a.out 5 . 74.Pp 75An interpreter file begins with a line of the form: 76.Pp 77.Bd -ragged -offset indent -compact 78.Sy \&#! 79.Em interpreter 80.Bq Em arg 81.Ed 82.Pp 83When an interpreter file is 84.Sy execve Ap d , 85the system actually 86.Sy execve Ap s 87the specified 88.Em interpreter . 89If the optional 90.Em arg 91is specified, it becomes the first argument to the 92.Em interpreter , 93and the name of the originally 94.Sy execve Ap d 95file becomes the second argument; 96otherwise, the name of the originally 97.Sy execve Ap d 98file becomes the first argument. 99The original arguments are shifted over to 100become the subsequent arguments. 101The zeroth argument is set to the specified 102.Em interpreter . 103.Pp 104The argument 105.Fa argv 106is a pointer to a null-terminated array of 107character pointers to null-terminated character strings. 108These strings construct the argument list to be made available to the new 109process. 110At least one argument must be present in 111the array; by custom, the first element should be 112the name of the executed program (for example, the last component of 113.Fa path ) . 114.Pp 115The argument 116.Fa envp 117is also a pointer to a null-terminated array of 118character pointers to null-terminated strings. 119A pointer to this array is normally stored in the global variable 120.Va environ . 121These strings pass information to the 122new process that is not directly an argument to the command (see 123.Xr environ 7 ) . 124.Pp 125File descriptors open in the calling process image remain open in 126the new process image, except for those for which the close-on-exec 127flag is set (see 128.Xr close 2 129and 130.Xr fcntl 2 ) . 131Descriptors that remain open are unaffected by 132.Fn execve . 133If any of the standard descriptors (0, 1, and/or 2) are closed at the 134time 135.Fn execve 136is called, and the process will gain privilege as a result of set-id 137semantics, those descriptors will be re-opened automatically. 138No programs, whether privileged or not, should assume that these descriptors 139will remain closed across a call to 140.Fn execve . 141.Pp 142Signals set to be ignored in the calling process are set to be ignored in 143the 144new process. 145Signals which are set to be caught in the calling process image 146are set to default action in the new process image. 147Blocked signals remain blocked regardless of changes to the signal action. 148The signal stack is reset to be undefined (see 149.Xr sigaction 2 150for more information). 151.Pp 152If the set-user-ID mode bit of the new process image file is set 153(see 154.Xr chmod 2 ) , 155the effective user ID of the new process image is set to the owner ID 156of the new process image file. 157If the set-group-ID mode bit of the new process image file is set, 158the effective group ID of the new process image is set to the group ID 159of the new process image file. 160(The effective group ID is the first element of the group list.) 161The real user ID, real group ID and 162other group IDs of the new process image remain the same as the calling 163process image. 164After any set-user-ID and set-group-ID processing, 165the effective user ID is recorded as the saved set-user-ID, 166and the effective group ID is recorded as the saved set-group-ID. 167These values may be used in changing the effective IDs later (see 168.Xr setuid 2 ) . 169.Pp 170The set-ID bits are not honored if the respective file system has the 171.Cm nosuid 172option enabled or if the new process file is an interpreter file. 173Syscall 174tracing is disabled if effective IDs are changed. 175.Pp 176The new process also inherits the following attributes from 177the calling process: 178.Pp 179.Bl -column parent_process_ID -offset indent -compact 180.It process ID Ta see Xr getpid 2 181.It parent process ID Ta see Xr getppid 2 182.It process group ID Ta see Xr getpgrp 2 183.It access groups Ta see Xr getgroups 2 184.It working directory Ta see Xr chdir 2 185.It root directory Ta see Xr chroot 2 186.It control terminal Ta see Xr termios 4 187.It resource usages Ta see Xr getrusage 2 188.It interval timers Ta see Xr getitimer 2 189.It resource limits Ta see Xr getrlimit 2 190.It file mode mask Ta see Xr umask 2 191.It signal mask Ta see Xr sigaction 2 , 192.Xr sigprocmask 2 193.El 194.Pp 195When a program is executed as a result of an 196.Fn execve 197system call, it is entered as follows: 198.Bd -literal -offset indent 199main(argc, argv, envp) 200int argc; 201char **argv, **envp; 202.Ed 203.Pp 204where 205.Fa argc 206is the number of elements in 207.Fa argv 208(the ``arg count'') 209and 210.Fa argv 211points to the array of character pointers 212to the arguments themselves. 213.Pp 214The 215.Fn fexecve 216ignores the file offset of 217.Fa fd . 218Since execute permission is checked by 219.Fn fexecve , 220the file descriptor 221.Fa fd 222need not have been opened with the 223.Dv O_EXEC 224flag. 225However, if the file to be executed denies read permission for the process 226preparing to do the exec, the only way to provide the 227.Fa fd 228to 229.Fn fexecve 230is to use the 231.Dv O_EXEC 232flag when opening 233.Fa fd . 234Note that the file to be executed can not be open for writing. 235.Sh RETURN VALUES 236As the 237.Fn execve 238system call overlays the current process image 239with a new process image the successful call 240has no process to return to. 241If 242.Fn execve 243does return to the calling process an error has occurred; the 244return value will be -1 and the global variable 245.Va errno 246is set to indicate the error. 247.Sh ERRORS 248The 249.Fn execve 250system call 251will fail and return to the calling process if: 252.Bl -tag -width Er 253.It Bq Er ENOTDIR 254A component of the path prefix is not a directory. 255.It Bq Er ENAMETOOLONG 256A component of a pathname exceeded 255 characters, 257or an entire path name exceeded 1023 characters. 258.It Bq Er ENOEXEC 259When invoking an interpreted script, the length of the first line, 260inclusive of the 261.Sy \&#! 262prefix and terminating newline, exceeds 263.Dv MAXSHELLCMDLEN 264characters. 265.It Bq Er ENOENT 266The new process file does not exist. 267.It Bq Er ELOOP 268Too many symbolic links were encountered in translating the pathname. 269.It Bq Er EACCES 270Search permission is denied for a component of the path prefix. 271.It Bq Er EACCES 272The new process file is not an ordinary file. 273.It Bq Er EACCES 274The new process file mode denies execute permission. 275.It Bq Er EINVAL 276.Fa argv 277did not contain at least one element. 278.It Bq Er ENOEXEC 279The new process file has the appropriate access 280permission, but has an invalid magic number in its header. 281.It Bq Er ETXTBSY 282The new process file is a pure procedure (shared text) 283file that is currently open for writing by some process. 284.It Bq Er ENOMEM 285The new process requires more virtual memory than 286is allowed by the imposed maximum 287.Pq Xr getrlimit 2 . 288.It Bq Er E2BIG 289The number of bytes in the new process' argument list 290is larger than the system-imposed limit. 291This limit is specified by the 292.Xr sysctl 3 293MIB variable 294.Dv KERN_ARGMAX . 295.It Bq Er EFAULT 296The new process file is not as long as indicated by 297the size values in its header. 298.It Bq Er EFAULT 299The 300.Fa path , 301.Fa argv , 302or 303.Fa envp 304arguments 305point 306to an illegal address. 307.It Bq Er EIO 308An I/O error occurred while reading from the file system. 309.It Bq Er EINTEGRITY 310Corrupted data was detected while reading from the file system. 311.El 312.Pp 313In addition, the 314.Fn fexecve 315will fail and return to the calling process if: 316.Bl -tag -width Er 317.It Bq Er EBADF 318The 319.Fa fd 320argument is not a valid file descriptor open for executing. 321.El 322.Sh SEE ALSO 323.Xr ktrace 1 , 324.Xr _exit 2 , 325.Xr fork 2 , 326.Xr open 2 , 327.Xr execl 3 , 328.Xr exit 3 , 329.Xr sysctl 3 , 330.Xr a.out 5 , 331.Xr elf 5 , 332.Xr fdescfs 5 , 333.Xr environ 7 , 334.Xr mount 8 335.Sh STANDARDS 336The 337.Fn execve 338system call conforms to 339.St -p1003.1-2001 , 340with the exception of reopening descriptors 0, 1, and/or 2 in certain 341circumstances. 342A future update of the Standard is expected to require this behavior, 343and it may become the default for non-privileged processes as well. 344.\" NB: update this caveat when TC1 is blessed. 345The support for executing interpreted programs is an extension. 346The 347.Fn fexecve 348system call conforms to The Open Group Extended API Set 2 specification. 349.Sh HISTORY 350The 351.Fn execve 352system call appeared in 353.At v7 . 354The 355.Fn fexecve 356system call appeared in 357.Fx 8.0 . 358.Sh CAVEATS 359If a program is 360.Em setuid 361to a non-super-user, but is executed when 362the real 363.Em uid 364is ``root'', then the program has some of the powers 365of a super-user as well. 366.Pp 367When executing an interpreted program through 368.Fn fexecve , 369kernel supplies 370.Pa /dev/fd/n 371as a second argument to the interpreter, 372where 373.Ar n 374is the file descriptor passed in the 375.Fa fd 376argument to 377.Fn fexecve . 378For this construction to work correctly, the 379.Xr fdescfs 5 380filesystem shall be mounted on 381.Pa /dev/fd . 382