1.\" Copyright (c) 1980, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 4. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)execve.2 8.5 (Berkeley) 6/1/94 29.\" $FreeBSD$ 30.\" 31.Dd April 10, 2008 32.Dt EXECVE 2 33.Os 34.Sh NAME 35.Nm execve , 36.Nm fexecve 37.Nd execute a file 38.Sh LIBRARY 39.Lb libc 40.Sh SYNOPSIS 41.In unistd.h 42.Ft int 43.Fn execve "const char *path" "char *const argv[]" "char *const envp[]" 44.Ft int 45.Fn fexecve "int fd" "char *const argv[]" "char *const envp[]" 46.Sh DESCRIPTION 47The 48.Fn execve 49system call 50transforms the calling process into a new process. 51The new process is constructed from an ordinary file, 52whose name is pointed to by 53.Fa path , 54called the 55.Em new process file . 56The 57.Fn fexecve 58system call is equivalent to 59.Fn execve 60except that the file to be executed is determined by the file 61descriptor 62.Fa fd 63instead of a 64.Fa path . 65This file is either an executable object file, 66or a file of data for an interpreter. 67An executable object file consists of an identifying header, 68followed by pages of data representing the initial program (text) 69and initialized data pages. 70Additional pages may be specified 71by the header to be initialized with zero data; see 72.Xr elf 5 73and 74.Xr a.out 5 . 75.Pp 76An interpreter file begins with a line of the form: 77.Pp 78.Bd -ragged -offset indent -compact 79.Sy \&#! 80.Em interpreter 81.Bq Em arg 82.Ed 83.Pp 84When an interpreter file is 85.Sy execve Ap d , 86the system actually 87.Sy execve Ap s 88the specified 89.Em interpreter . 90If the optional 91.Em arg 92is specified, it becomes the first argument to the 93.Em interpreter , 94and the name of the originally 95.Sy execve Ap d 96file becomes the second argument; 97otherwise, the name of the originally 98.Sy execve Ap d 99file becomes the first argument. 100The original arguments are shifted over to 101become the subsequent arguments. 102The zeroth argument is set to the specified 103.Em interpreter . 104.Pp 105The argument 106.Fa argv 107is a pointer to a null-terminated array of 108character pointers to null-terminated character strings. 109These strings construct the argument list to be made available to the new 110process. 111At least one argument must be present in 112the array; by custom, the first element should be 113the name of the executed program (for example, the last component of 114.Fa path ) . 115.Pp 116The argument 117.Fa envp 118is also a pointer to a null-terminated array of 119character pointers to null-terminated strings. 120A pointer to this array is normally stored in the global variable 121.Va environ . 122These strings pass information to the 123new process that is not directly an argument to the command (see 124.Xr environ 7 ) . 125.Pp 126File descriptors open in the calling process image remain open in 127the new process image, except for those for which the close-on-exec 128flag is set (see 129.Xr close 2 130and 131.Xr fcntl 2 ) . 132Descriptors that remain open are unaffected by 133.Fn execve . 134If any of the standard descriptors (0, 1, and/or 2) are closed at the 135time 136.Fn execve 137is called, and the process will gain privilege as a result of set-id 138semantics, those descriptors will be re-opened automatically. 139No programs, whether privileged or not, should assume that these descriptors 140will remain closed across a call to 141.Fn execve . 142.Pp 143Signals set to be ignored in the calling process are set to be ignored in 144the 145new process. 146Signals which are set to be caught in the calling process image 147are set to default action in the new process image. 148Blocked signals remain blocked regardless of changes to the signal action. 149The signal stack is reset to be undefined (see 150.Xr sigaction 2 151for more information). 152.Pp 153If the set-user-ID mode bit of the new process image file is set 154(see 155.Xr chmod 2 ) , 156the effective user ID of the new process image is set to the owner ID 157of the new process image file. 158If the set-group-ID mode bit of the new process image file is set, 159the effective group ID of the new process image is set to the group ID 160of the new process image file. 161(The effective group ID is the first element of the group list.) 162The real user ID, real group ID and 163other group IDs of the new process image remain the same as the calling 164process image. 165After any set-user-ID and set-group-ID processing, 166the effective user ID is recorded as the saved set-user-ID, 167and the effective group ID is recorded as the saved set-group-ID. 168These values may be used in changing the effective IDs later (see 169.Xr setuid 2 ) . 170.Pp 171The set-ID bits are not honored if the respective file system has the 172.Cm nosuid 173option enabled or if the new process file is an interpreter file. 174Syscall 175tracing is disabled if effective IDs are changed. 176.Pp 177The new process also inherits the following attributes from 178the calling process: 179.Pp 180.Bl -column parent_process_ID -offset indent -compact 181.It process ID Ta see Xr getpid 2 182.It parent process ID Ta see Xr getppid 2 183.It process group ID Ta see Xr getpgrp 2 184.It access groups Ta see Xr getgroups 2 185.It working directory Ta see Xr chdir 2 186.It root directory Ta see Xr chroot 2 187.It control terminal Ta see Xr termios 4 188.It resource usages Ta see Xr getrusage 2 189.It interval timers Ta see Xr getitimer 2 190.It resource limits Ta see Xr getrlimit 2 191.It file mode mask Ta see Xr umask 2 192.It signal mask Ta see Xr sigvec 2 , 193.Xr sigsetmask 2 194.El 195.Pp 196When a program is executed as a result of an 197.Fn execve 198system call, it is entered as follows: 199.Bd -literal -offset indent 200main(argc, argv, envp) 201int argc; 202char **argv, **envp; 203.Ed 204.Pp 205where 206.Fa argc 207is the number of elements in 208.Fa argv 209(the ``arg count'') 210and 211.Fa argv 212points to the array of character pointers 213to the arguments themselves. 214.Pp 215The 216.Fn fexecve 217ignores the file offset of 218.Fa fd . 219Since execute permission is checked by 220.Fn fexecve , 221the file descriptor 222.Fa fd 223need not have been 224opened with the 225.Dv O_EXEC 226flag. 227However, if the file to be executed denies read and write 228permission for the process preparing to do the exec, the only way to 229provide the 230.Fa fd 231to 232.Fn fexecve 233is to use the 234.Dv O_EXEC 235flag when opening 236.Fa fd . 237.Sh RETURN VALUES 238As the 239.Fn execve 240system call overlays the current process image 241with a new process image the successful call 242has no process to return to. 243If 244.Fn execve 245does return to the calling process an error has occurred; the 246return value will be -1 and the global variable 247.Va errno 248is set to indicate the error. 249.Sh ERRORS 250The 251.Fn execve 252system call 253will fail and return to the calling process if: 254.Bl -tag -width Er 255.It Bq Er ENOTDIR 256A component of the path prefix is not a directory. 257.It Bq Er ENAMETOOLONG 258A component of a pathname exceeded 255 characters, 259or an entire path name exceeded 1023 characters. 260.It Bq Er ENAMETOOLONG 261When invoking an interpreted script, the interpreter name 262exceeds 263.Dv MAXSHELLCMDLEN 264characters. 265.It Bq Er ENOENT 266The new process file does not exist. 267.It Bq Er ELOOP 268Too many symbolic links were encountered in translating the pathname. 269.It Bq Er EACCES 270Search permission is denied for a component of the path prefix. 271.It Bq Er EACCES 272The new process file is not an ordinary file. 273.It Bq Er EACCES 274The new process file mode denies execute permission. 275.It Bq Er ENOEXEC 276The new process file has the appropriate access 277permission, but has an invalid magic number in its header. 278.It Bq Er ETXTBSY 279The new process file is a pure procedure (shared text) 280file that is currently open for writing or reading by some process. 281.It Bq Er ENOMEM 282The new process requires more virtual memory than 283is allowed by the imposed maximum 284.Pq Xr getrlimit 2 . 285.It Bq Er E2BIG 286The number of bytes in the new process' argument list 287is larger than the system-imposed limit. 288This limit is specified by the 289.Xr sysctl 3 290MIB variable 291.Dv KERN_ARGMAX . 292.It Bq Er EFAULT 293The new process file is not as long as indicated by 294the size values in its header. 295.It Bq Er EFAULT 296The 297.Fa path , 298.Fa argv , 299or 300.Fa envp 301arguments 302point 303to an illegal address. 304.It Bq Er EIO 305An I/O error occurred while reading from the file system. 306.El 307.Pp 308In addition, the 309.Fn fexecve 310will fail and return to the calling process if: 311.Bl -tag -width Er 312.It Bq Er EBADF 313The 314.Fa fd 315argument is not a valid file descriptor open for executing. 316.El 317.Sh CAVEAT 318If a program is 319.Em setuid 320to a non-super-user, but is executed when 321the real 322.Em uid 323is ``root'', then the program has some of the powers 324of a super-user as well. 325.Sh SEE ALSO 326.Xr ktrace 1 , 327.Xr _exit 2 , 328.Xr fork 2 , 329.Xr open 2 , 330.Xr execl 3 , 331.Xr exit 3 , 332.Xr sysctl 3 , 333.Xr a.out 5 , 334.Xr elf 5 , 335.Xr environ 7 , 336.Xr mount 8 337.Sh STANDARDS 338The 339.Fn execve 340system call conforms to 341.St -p1003.1-2001 , 342with the exception of reopening descriptors 0, 1, and/or 2 in certain 343circumstances. 344A future update of the Standard is expected to require this behavior, 345and it may become the default for non-privileged processes as well. 346.\" NB: update this caveat when TC1 is blessed. 347The support for executing interpreted programs is an extension. 348The 349.Fn fexecve 350system call conforms to The Open Group Extended API Set 2 specification. 351.Sh HISTORY 352The 353.Fn execve 354system call appeared in 355.Bx 4.2 . 356The 357.Fn fexecve 358system call appeared in 359.Fx 8.0 . 360