1.\" Copyright (c) 1980, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)open.2 8.2 (Berkeley) 11/16/93 29.\" $FreeBSD$ 30.\" 31.Dd March 18, 2021 32.Dt OPEN 2 33.Os 34.Sh NAME 35.Nm open , openat 36.Nd open or create a file for reading, writing or executing 37.Sh LIBRARY 38.Lb libc 39.Sh SYNOPSIS 40.In fcntl.h 41.Ft int 42.Fn open "const char *path" "int flags" "..." 43.Ft int 44.Fn openat "int fd" "const char *path" "int flags" "..." 45.Sh DESCRIPTION 46The file name specified by 47.Fa path 48is opened 49for either execution or reading and/or writing as specified by the 50argument 51.Fa flags 52and the file descriptor returned to the calling process. 53The 54.Fa flags 55argument may indicate the file is to be 56created if it does not exist (by specifying the 57.Dv O_CREAT 58flag). 59In this case 60.Fn open 61and 62.Fn openat 63require an additional argument 64.Fa "mode_t mode" , 65and the file is created with mode 66.Fa mode 67as described in 68.Xr chmod 2 69and modified by the process' umask value (see 70.Xr umask 2 ) . 71.Pp 72The 73.Fn openat 74function is equivalent to the 75.Fn open 76function except in the case where the 77.Fa path 78specifies a relative path. 79For 80.Fn openat 81and relative 82.Fa path , 83the file to be opened is determined relative to the directory 84associated with the file descriptor 85.Fa fd 86instead of the current working directory. 87The 88.Fa flag 89parameter and the optional fourth parameter correspond exactly to 90the parameters of 91.Fn open . 92If 93.Fn openat 94is passed the special value 95.Dv AT_FDCWD 96in the 97.Fa fd 98parameter, the current working directory is used 99and the behavior is identical to a call to 100.Fn open . 101.Pp 102When 103.Fn openat 104is called with an absolute 105.Fa path , 106it ignores the 107.Fa fd 108argument. 109.Pp 110In 111.Xr capsicum 4 112capability mode, 113.Fn open 114is not permitted. 115The 116.Fa path 117argument to 118.Fn openat 119must be strictly relative to a file descriptor 120.Fa fd . 121.Fa path 122must not be an absolute path and must not contain ".." components 123which cause the path resolution to escape the directory hierarchy 124starting at 125.Fa fd . 126Additionally, no symbolic link in 127.Fa path 128may target absolute path or contain escaping ".." components. 129.Fa fd 130must not be 131.Dv AT_FDCWD . 132.Pp 133If the 134.Dv vfs.lookup_cap_dotdot 135.Xr sysctl 3 136MIB is set to zero, ".." components in the paths, 137used in capability mode, 138are completely disabled. 139If the 140.Dv vfs.lookup_cap_dotdot_nonlocal 141MIB is set to zero, ".." is not allowed if found on non-local filesystem. 142.Pp 143The flags specified are formed by 144.Em or Ns 'ing 145the following values 146.Pp 147.Bd -literal -offset indent -compact 148O_RDONLY open for reading only 149O_WRONLY open for writing only 150O_RDWR open for reading and writing 151O_EXEC open for execute only 152O_SEARCH open for search only, an alias for O_EXEC 153O_NONBLOCK do not block on open 154O_APPEND append on each write 155O_CREAT create file if it does not exist 156O_TRUNC truncate size to 0 157O_EXCL error if create and file exists 158O_SHLOCK atomically obtain a shared lock 159O_EXLOCK atomically obtain an exclusive lock 160O_DIRECT eliminate or reduce cache effects 161O_FSYNC synchronous writes (historical synonym for O_SYNC) 162O_SYNC synchronous writes 163O_DSYNC synchronous data writes 164O_NOFOLLOW do not follow symlinks 165O_NOCTTY ignored 166O_TTY_INIT ignored 167O_DIRECTORY error if file is not a directory 168O_CLOEXEC set FD_CLOEXEC upon open 169O_VERIFY verify the contents of the file 170O_RESOLVE_BENEATH path resolution must not cross the fd directory 171O_PATH record only the target path in the opened descriptor 172.Ed 173.Pp 174Opening a file with 175.Dv O_APPEND 176set causes each write on the file 177to be appended to the end. 178If 179.Dv O_TRUNC 180is specified and the 181file exists, the file is truncated to zero length. 182If 183.Dv O_EXCL 184is set with 185.Dv O_CREAT 186and the file already 187exists, 188.Fn open 189returns an error. 190This may be used to 191implement a simple exclusive access locking mechanism. 192If 193.Dv O_EXCL 194is set and the last component of the pathname is 195a symbolic link, 196.Fn open 197will fail even if the symbolic 198link points to a non-existent name. 199If the 200.Dv O_NONBLOCK 201flag is specified and the 202.Fn open 203system call would result 204in the process being blocked for some reason (e.g., waiting for 205carrier on a dialup line), 206.Fn open 207returns immediately. 208The descriptor remains in non-blocking mode for subsequent operations. 209.Pp 210If 211.Dv O_SYNC 212is used in the mask, all writes will 213immediately and synchronously be written to disk. 214.Dv O_FSYNC 215is an historical synonym for 216.Dv O_SYNC . 217.Pp 218If 219.Dv O_DSYNC 220is used in the mask, all data and metadata required to read the data will be 221synchronously written to disk, but changes to metadata such as file access and 222modification timestamps may be written later. 223.Pp 224If 225.Dv O_NOFOLLOW 226is used in the mask and the target file passed to 227.Fn open 228is a symbolic link then the 229.Fn open 230will fail. 231.Pp 232When opening a file, a lock with 233.Xr flock 2 234semantics can be obtained by setting 235.Dv O_SHLOCK 236for a shared lock, or 237.Dv O_EXLOCK 238for an exclusive lock. 239If creating a file with 240.Dv O_CREAT , 241the request for the lock will never fail 242(provided that the underlying file system supports locking). 243.Pp 244.Dv O_DIRECT 245may be used to minimize or eliminate the cache effects of reading and writing. 246The system will attempt to avoid caching the data you read or write. 247If it cannot avoid caching the data, 248it will minimize the impact the data has on the cache. 249Use of this flag can drastically reduce performance if not used with care. 250.Pp 251.Dv O_NOCTTY 252may be used to ensure the OS does not assign this file as the 253controlling terminal when it opens a tty device. 254This is the default on 255.Fx , 256but is present for 257.Tn POSIX 258compatibility. 259The 260.Fn open 261system call will not assign controlling terminals on 262.Fx . 263.Pp 264.Dv O_TTY_INIT 265may be used to ensure the OS restores the terminal attributes when 266initially opening a TTY. 267This is the default on 268.Fx , 269but is present for 270.Tn POSIX 271compatibility. 272The initial call to 273.Fn open 274on a TTY will always restore default terminal attributes on 275.Fx . 276.Pp 277.Dv O_DIRECTORY 278may be used to ensure the resulting file descriptor refers to a 279directory. 280This flag can be used to prevent applications with elevated privileges 281from opening files which are even unsafe to open with 282.Dv O_RDONLY , 283such as device nodes. 284.Pp 285.Dv O_CLOEXEC 286may be used to set 287.Dv FD_CLOEXEC 288flag for the newly returned file descriptor. 289.Pp 290.Dv O_VERIFY 291may be used to indicate to the kernel that the contents of the file should 292be verified before allowing the open to proceed. 293The details of what 294.Dq verified 295means is implementation specific. 296The run-time linker (rtld) uses this flag to ensure shared objects have 297been verified before operating on them. 298.Pp 299.Dv O_RESOLVE_BENEATH 300returns 301.Er ENOTCAPABLE 302if any intermediate component of the specified relative path does not 303reside in the directory hierarchy beneath the starting directory. 304Absolute paths or even the temporal escape from beneath of the starting 305directory is not allowed. 306.Pp 307When 308.Fa fd 309is opened with 310.Dv O_SEARCH , 311execute permissions are checked at open time. 312The 313.Fa fd 314may not be used for any read operations like 315.Xr getdirentries 2 . 316The primary use for this descriptor will be as the lookup descriptor for the 317.Fn *at 318family of functions. 319.Pp 320.Dv O_PATH 321returns a file descriptor that can be used as a directory file descriptor for 322.Xr openat 2 323and other system calls taking a file descriptor argument, like 324.Xr fstatat 2 325and others. 326The other functionality of the returned file descriptor is limited to 327the descriptor-level operations. 328It can be used for 329.Bl -tag -width SCM_RIGHTS -offset indent -compact 330.It Xr fcntl 2 331but advisory locking is not allowed 332.It Xr dup 2 333.It Xr close 2 334.It Xr fstat 2 335.It Xr fexecve 2 336requires that 337.Dv O_EXEC 338was also specified at open time 339.It Dv SCM_RIGHTS 340can be passed over a 341.Xr unix 4 342socket using a 343.Dv SCM_RIGHTS 344message 345.It Xr kqueue 2 346using for 347.Dv EVFILT_VNODE 348.El 349But operations like 350.Xr read 2 , 351.Xr ftruncate 2 , 352and any other that operate on file and not on file descriptor (except 353.Xr fstat 2 ), 354are not allowed. 355File opened with the 356.Dv O_PATH 357flag does not prevent non-forced unmount of the volume it belongs to. 358See also the description of 359.Dv AT_EMPTY_PATH 360flag for 361.Xr fstatat 2 362and related syscalls. 363.Pp 364If successful, 365.Fn open 366returns a non-negative integer, termed a file descriptor. 367It returns \-1 on failure. 368The file pointer used to mark the current position within the 369file is set to the beginning of the file. 370.Pp 371If a sleeping open of a device node from 372.Xr devfs 5 373is interrupted by a signal, the call always fails with 374.Er EINTR , 375even if the 376.Dv SA_RESTART 377flag is set for the signal. 378A sleeping open of a fifo (see 379.Xr mkfifo 2 ) 380is restarted as normal. 381.Pp 382When a new file is created it is given the group of the directory 383which contains it. 384.Pp 385Unless 386.Dv O_CLOEXEC 387flag was specified, 388the new descriptor is set to remain open across 389.Xr execve 2 390system calls; see 391.Xr close 2 , 392.Xr fcntl 2 393and 394.Dv O_CLOEXEC 395description. 396.Pp 397The system imposes a limit on the number of file descriptors 398open simultaneously by one process. 399The 400.Xr getdtablesize 2 401system call returns the current system limit. 402.Sh RETURN VALUES 403If successful, 404.Fn open 405and 406.Fn openat 407return a non-negative integer, termed a file descriptor. 408They return \-1 on failure, and set 409.Va errno 410to indicate the error. 411.Sh ERRORS 412The named file is opened unless: 413.Bl -tag -width Er 414.It Bq Er ENOTDIR 415A component of the path prefix is not a directory. 416.It Bq Er ENAMETOOLONG 417A component of a pathname exceeded 255 characters, 418or an entire path name exceeded 1023 characters. 419.It Bq Er ENOENT 420.Dv O_CREAT 421is not set and the named file does not exist. 422.It Bq Er ENOENT 423A component of the path name that must exist does not exist. 424.It Bq Er EACCES 425Search permission is denied for a component of the path prefix. 426.It Bq Er EACCES 427The required permissions (for reading and/or writing) 428are denied for the given flags. 429.It Bq Er EACCES 430.Dv O_TRUNC 431is specified and write permission is denied. 432.It Bq Er EACCES 433.Dv O_CREAT 434is specified, 435the file does not exist, 436and the directory in which it is to be created 437does not permit writing. 438.It Bq Er EPERM 439.Dv O_CREAT 440is specified, the file does not exist, and the directory in which it is to be 441created has its immutable flag set, see the 442.Xr chflags 2 443manual page for more information. 444.It Bq Er EPERM 445The named file has its immutable flag set and the file is to be modified. 446.It Bq Er EPERM 447The named file has its append-only flag set, the file is to be modified, and 448.Dv O_TRUNC 449is specified or 450.Dv O_APPEND 451is not specified. 452.It Bq Er ELOOP 453Too many symbolic links were encountered in translating the pathname. 454.It Bq Er EISDIR 455The named file is a directory, and the arguments specify 456it is to be modified. 457.It Bq Er EISDIR 458The named file is a directory, and the flags specified 459.Dv O_CREAT 460without 461.Dv O_DIRECTORY . 462.It Bq Er EROFS 463The named file resides on a read-only file system, 464and the file is to be modified. 465.It Bq Er EROFS 466.Dv O_CREAT 467is specified and the named file would reside on a read-only file system. 468.It Bq Er EMFILE 469The process has already reached its limit for open file descriptors. 470.It Bq Er ENFILE 471The system file table is full. 472.It Bq Er EMLINK 473.Dv O_NOFOLLOW 474was specified and the target is a symbolic link. 475.It Bq Er ENXIO 476The named file is a character special or block 477special file, and the device associated with this special file 478does not exist. 479.It Bq Er ENXIO 480.Dv O_NONBLOCK 481is set, the named file is a fifo, 482.Dv O_WRONLY 483is set, and no process has the file open for reading. 484.It Bq Er EINTR 485The 486.Fn open 487operation was interrupted by a signal. 488.It Bq Er EOPNOTSUPP 489.Dv O_SHLOCK 490or 491.Dv O_EXLOCK 492is specified but the underlying file system does not support locking. 493.It Bq Er EOPNOTSUPP 494The named file is a special file mounted through a file system that 495does not support access to it (e.g.\& NFS). 496.It Bq Er EWOULDBLOCK 497.Dv O_NONBLOCK 498and one of 499.Dv O_SHLOCK 500or 501.Dv O_EXLOCK 502is specified and the file is locked. 503.It Bq Er ENOSPC 504.Dv O_CREAT 505is specified, 506the file does not exist, 507and the directory in which the entry for the new file is being placed 508cannot be extended because there is no space left on the file 509system containing the directory. 510.It Bq Er ENOSPC 511.Dv O_CREAT 512is specified, 513the file does not exist, 514and there are no free inodes on the file system on which the 515file is being created. 516.It Bq Er EDQUOT 517.Dv O_CREAT 518is specified, 519the file does not exist, 520and the directory in which the entry for the new file 521is being placed cannot be extended because the 522user's quota of disk blocks on the file system 523containing the directory has been exhausted. 524.It Bq Er EDQUOT 525.Dv O_CREAT 526is specified, 527the file does not exist, 528and the user's quota of inodes on the file system on 529which the file is being created has been exhausted. 530.It Bq Er EIO 531An I/O error occurred while making the directory entry or 532allocating the inode for 533.Dv O_CREAT . 534.It Bq Er EINTEGRITY 535Corrupted data was detected while reading from the file system. 536.It Bq Er ETXTBSY 537The file is a pure procedure (shared text) file that is being 538executed and the 539.Fn open 540system call requests write access. 541.It Bq Er EFAULT 542The 543.Fa path 544argument 545points outside the process's allocated address space. 546.It Bq Er EEXIST 547.Dv O_CREAT 548and 549.Dv O_EXCL 550were specified and the file exists. 551.It Bq Er EOPNOTSUPP 552An attempt was made to open a socket (not currently implemented). 553.It Bq Er EINVAL 554An attempt was made to open a descriptor with an illegal combination 555of 556.Dv O_RDONLY , 557.Dv O_WRONLY , 558or 559.Dv O_RDWR , 560and 561.Dv O_EXEC 562or 563.Dv O_SEARCH . 564.It Bq Er EINVAL 565The 566.Dv O_RESOLVE_BENEATH 567flag is specified and 568.Dv path 569is absolute. 570.It Bq Er EBADF 571The 572.Fa path 573argument does not specify an absolute path and the 574.Fa fd 575argument is 576neither 577.Dv AT_FDCWD 578nor a valid file descriptor open for searching. 579.It Bq Er ENOTDIR 580The 581.Fa path 582argument is not an absolute path and 583.Fa fd 584is neither 585.Dv AT_FDCWD 586nor a file descriptor associated with a directory. 587.It Bq Er ENOTDIR 588.Dv O_DIRECTORY 589is specified and the file is not a directory. 590.It Bq Er ECAPMODE 591.Dv AT_FDCWD 592is specified and the process is in capability mode. 593.It Bq Er ECAPMODE 594.Fn open 595was called and the process is in capability mode. 596.It Bq Er ENOTCAPABLE 597.Fa path 598is an absolute path, 599or contained a ".." component leading to a 600directory outside of the directory hierarchy specified by 601.Fa fd , 602and the process is in capability mode. 603.It Bq Er ENOTCAPABLE 604The 605.Dv O_RESOLVE_BENEATH 606flag was provided, and the relative 607.Fa path 608escapes the 609.Ar fd 610directory. 611.El 612.Sh SEE ALSO 613.Xr chmod 2 , 614.Xr close 2 , 615.Xr dup 2 , 616.Xr fexecve 2 , 617.Xr fhopen 2 , 618.Xr getdtablesize 2 , 619.Xr getfh 2 , 620.Xr lgetfh 2 , 621.Xr lseek 2 , 622.Xr read 2 , 623.Xr umask 2 , 624.Xr write 2 , 625.Xr fopen 3 , 626.Xr capsicum 4 627.Sh STANDARDS 628These functions are specified by 629.St -p1003.1-2008 . 630.Fx 631sets 632.Va errno 633to 634.Er EMLINK instead of 635.Er ELOOP 636as specified by 637.Tn POSIX 638when 639.Dv O_NOFOLLOW 640is set in flags and the final component of pathname is a symbolic link 641to distinguish it from the case of too many symbolic link traversals 642in one of its non-final components. 643.Sh HISTORY 644The 645.Fn open 646function appeared in 647.At v1 . 648The 649.Fn openat 650function was introduced in 651.Fx 8.0 . 652.Dv O_DSYNC 653appeared in 13.0. 654.Sh BUGS 655The Open Group Extended API Set 2 specification requires that the test 656for whether 657.Fa fd 658is searchable is based on whether 659.Fa fd 660is open for searching, not whether the underlying directory currently 661permits searches. 662The present implementation of the 663.Fa openat 664checks the current permissions of directory instead. 665.Pp 666The 667.Fa mode 668argument is variadic and may result in different calling conventions 669than might otherwise be expected. 670