xref: /freebsd-14.2/lib/libc/sys/open.2 (revision d8aaf097)
1.\" Copyright (c) 1980, 1991, 1993
2.\"	The Regents of the University of California.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\" 3. Neither the name of the University nor the names of its contributors
13.\"    may be used to endorse or promote products derived from this software
14.\"    without specific prior written permission.
15.\"
16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26.\" SUCH DAMAGE.
27.\"
28.\"     @(#)open.2	8.2 (Berkeley) 11/16/93
29.\"
30.Dd May 29, 2023
31.Dt OPEN 2
32.Os
33.Sh NAME
34.Nm open , openat
35.Nd open or create a file for reading, writing or executing
36.Sh LIBRARY
37.Lb libc
38.Sh SYNOPSIS
39.In fcntl.h
40.Ft int
41.Fn open "const char *path" "int flags" "..."
42.Ft int
43.Fn openat "int fd" "const char *path" "int flags" "..."
44.Sh DESCRIPTION
45The file name specified by
46.Fa path
47is opened
48for either execution or reading and/or writing as specified by the
49argument
50.Fa flags
51and the file descriptor returned to the calling process.
52The
53.Fa flags
54argument may indicate the file is to be
55created if it does not exist (by specifying the
56.Dv O_CREAT
57flag).
58In this case
59.Fn open
60and
61.Fn openat
62require an additional argument
63.Fa "mode_t mode" ,
64and the file is created with mode
65.Fa mode
66as described in
67.Xr chmod 2
68and modified by the process' umask value (see
69.Xr umask 2 ) .
70.Pp
71The
72.Fn openat
73function is equivalent to the
74.Fn open
75function except in the case where the
76.Fa path
77specifies a relative path.
78For
79.Fn openat
80and relative
81.Fa path ,
82the file to be opened is determined relative to the directory
83associated with the file descriptor
84.Fa fd
85instead of the current working directory.
86The
87.Fa flag
88parameter and the optional fourth parameter correspond exactly to
89the parameters of
90.Fn open .
91If
92.Fn openat
93is passed the special value
94.Dv AT_FDCWD
95in the
96.Fa fd
97parameter, the current working directory is used
98and the behavior is identical to a call to
99.Fn open .
100.Pp
101When
102.Fn openat
103is called with an absolute
104.Fa path ,
105it ignores the
106.Fa fd
107argument.
108.Pp
109In
110.Xr capsicum 4
111capability mode,
112.Fn open
113is not permitted.
114The
115.Fa path
116argument to
117.Fn openat
118must be strictly relative to a file descriptor
119.Fa fd .
120.Fa path
121must not be an absolute path and must not contain ".." components
122which cause the path resolution to escape the directory hierarchy
123starting at
124.Fa fd .
125Additionally, no symbolic link in
126.Fa path
127may target absolute path or contain escaping ".." components.
128.Fa fd
129must not be
130.Dv AT_FDCWD .
131.Pp
132If the
133.Dv vfs.lookup_cap_dotdot
134.Xr sysctl 3
135MIB is set to zero, ".." components in the paths,
136used in capability mode,
137are completely disabled.
138If the
139.Dv vfs.lookup_cap_dotdot_nonlocal
140MIB is set to zero, ".." is not allowed if found on non-local filesystem.
141.Pp
142The flags specified are formed by
143.Em or Ns 'ing
144the following values
145.Pp
146.Bd -literal -offset indent -compact
147O_RDONLY	open for reading only
148O_WRONLY	open for writing only
149O_RDWR		open for reading and writing
150O_EXEC		open for execute only
151O_SEARCH	open for search only, an alias for O_EXEC
152O_NONBLOCK	do not block on open
153O_APPEND	append on each write
154O_CREAT		create file if it does not exist
155O_TRUNC		truncate size to 0
156O_EXCL		error if create and file exists
157O_SHLOCK	atomically obtain a shared lock
158O_EXLOCK	atomically obtain an exclusive lock
159O_DIRECT	eliminate or reduce cache effects
160O_FSYNC		synchronous writes (historical synonym for O_SYNC)
161O_SYNC		synchronous writes
162O_DSYNC		synchronous data writes
163O_NOFOLLOW	do not follow symlinks
164O_NOCTTY	ignored
165O_TTY_INIT	ignored
166O_DIRECTORY	error if file is not a directory
167O_CLOEXEC	set FD_CLOEXEC upon open
168O_VERIFY	verify the contents of the file
169O_RESOLVE_BENEATH	path resolution must not cross the fd directory
170O_PATH		record only the target path in the opened descriptor
171O_EMPTY_PATH	openat, open file referenced by fd if path is empty
172.Ed
173.Pp
174Opening a file with
175.Dv O_APPEND
176set causes each write on the file
177to be appended to the end.
178If
179.Dv O_TRUNC
180is specified and the
181file exists, the file is truncated to zero length.
182If
183.Dv O_EXCL
184is set with
185.Dv O_CREAT
186and the file already
187exists,
188.Fn open
189returns an error.
190This may be used to
191implement a simple exclusive access locking mechanism.
192If
193.Dv O_EXCL
194is set and the last component of the pathname is
195a symbolic link,
196.Fn open
197will fail even if the symbolic
198link points to a non-existent name.
199If the
200.Dv O_NONBLOCK
201flag is specified and the
202.Fn open
203system call would result
204in the process being blocked for some reason (e.g., waiting for
205carrier on a dialup line),
206.Fn open
207returns immediately.
208The descriptor remains in non-blocking mode for subsequent operations.
209.Pp
210If
211.Dv O_SYNC
212is used in the mask, all writes will
213immediately and synchronously be written to disk.
214.Dv O_FSYNC
215is an historical synonym for
216.Dv O_SYNC .
217.Pp
218If
219.Dv O_DSYNC
220is used in the mask, all data and metadata required to read the data will be
221synchronously written to disk, but changes to metadata such as file access and
222modification timestamps may be written later.
223.Pp
224If
225.Dv O_NOFOLLOW
226is used in the mask and the target file passed to
227.Fn open
228is a symbolic link then the
229.Fn open
230will fail.
231.Pp
232When opening a file, a lock with
233.Xr flock 2
234semantics can be obtained by setting
235.Dv O_SHLOCK
236for a shared lock, or
237.Dv O_EXLOCK
238for an exclusive lock.
239If creating a file with
240.Dv O_CREAT ,
241the request for the lock will never fail
242(provided that the underlying file system supports locking).
243.Pp
244.Dv O_DIRECT
245may be used to minimize or eliminate the cache effects of reading and writing.
246The system will attempt to avoid caching the data you read or write.
247If it cannot avoid caching the data,
248it will minimize the impact the data has on the cache.
249Use of this flag can drastically reduce performance if not used with care.
250.Pp
251.Dv O_NOCTTY
252may be used to ensure the OS does not assign this file as the
253controlling terminal when it opens a tty device.
254This is the default on
255.Fx ,
256but is present for
257.Tn POSIX
258compatibility.
259The
260.Fn open
261system call will not assign controlling terminals on
262.Fx .
263.Pp
264.Dv O_TTY_INIT
265may be used to ensure the OS restores the terminal attributes when
266initially opening a TTY.
267This is the default on
268.Fx ,
269but is present for
270.Tn POSIX
271compatibility.
272The initial call to
273.Fn open
274on a TTY will always restore default terminal attributes on
275.Fx .
276.Pp
277.Dv O_DIRECTORY
278may be used to ensure the resulting file descriptor refers to a
279directory.
280This flag can be used to prevent applications with elevated privileges
281from opening files which are even unsafe to open with
282.Dv O_RDONLY ,
283such as device nodes.
284.Pp
285.Dv O_CLOEXEC
286may be used to set
287.Dv FD_CLOEXEC
288flag for the newly returned file descriptor.
289.Pp
290.Dv O_VERIFY
291may be used to indicate to the kernel that the contents of the file should
292be verified before allowing the open to proceed.
293The details of what
294.Dq verified
295means is implementation specific.
296The run-time linker (rtld) uses this flag to ensure shared objects have
297been verified before operating on them.
298.Pp
299.Dv O_RESOLVE_BENEATH
300returns
301.Er ENOTCAPABLE
302if any intermediate component of the specified relative path does not
303reside in the directory hierarchy beneath the starting directory.
304Absolute paths or even the temporal escape from beneath of the starting
305directory is not allowed.
306.Pp
307When
308.Fa fd
309is opened with
310.Dv O_SEARCH ,
311execute permissions are checked at open time.
312The
313.Fa fd
314may not be used for any read operations like
315.Xr getdirentries 2 .
316The primary use for this descriptor will be as the lookup descriptor for the
317.Fn *at
318family of functions.
319.Pp
320.Dv O_PATH
321returns a file descriptor that can be used as a directory file descriptor for
322.Xr openat 2
323and other system calls taking a file descriptor argument, like
324.Xr fstatat 2
325and others.
326The other functionality of the returned file descriptor is limited to
327the descriptor-level operations.
328It can be used for
329.Bl -tag -width readlinkat(2) -offset indent -compact
330.It Xr fcntl 2
331but advisory locking is not allowed
332.It Xr dup 2
333.It Xr close 2
334.It Xr fstat 2
335.It Xr fexecve 2
336.It Dv SCM_RIGHTS
337can be passed over a
338.Xr unix 4
339socket using a
340.Dv SCM_RIGHTS
341message
342.It Xr kqueue 2
343using for
344.Dv EVFILT_VNODE
345.It Xr readlinkat 2
346.It Xr __acl_get_fd 2 , Xr __acl_aclcheck_fd 2
347.El
348But operations like
349.Xr read 2 ,
350.Xr ftruncate 2 ,
351and any other that operate on file and not on file descriptor (except
352.Xr fstat 2 ),
353are not allowed.
354.Pp
355A file descriptor created with the
356.Dv O_PATH
357flag can be opened into normal (operable) file descriptor by
358specifying it as the
359.Fa fd
360argument to
361.Fn openat
362with empty
363.Fa path
364and flag
365.Dv O_EMPTY_PATH .
366Such an open behaves as if the current path of the file referenced by
367.Fa fd
368is passed, except that the path walk permissions are not checked.
369See also the description of
370.Dv AT_EMPTY_PATH
371flag for
372.Xr fstatat 2
373and related syscalls.
374.Pp
375If successful,
376.Fn open
377returns a non-negative integer, termed a file descriptor.
378It returns \-1 on failure.
379The file pointer used to mark the current position within the
380file is set to the beginning of the file.
381.Pp
382If a sleeping open of a device node from
383.Xr devfs 5
384is interrupted by a signal, the call always fails with
385.Er EINTR ,
386even if the
387.Dv SA_RESTART
388flag is set for the signal.
389A sleeping open of a fifo (see
390.Xr mkfifo 2 )
391is restarted as normal.
392.Pp
393When a new file is created it is given the group of the directory
394which contains it.
395.Pp
396Unless
397.Dv O_CLOEXEC
398flag was specified,
399the new descriptor is set to remain open across
400.Xr execve 2
401system calls; see
402.Xr close 2 ,
403.Xr fcntl 2
404and
405.Dv O_CLOEXEC
406description.
407.Pp
408The system imposes a limit on the number of file descriptors
409open simultaneously by one process.
410The
411.Xr getdtablesize 2
412system call returns the current system limit.
413.Sh RETURN VALUES
414If successful,
415.Fn open
416and
417.Fn openat
418return a non-negative integer, termed a file descriptor.
419They return \-1 on failure, and set
420.Va errno
421to indicate the error.
422.Sh ERRORS
423The named file is opened unless:
424.Bl -tag -width Er
425.It Bq Er ENOTDIR
426A component of the path prefix is not a directory.
427.It Bq Er ENAMETOOLONG
428A component of a pathname exceeded 255 characters,
429or an entire path name exceeded 1023 characters.
430.It Bq Er ENOENT
431.Dv O_CREAT
432is not set and the named file does not exist.
433.It Bq Er ENOENT
434A component of the path name that must exist does not exist.
435.It Bq Er EACCES
436Search permission is denied for a component of the path prefix.
437.It Bq Er EACCES
438The required permissions (for reading and/or writing)
439are denied for the given flags.
440.It Bq Er EACCES
441.Dv O_TRUNC
442is specified and write permission is denied.
443.It Bq Er EACCES
444.Dv O_CREAT
445is specified,
446the file does not exist,
447and the directory in which it is to be created
448does not permit writing.
449.It Bq Er EPERM
450.Dv O_CREAT
451is specified, the file does not exist, and the directory in which it is to be
452created has its immutable flag set, see the
453.Xr chflags 2
454manual page for more information.
455.It Bq Er EPERM
456The named file has its immutable flag set and the file is to be modified.
457.It Bq Er EPERM
458The named file has its append-only flag set, the file is to be modified, and
459.Dv O_TRUNC
460is specified or
461.Dv O_APPEND
462is not specified.
463.It Bq Er ELOOP
464Too many symbolic links were encountered in translating the pathname.
465.It Bq Er EISDIR
466The named file is a directory, and the arguments specify
467it is to be modified.
468.It Bq Er EISDIR
469The named file is a directory, and the flags specified
470.Dv O_CREAT
471without
472.Dv O_DIRECTORY .
473.It Bq Er EROFS
474The named file resides on a read-only file system,
475and the file is to be modified.
476.It Bq Er EROFS
477.Dv O_CREAT
478is specified and the named file would reside on a read-only file system.
479.It Bq Er EMFILE
480The process has already reached its limit for open file descriptors.
481.It Bq Er ENFILE
482The system file table is full.
483.It Bq Er EMLINK
484.Dv O_NOFOLLOW
485was specified and the target is a symbolic link.
486.It Bq Er ENXIO
487The named file is a character special or block
488special file, and the device associated with this special file
489does not exist.
490.It Bq Er ENXIO
491.Dv O_NONBLOCK
492is set, the named file is a fifo,
493.Dv O_WRONLY
494is set, and no process has the file open for reading.
495.It Bq Er EINTR
496The
497.Fn open
498operation was interrupted by a signal.
499.It Bq Er EOPNOTSUPP
500.Dv O_SHLOCK
501or
502.Dv O_EXLOCK
503is specified but the underlying file system does not support locking.
504.It Bq Er EOPNOTSUPP
505The named file is a special file mounted through a file system that
506does not support access to it (e.g.\& NFS).
507.It Bq Er EWOULDBLOCK
508.Dv O_NONBLOCK
509and one of
510.Dv O_SHLOCK
511or
512.Dv O_EXLOCK
513is specified and the file is locked.
514.It Bq Er ENOSPC
515.Dv O_CREAT
516is specified,
517the file does not exist,
518and the directory in which the entry for the new file is being placed
519cannot be extended because there is no space left on the file
520system containing the directory.
521.It Bq Er ENOSPC
522.Dv O_CREAT
523is specified,
524the file does not exist,
525and there are no free inodes on the file system on which the
526file is being created.
527.It Bq Er EDQUOT
528.Dv O_CREAT
529is specified,
530the file does not exist,
531and the directory in which the entry for the new file
532is being placed cannot be extended because the
533user's quota of disk blocks on the file system
534containing the directory has been exhausted.
535.It Bq Er EDQUOT
536.Dv O_CREAT
537is specified,
538the file does not exist,
539and the user's quota of inodes on the file system on
540which the file is being created has been exhausted.
541.It Bq Er EIO
542An I/O error occurred while making the directory entry or
543allocating the inode for
544.Dv O_CREAT .
545.It Bq Er EINTEGRITY
546Corrupted data was detected while reading from the file system.
547.It Bq Er ETXTBSY
548The file is a pure procedure (shared text) file that is being
549executed and the
550.Fn open
551system call requests write access.
552.It Bq Er EFAULT
553The
554.Fa path
555argument
556points outside the process's allocated address space.
557.It Bq Er EEXIST
558.Dv O_CREAT
559and
560.Dv O_EXCL
561were specified and the file exists.
562.It Bq Er EOPNOTSUPP
563An attempt was made to open a socket (not currently implemented).
564.It Bq Er EINVAL
565An attempt was made to open a descriptor with an illegal combination
566of
567.Dv O_RDONLY ,
568.Dv O_WRONLY ,
569or
570.Dv O_RDWR ,
571and
572.Dv O_EXEC
573or
574.Dv O_SEARCH .
575.It Bq Er EBADF
576The
577.Fa path
578argument does not specify an absolute path and the
579.Fa fd
580argument is
581neither
582.Dv AT_FDCWD
583nor a valid file descriptor open for searching.
584.It Bq Er ENOTDIR
585The
586.Fa path
587argument is not an absolute path and
588.Fa fd
589is neither
590.Dv AT_FDCWD
591nor a file descriptor associated with a directory.
592.It Bq Er ENOTDIR
593.Dv O_DIRECTORY
594is specified and the file is not a directory.
595.It Bq Er ECAPMODE
596.Dv AT_FDCWD
597is specified and the process is in capability mode.
598.It Bq Er ECAPMODE
599.Fn open
600was called and the process is in capability mode.
601.It Bq Er ENOTCAPABLE
602.Fa path
603is an absolute path and the process is in capability mode.
604.It Bq Er ENOTCAPABLE
605.Fa path
606is an absolute path and
607.Dv O_RESOLVE_BENEATH
608is specified.
609.It Bq Er ENOTCAPABLE
610.Fa path
611contains a ".." component leading to a directory outside
612of the directory hierarchy specified by
613.Fa fd
614and the process is in capability mode.
615.It Bq Er ENOTCAPABLE
616.Fa path
617contains a ".." component leading to a directory outside
618of the directory hierarchy specified by
619.Fa fd
620and
621.Dv O_RESOLVE_BENEATH
622is specified.
623.It Bq Er ENOTCAPABLE
624.Fa path
625contains a ".." component, the
626.Dv vfs.lookup_cap_dotdot
627.Xr sysctl 3
628is set, and the process is in capability mode.
629.El
630.Sh SEE ALSO
631.Xr chmod 2 ,
632.Xr close 2 ,
633.Xr dup 2 ,
634.Xr fexecve 2 ,
635.Xr fhopen 2 ,
636.Xr getdtablesize 2 ,
637.Xr getfh 2 ,
638.Xr lgetfh 2 ,
639.Xr lseek 2 ,
640.Xr read 2 ,
641.Xr umask 2 ,
642.Xr write 2 ,
643.Xr fopen 3 ,
644.Xr capsicum 4
645.Sh STANDARDS
646These functions are specified by
647.St -p1003.1-2008 .
648.Fx
649sets
650.Va errno
651to
652.Er EMLINK instead of
653.Er ELOOP
654as specified by
655.Tn POSIX
656when
657.Dv O_NOFOLLOW
658is set in flags and the final component of pathname is a symbolic link
659to distinguish it from the case of too many symbolic link traversals
660in one of its non-final components.
661.Sh HISTORY
662The
663.Fn open
664function appeared in
665.At v1 .
666The
667.Fn openat
668function was introduced in
669.Fx 8.0 .
670.Dv O_DSYNC
671appeared in 13.0.
672.Sh BUGS
673The Open Group Extended API Set 2 specification requires that the test
674for whether
675.Fa fd
676is searchable is based on whether
677.Fa fd
678is open for searching, not whether the underlying directory currently
679permits searches.
680The present implementation of the
681.Fa openat
682checks the current permissions of directory instead.
683.Pp
684The
685.Fa mode
686argument is variadic and may result in different calling conventions
687than might otherwise be expected.
688