1.\" $OpenBSD: execve.2,v 1.54 2020/04/10 07:31:45 jca Exp $ 2.\" $NetBSD: execve.2,v 1.9 1995/02/27 12:32:25 cgd Exp $ 3.\" 4.\" Copyright (c) 1980, 1991, 1993 5.\" The Regents of the University of California. All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in the 14.\" documentation and/or other materials provided with the distribution. 15.\" 3. Neither the name of the University nor the names of its contributors 16.\" may be used to endorse or promote products derived from this software 17.\" without specific prior written permission. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" @(#)execve.2 8.3 (Berkeley) 1/24/94 32.\" 33.Dd $Mdocdate: April 10 2020 $ 34.Dt EXECVE 2 35.Os 36.Sh NAME 37.Nm execve 38.Nd execute a file 39.Sh SYNOPSIS 40.In unistd.h 41.Ft int 42.Fn execve "const char *path" "char *const argv[]" "char *const envp[]" 43.Sh DESCRIPTION 44.Fn execve 45transforms the calling process into a new process. 46The new process is constructed from an ordinary file, 47whose name is pointed to by 48.Fa path , 49called the 50.Em new process file . 51This file is either an executable object file, 52or a file of data for an interpreter. 53An executable object file consists of an identifying header, 54followed by pages of data representing the initial program (text) 55and initialized data pages. 56Additional pages may be specified by the header to be initialized 57with zero data; see 58.Xr elf 5 . 59.Pp 60An interpreter file begins with a line of the form: 61.Bd -filled -offset indent 62.Sy #!\& 63.Em interpreter 64.Bq Em arg 65.Ed 66.Pp 67When an interpreter file is passed to 68.Fn execve 69the system instead calls 70.Fn execve 71with the specified 72.Em interpreter . 73If the optional 74.Em arg 75is specified, it becomes the first argument to the 76.Em interpreter , 77and the original 78.Ar path 79becomes the second argument; 80otherwise, 81.Ar path 82becomes the first argument. 83The original arguments are shifted over to become the subsequent arguments. 84The zeroth argument, normally the name of the file being executed, is left 85unchanged. 86.Pp 87The argument 88.Fa argv 89is a pointer to a null-terminated array of 90character pointers to NUL-terminated character strings. 91These strings construct the argument list to be made available to the new 92process. 93At least one non-null argument must be present in the array; 94by custom, the first element should be 95the name of the executed program (for example, the last component of 96.Fa path ) . 97.Pp 98The argument 99.Fa envp 100is also a pointer to a null-terminated array of 101character pointers to NUL-terminated strings. 102A pointer to this array is normally stored in the global variable 103.Va environ . 104These strings pass information to the 105new process that is not directly an argument to the command (see 106.Xr environ 7 ) . 107.Pp 108File descriptors open in the calling process image remain open in 109the new process image, except for those for which the close-on-exec 110flag is set (see 111.Xr close 2 112and 113.Xr fcntl 2 ) . 114Descriptors that remain open are unaffected by 115.Fn execve . 116In the case of a new setuid or setgid executable being executed, if 117file descriptors 0, 1, or 2 (representing stdin, stdout, and stderr) 118are currently unallocated, these descriptors will be opened to point to 119some system file like 120.Pa /dev/null . 121The intent is to ensure these descriptors are not unallocated, since 122many libraries make assumptions about the use of these 3 file descriptors. 123.Pp 124Signals set to be ignored in the calling process, 125with the exception of 126.Dv SIGCHLD , 127are set to be ignored in 128the 129new process. 130Other signals 131are set to default action in the new process image. 132Blocked signals remain blocked regardless of changes to the signal action. 133The signal stack is reset to be undefined (see 134.Xr sigaction 2 135for more information). 136.Pp 137If the set-user-ID mode bit of the new process image file is set 138(see 139.Xr chmod 2 ) , 140the effective user ID of the new process image is set to the owner ID 141of the new process image file. 142If the set-group-ID mode bit of the new process image file is set, 143the effective group ID of the new process image is set to the group ID 144of the new process image file. 145(The effective group ID is the first element of the group list.) 146The real user ID, real group ID and 147other group IDs of the new process image remain the same as the calling 148process image. 149After any set-user-ID and set-group-ID processing, 150the effective user ID is recorded as the saved set-user-ID, 151and the effective group ID is recorded as the saved set-group-ID. 152These values may be used in changing the effective IDs later (see 153.Xr setuid 2 ) . 154The set-user-ID and set-group-ID bits have no effect if the 155new process image file is located on a file system mounted with 156the nosuid flag. 157The process will be started without the new permissions. 158.Pp 159The new process also inherits the following attributes from 160the calling process: 161.Pp 162.Bl -tag -width parent_process_ID -offset indent -compact 163.It process ID 164see 165.Xr getpid 2 166.It parent process ID 167see 168.Xr getppid 2 169.It process group ID 170see 171.Xr getpgrp 2 172.It session ID 173see 174.Xr getsid 2 175.It access groups 176see 177.Xr getgroups 2 178.It working directory 179see 180.Xr chdir 2 181.It root directory 182see 183.Xr chroot 2 184.It control terminal 185see 186.Xr termios 4 187.It resource usages 188see 189.Xr getrusage 2 190.It interval timers 191see 192.Xr getitimer 2 193(unless process image file is setuid or setgid, 194in which case all timers are disabled) 195.It resource limits 196see 197.Xr getrlimit 2 198.It file mode mask 199see 200.Xr umask 2 201.It signal mask 202see 203.Xr sigaction 2 , 204.Xr sigprocmask 2 205.El 206.Pp 207When a program is executed as a result of an 208.Fn execve 209call, it is entered as follows: 210.Bd -literal -offset indent 211main(int argc, char **argv, char **envp) 212.Ed 213.Pp 214where 215.Fa argc 216is the number of elements in 217.Fa argv 218(the 219.Dq arg count ) 220and 221.Fa argv 222points to the array of character pointers 223to the arguments themselves. 224.Sh RETURN VALUES 225As the 226.Fn execve 227function overlays the current process image 228with a new process image the successful call 229has no process to return to. 230If 231.Fn execve 232does return to the calling process an error has occurred; the 233return value will be \-1 and the global variable 234.Va errno 235is set to indicate the error. 236.Sh ERRORS 237.Fn execve 238will fail and return to the calling process if: 239.Bl -tag -width Er 240.It Bq Er ENOTDIR 241A component of the path prefix is not a directory. 242.It Bq Er ENAMETOOLONG 243A component of a pathname exceeded 244.Dv NAME_MAX 245characters, or an entire pathname (including the terminating NUL) 246exceeded 247.Dv PATH_MAX 248bytes. 249.It Bq Er ENOENT 250The new process file does not exist. 251.It Bq Er ELOOP 252Too many symbolic links were encountered in translating the pathname. 253.It Bq Er EACCES 254Search permission is denied for a component of the path prefix. 255.It Bq Er EACCES 256The new process file is not an ordinary file. 257.It Bq Er EACCES 258The new process file mode denies execute permission. 259.It Bq Er EACCES 260The new process file is on a filesystem mounted with execution 261disabled 262.Pf ( Dv MNT_NOEXEC 263in 264.In sys/mount.h ) . 265.It Bq Er EACCES 266The new process file is marked with 267.Xr ld 1 268.Fl z Cm wxneeded 269to perform W^X violating operations, but it is located on a file 270system not allowing such operations, being mounted without the 271.Xr mount 8 272.Fl o Cm wxallowed 273flag. 274.It Bq Er EACCES 275The parent used 276.Xr pledge 2 277to declare an 278.Va execpromise , 279and that is not permitted for setuid or setgid images. 280.It Bq Er ENOEXEC 281The new process file has the appropriate access 282permission, but has an invalid magic number in its header. 283.It Bq Er ETXTBSY 284The new process file is a pure procedure (shared text) 285file that is currently open for writing by some process. 286.It Bq Er ENOMEM 287The new process requires more virtual memory than 288is allowed by the imposed maximum 289.Pq Xr getrlimit 2 . 290.It Bq Er E2BIG 291The number of bytes in the new process's argument list 292is larger than the system-imposed limit. 293The limit in the system as released is 524288 bytes 294.Pf ( Dv ARG_MAX ) . 295.It Bq Er EFAULT 296The new process file is not as long as indicated by 297the size values in its header. 298.It Bq Er EFAULT 299.Fa path , 300.Fa argv , 301or 302.Fa envp 303point 304to an illegal address. 305.It Bq Er EINVAL 306.Fa argv 307did not contain at least one element. 308.It Bq Er EIO 309An I/O error occurred while reading from the file system. 310.It Bq Er ENFILE 311During startup of an 312.Em interpreter , 313the system file table was found to be full. 314.El 315.Sh SEE ALSO 316.Xr _exit 2 , 317.Xr fork 2 , 318.Xr execl 3 , 319.Xr exit 3 , 320.Xr elf 5 , 321.Xr environ 7 322.Sh STANDARDS 323The 324.Fn execve 325function is expected to conform to 326.St -p1003.1-2008 . 327.Sh HISTORY 328The predecessor of these functions, the former 329.Fn exec 330system call, first appeared in 331.At v1 . 332The 333.Fn execve 334function first appeared in 335.At v7 . 336.Sh CAVEATS 337If a program is 338.Em setuid 339to a non-superuser, but is executed when the real 340.Em uid 341is 342.Dq root , 343then the process has some of the powers of a superuser as well. 344.Pp 345.St -p1003.1-2008 346permits 347.Nm 348to leave 349.Dv SIGCHLD 350as ignored in the new process; portable programs cannot rely on 351.Nm 352resetting it to the default disposition. 353