| blob | 3b6bca39c87edca661d3f6747570f3430a74798a |
1 .\" Copyright (c) 2006, 2014, Michael Kerrisk
2 .\"
3 .\" %%%LICENSE_START(VERBATIM)
4 .\" Permission is granted to make and distribute verbatim copies of this
5 .\" manual provided the copyright notice and this permission notice are
6 .\" preserved on all copies.
7 .\"
8 .\" Permission is granted to copy and distribute modified versions of this
9 .\" manual under the conditions for verbatim copying, provided that the
10 .\" entire resulting derived work is distributed under the terms of a
11 .\" permission notice identical to this one.
12 .\"
13 .\" Since the Linux kernel and libraries are constantly changing, this
14 .\" manual page may be incorrect or out-of-date. The author(s) assume no
15 .\" responsibility for errors or omissions, or for damages resulting from
16 .\" the use of the information contained herein. The author(s) may not
17 .\" have taken the same level of care in the production of this manual,
18 .\" which is licensed free of charge, as they might when working
19 .\" professionally.
20 .\"
21 .\" Formatted or processed versions of this manual, if unaccompanied by
22 .\" the source, must acknowledge the copyright and authors of this work.
23 .\" %%%LICENSE_END
24 .\"
25 .TH FEXECVE 3 2021-03-22 "Linux" "Linux Programmer's Manual"
26 .SH NAME
27 fexecve \- execute program specified via file descriptor
28 .SH SYNOPSIS
29 .nf
30 .B #include <unistd.h>
31 .PP
32 .BI "int fexecve(int " fd ", char *const " argv "[], char *const " envp []);
33 .fi
34 .PP
35 .RS -4
36 Feature Test Macro Requirements for glibc (see
37 .BR feature_test_macros (7)):
38 .RE
39 .PP
40 .BR fexecve ():
41 .nf
42 Since glibc 2.10:
43 _POSIX_C_SOURCE >= 200809L
44 Before glibc 2.10:
45 _GNU_SOURCE
46 .fi
47 .SH DESCRIPTION
48 .BR fexecve ()
49 performs the same task as
50 .BR execve (2),
51 with the difference that the file to be executed
52 is specified via a file descriptor,
53 .IR fd ,
54 rather than via a pathname.
55 The file descriptor
56 .I fd
57 must be opened read-only
58 .RB ( O_RDONLY )
59 or with the
60 .B O_PATH
61 flag
62 and the caller must have permission to execute the file that it refers to.
63 .SH RETURN VALUE
64 A successful call to
65 .BR fexecve ()
66 never returns.
67 On error, the function does return, with a result value of \-1, and
68 .I errno
69 is set to indicate the error.
70 .SH ERRORS
71 Errors are as for
72 .BR execve (2),
73 with the following additions:
74 .TP
75 .B EINVAL
76 .I fd
77 is not a valid file descriptor, or
78 .I argv
79 is NULL, or
80 .I envp
81 is NULL.
82 .TP
83 .B ENOENT
84 The close-on-exec flag is set on
85 .IR fd ,
86 and
87 .I fd
88 refers to a script.
89 See BUGS.
90 .TP
91 .B ENOSYS
92 The kernel does not provide the
93 .BR execveat (2)
94 system call, and the
95 .I /proc
96 filesystem could not be accessed.
97 .SH VERSIONS
98 .BR fexecve ()
99 is implemented since glibc 2.3.2.
100 .SH ATTRIBUTES
101 For an explanation of the terms used in this section, see
102 .BR attributes (7).
103 .ad l
104 .nh
105 .TS
106 allbox;
107 lbx lb lb
108 l l l.
109 Interface Attribute Value
110 T{
111 .BR fexecve ()
112 T} Thread safety MT-Safe
113 .TE
114 .hy
115 .ad
116 .sp 1
117 .SH CONFORMING TO
118 POSIX.1-2008.
119 This function is not specified in POSIX.1-2001,
120 and is not widely available on other systems.
121 It is specified in POSIX.1-2008.
122 .SH NOTES
123 On Linux with glibc versions 2.26 and earlier,
124 .BR fexecve ()
125 is implemented using the
126 .BR proc (5)
127 filesystem, so
128 .I /proc
129 needs to be mounted and available at the time of the call.
130 Since glibc 2.27,
131 .\" glibc commit 43ffc53a352a67672210c9dd4959f6c6b7407e60
132 if the underlying kernel supports the
133 .BR execveat (2)
134 system call, then
135 .BR fexecve ()
136 is implemented using that system call, with the benefit that
137 .IR /proc
138 does not need to be mounted.
139 .PP
140 The idea behind
141 .BR fexecve ()
142 is to allow the caller to verify (checksum) the contents of
143 an executable before executing it.
144 Simply opening the file, checksumming the contents, and then doing an
145 .BR execve (2)
146 would not suffice, since, between the two steps, the filename,
147 or a directory prefix of the pathname, could have been exchanged
148 (by, for example, modifying the target of a symbolic link).
149 .BR fexecve ()
150 does not mitigate the problem that the
151 .I contents
152 of a file could be changed between the checksumming and the call to
153 .BR fexecve ();
154 for that, the solution is to ensure that the permissions on the file
155 prevent it from being modified by malicious users.
156 .PP
157 The natural idiom when using
158 .BR fexecve ()
159 is to set the close-on-exec flag on
160 .IR fd ,
161 so that the file descriptor does not leak through to the program
162 that is executed.
163 This approach is natural for two reasons.
164 First, it prevents file descriptors being consumed unnecessarily.
165 (The executed program normally has no need of a file descriptor
166 that refers to the program itself.)
167 Second, if
168 .BR fexecve ()
169 is used recursively,
170 employing the close-on-exec flag prevents the file descriptor exhaustion
171 that would result from the fact that each step in the recursion would
172 cause one more file descriptor to be passed to the new program.
173 (But see BUGS.)
174 .SH BUGS
175 If
176 .I fd
177 refers to a script (i.e., it is an executable text file that names
178 a script interpreter with a first line that begins with the characters
179 .IR #! )
180 and the close-on-exec flag has been set for
181 .IR fd ,
182 then
183 .BR fexecve ()
184 fails with the error
185 .BR ENOENT .
186 This error occurs because,
187 by the time the script interpreter is executed,
188 .I fd
189 has already been closed because of the close-on-exec flag.
190 Thus, the close-on-exec flag can't be set on
191 .I fd
192 if it refers to a script, leading to the problems described in NOTES.
193 .SH SEE ALSO
194 .BR execve (2),
195 .BR execveat (2)