.\" Copyright (c) 2006, 2014, Michael Kerrisk
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.TH FEXECVE 3 2021-03-22 "Linux man-pages (unreleased)"
fexecve \- execute program specified via file descriptor
.RI ( libc ", " \-lc )
.B #include <unistd.h>
.BI "int fexecve(int " fd ", char *const " argv "[], char *const " envp []);
Feature Test Macro Requirements for glibc (see
.BR feature_test_macros (7)):
_POSIX_C_SOURCE >= 200809L
performs the same task as
with the difference that the file to be executed
is specified via a file descriptor,
rather than via a pathname.
must be opened read-only
and the caller must have permission to execute the file that it refers to.
On error, the function does return, with a result value of \-1, and
is set to indicate the error.
with the following additions:
is not a valid file descriptor, or
The close-on-exec flag is set on
The kernel does not provide the
filesystem could not be accessed.
is implemented since glibc 2.3.2.
For an explanation of the terms used in this section, see
Interface Attribute Value
T} Thread safety MT-Safe
This function is not specified in POSIX.1-2001,
and is not widely available on other systems.
It is specified in POSIX.1-2008.
On Linux with glibc versions 2.26 and earlier,
is implemented using the
needs to be mounted and available at the time of the call.
.\" glibc commit 43ffc53a352a67672210c9dd4959f6c6b7407e60
if the underlying kernel supports the
is implemented using that system call, with the benefit that
does not need to be mounted.
is to allow the caller to verify (checksum) the contents of
an executable before executing it.
Simply opening the file, checksumming the contents, and then doing an
would not suffice, since, between the two steps, the filename,
or a directory prefix of the pathname, could have been exchanged
(by, for example, modifying the target of a symbolic link).
does not mitigate the problem that the
of a file could be changed between the checksumming and the call to
for that, the solution is to ensure that the permissions on the file
prevent it from being modified by malicious users.
The natural idiom when using
is to set the close-on-exec flag on
so that the file descriptor does not leak through to the program
This approach is natural for two reasons.
First, it prevents file descriptors being consumed unnecessarily.
(The executed program normally has no need of a file descriptor
that refers to the program itself.)
employing the close-on-exec flag prevents the file descriptor exhaustion
that would result from the fact that each step in the recursion would
cause one more file descriptor to be passed to the new program.
refers to a script (i.e., it is an executable text file that names
a script interpreter with a first line that begins with the characters
and the close-on-exec flag has been set for
This error occurs because,
by the time the script interpreter is executed,
has already been closed because of the close-on-exec flag.
Thus, the close-on-exec flag can't be set on
if it refers to a script, leading to the problems described in NOTES.
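The verify-then-execute idiom and the close-on-exec idiom from NOTES, as an added example that is not part of the original manual page or of glibc. The names checksum_fd() and verified_exec() are hypothetical, FNV-1a stands in for a cryptographic digest to keep the block short, and the write-permission test is an illustrative policy rather than a complete one.

```c
#define _GNU_SOURCE             /* exposes fexecve() and pread() under strict -std */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <sys/stat.h>
#include <unistd.h>

/* FNV-1a 64 over the file behind fd. Stand-in digest (assumption, chosen
   for brevity): a real verifier would use a cryptographic hash. */
int checksum_fd(int fd, uint64_t *sum)
{
    unsigned char buf[4096];
    uint64_t h = 0xcbf29ce484222325ULL;
    off_t off = 0;
    ssize_t n;
    while ((n = pread(fd, buf, sizeof buf, off)) != 0) {
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -1;
        for (ssize_t i = 0; i < n; i++)
            h = (h ^ buf[i]) * 0x100000001b3ULL;
        off += n;
    }
    *sum = h;
    return 0;
}

/* Open once, verify through the descriptor, then execute that same
   descriptor, so swapping the pathname or a symlink in between has no
   effect. Returns -1 with errno set; does not return on success. */
int verified_exec(const char *path, uint64_t expected,
                  char *const argv[], char *const envp[])
{
    struct stat st;
    uint64_t got = 0;
    /* O_CLOEXEC keeps fd out of the new program; per BUGS this makes
       fexecve() fail for "#!" scripts. */
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd == -1)
        return -1;
    /* Illustrative policy: regular file that group/other cannot modify. */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             !(st.st_mode & (S_IWGRP | S_IWOTH)) &&
             checksum_fd(fd, &got) == 0 && got == expected;
    if (ok)
        fexecve(fd, argv, envp);        /* returns only on error */
    int saved = ok ? errno : EACCES;
    close(fd);
    errno = saved;
    return -1;
}
```

The file's contents can still be rewritten through another descriptor after the checksum is taken, which is why the mode check above only complements, and does not replace, restrictive ownership and permissions on the file and its directory.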