man3/fexecve.3

   1 .\" Copyright (c) 2006, 2014, Michael Kerrisk
   2 .\"
   3 .\" %%%LICENSE_START(VERBATIM)
   4 .\" Permission is granted to make and distribute verbatim copies of this
   5 .\" manual provided the copyright notice and this permission notice are
   6 .\" preserved on all copies.
   7 .\"
   8 .\" Permission is granted to copy and distribute modified versions of this
   9 .\" manual under the conditions for verbatim copying, provided that the
  10 .\" entire resulting derived work is distributed under the terms of a
  11 .\" permission notice identical to this one.
  12 .\"
  13 .\" Since the Linux kernel and libraries are constantly changing, this
  14 .\" manual page may be incorrect or out-of-date.  The author(s) assume no
  15 .\" responsibility for errors or omissions, or for damages resulting from
  16 .\" the use of the information contained herein.  The author(s) may not
  17 .\" have taken the same level of care in the production of this manual,
  18 .\" which is licensed free of charge, as they might when working
  19 .\" professionally.
  20 .\"
  21 .\" Formatted or processed versions of this manual, if unaccompanied by
  22 .\" the source, must acknowledge the copyright and authors of this work.
  23 .\" %%%LICENSE_END
  24 .\"
  25 .TH FEXECVE 3 2014-04-20 "Linux" "Linux Programmer's Manual"
  26 .SH NAME
  27 fexecve \- execute program specified via file descriptor
  28 .SH SYNOPSIS
  29 .nf
  30 .B #include <unistd.h>
  31 .sp
  32 .BI "int fexecve(int " fd ", char *const " argv "[], char *const " envp []);
  33 .fi
  34 .sp
  35 .in -4n
  36 Feature Test Macro Requirements for glibc (see
  37 .BR feature_test_macros (7)):
  38 .in
  39 .sp
  40 .BR fexecve ():
  41 .PD 0
  42 .ad l
  43 .RS 4
  44 .TP 4
  45 Since glibc 2.10:
  46 _XOPEN_SOURCE\ >=\ 700 || _POSIX_C_SOURCE\ >=\ 200809L
  47 .TP
  48 Before glibc 2.10:
  49 _GNU_SOURCE
  50 .RE
  51 .ad
  52 .PD
  53 .SH DESCRIPTION
  54 .BR fexecve ()
  55 performs the same task as
  56 .BR execve (2),
  57 with the difference that the file to be executed
  58 is specified via a file descriptor,
  59 .IR fd ,
  60 rather than via a pathname.
  61 The file descriptor
  62 .I fd
  63 must be opened read-only,
  64 and the caller must have permission to execute the file that it refers to.
  65 .\" POSIX.1-2008 specifies the O_EXEC flag for open as an alternative,
  66 .\" but Linux doesn't support this flag yet.
  67 .SH RETURN VALUE
  68 A successful call to
  69 .BR fexecve ()
  70 never returns.
  71 On error, the function does return, with a result value of \-1, and
  72 .I errno
  73 is set appropriately.
  74 .SH ERRORS
  75 Errors are as for
  76 .BR execve (2),
  77 with the following additions:
  78 .TP
  79 .B EINVAL
  80 .I fd
  81 is not a valid file descriptor, or
  82 .I argv
  83 is NULL, or
  84 .I envp
  85 is NULL.
  86 .TP
  87 .B ENOSYS
  88 The
  89 .I /proc
  90 filesystem could not be accessed.
  91 .SH VERSIONS
  92 .BR fexecve ()
  93 is implemented since glibc 2.3.2.
  94 .SH CONFORMING TO
  95 POSIX.1-2008.
  96 This function is not specified in POSIX.1-2001,
  97 and is not widely available on other systems.
  98 It is specified in POSIX.1-2008.
  99 .SH NOTES
 100 On Linux,
 101 .BR fexecve ()
 102 is implemented using the
 103 .BR proc (5)
 104 filesystem, so
 105 .I /proc
 106 needs to be mounted and available at the time of the call.
 107 .\" FIXME .
 108 .\" With the addition of the execveat(2), fexecve() can be implemented
 109 .\" even where /proc is unavailable. Review future glibc releases to
 110 .\" see if the implementation is changed to use execveat(2).
 111
 112 If
 113 .I fd
 114 is a file descriptor that refers to an interpreter script
 115 and has been marked as close-on-exec (see the discussion of the
 116 .BR FD_CLOEXEC
 117 in
 118 .BR fcntl (2)),
 119 .BR fexecve ()
 120 will fail to execute the script, since,
 121 by the time the script interpreter tries to access the script file,
 122 .I fd
 123 has already been closed.
 124
 125 The idea behind
 126 .BR fexecve ()
 127 is to allow the caller to verify (checksum) the contents of
 128 an executable before executing it.
 129 Simply opening the file, checksumming the contents, and then doing an
 130 .BR execve (2)
 131 would not suffice, since, between the two steps, the filename,
 132 or a directory prefix of the pathname, could have been exchanged
 133 (by, for example, modifying the target of a symbolic link).
 134 .BR fexecve ()
 135 does not mitigate the problem that the
 136 .I contents
 137 of a file could be changed between the checksumming and the call to
 138 .BR fexecve ();
 139 for that, the solution is to ensure that the permissions on the file
 140 prevent it from being modified by malicious users.
 141
 142 The natural idiom when using
 143 .BR fexecve ()
 144 is to set the close-on-exec flag on
 145 .IR fd ,
 146 so that the file descriptor does not leak through to the program
 147 that is executed.
 148 This approach is natural for two reasons.
 149 First, it prevents file descriptors being consumed unnecessarily.
 150 (The executed program normally has no need of a file descriptor
 151 that refers to the program itself.)
 152 Second, if
 153 .BR fexecve ()
 154 is used recursively,
 155 employing the close-on-exec flag prevents the file descriptor exhaustion
 156 that would result from the fact that each step in the recursion would
 157 cause one more file descriptor to be passed to the new program.
 158 .SH SEE ALSO
 159 .BR execve (2),
 160 .BR execveat (2)