path points to a path name that identifies the new process file.

file, which is only used with execlp and execvp, points to the new
process file. If file does not contain a slash character, the path
prefix for this file is obtained by a search of the directories passed in
the PATH environment variable [see environ(5)]. The environment is
supplied typically by the shell [see sh(1)].

If the new process file is not an executable object file, execlp and
execvp use the contents of that file as standard input to sh(1).
However, if the new process file is setuid or setgid, the input is passed
via /dev/fd/N (see below for details).

The arguments arg0, ..., argn point to null-terminated character strings.
These strings constitute the argument list available to the new process
image. Minimally, arg0 must be present. It will become the name of the
process, as displayed by the ps command. Conventionally, arg0 points to
a string that is the same as path (or the last component of path). The
list of argument strings is terminated by a (char *)0 argument.

argv is an array of character pointers to null-terminated strings. These
strings constitute the argument list available to the new process image.
By convention, argv must have at least one member, and it should point to
a string that is the same as path (or its last component). argv is
terminated by a null pointer.

envp is an array of character pointers to null-terminated strings. These
strings constitute the environment for the new process image. envp is
terminated by a null pointer. For execl, execv, execvp, and execlp, the
C run-time start-off routine places a pointer to the environment of the
calling process in the global object extern char **_environ, and it is
used to pass the environment of the calling process to the new process.
Unless compilation is done in a pure ANSI environment (see cc(1)), the
global variable _environ is aliased to the well-known (but non-ANSI-
compliant) name environ.

File descriptors open in the calling process remain open in the new
process, except for those whose close-on-exec flag is set [see
fcntl(2)]. For those file descriptors that remain open, the file pointer
is unchanged.

Signals that are being caught by the calling process are set to the
default disposition in the new process image [see signal(2)]. Otherwise,
the new process image inherits the signal dispositions of the calling
process.

For signals set by sigset(2), sigaction(2), or sigvec(3B), exec will
ensure that the new process has the same system signal action for each
signal type whose action is SIG_DFL, SIG_IGN, or SIG_HOLD as the calling
process. However, if the action is to catch the signal, then the action
will be reset to SIG_DFL. All signal masks associated with handlers are

If the file resides on a file system which has been mounted with the
nosuid option [see fstab(4)] then the effective user ID, the effective
group ID and the current capability set [see capabilities(4)] will remain
unchanged. Otherwise, if the set-user-ID (SUID) mode bit of the new
process file is set [see chmod(2)], exec sets the effective user ID of
the new process to the owner ID of the new process file. Similarly, if
the set-group-ID (SGID) mode bit of the new process file is set, the
effective group ID of the new process is set to the group ID of the new
process file. And finally, if attributes for the file are accessible
[see attr_get(2)] and the SGI_CAP_FILE attribute is attached to the file
(SCAP), then this is used to change the process' capabilities (see

The real user ID, real group ID, and supplementary group IDs of the new
process remain the same as those of the calling process.

The saved user and group IDs of the new process are set to the effective
user and group IDs of the calling process.

If the effective user-ID is 0, the set-user-ID (SUID) and set-group-ID
(SGID) file mode bits and any capabilities attached to the file (SCAP)
will be honored when the process is being controlled by ptrace.

When an image with set-user-ID (SUID), set-group-ID (SGID) or attached
capabilities (SCAP) is executed it is dangerous from a security
standpoint to respect certain environment variables which may allow
arbitrary code to be linked into the new process image. Examples include
rld's _RLD*_LIST and LD_LIBRARY*_PATH environment variables and the Image
Format Library's IFL_DATABASE environment variable (see rld(1) and
ifl(1)), and catopen's NLSPATH environment variable, which allows user
control of message formatting (see catopen(3C)). As a result, these
environment variables are ignored when such an image is executed. The
semantics for determining when it is dangerous to respect such
environment variables are: the real and effective user IDs are different,
or the real and effective group IDs are different, or the process has any
effective or permitted capabilities.

Allowing such environment variables to be used in these circumstances is
dangerous because an unprivileged user may execute an image which has
privileges associated with it. Allowing the user to specify arbitrary
code to be linked into the new privileged process image would give the
user the ability to circumvent the security policies instituted by the
system administrator. For instance, if an arbitrary dynamic linked
object (DSO) were linked in which provided a resolution for the symbol
strcpy, the privileged process could call the strcpy() function thinking
that it was making a "safe" call to a standard library routine.
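
The filtering described above, written out as an added example (not code
from this manual page or from the system it documents): a privileged
launcher drops the variables named above and calls execve with an absolute
path, so no PATH search takes place. The function names are hypothetical,
the sample environment is constructed, and the capability clause of the
rule is not modelled.

```c
#include <fnmatch.h>
#include <string.h>
#include <unistd.h>

/* Variables the page names; '*' is a wildcard, as the page writes it. */
static const char *const unsafe[] = {
    "_RLD*_LIST", "LD_LIBRARY*_PATH", "IFL_DATABASE", "NLSPATH", NULL };

/* 1 if a "NAME=value" entry must be dropped; over-long names fail closed. */
int is_unsafe_entry(const char *entry) {
    char name[64];
    size_t len = strcspn(entry, "=");
    if (len >= sizeof name)
        return 1;
    memcpy(name, entry, len);
    name[len] = '\0';
    for (size_t i = 0; unsafe[i]; i++)
        if (fnmatch(unsafe[i], name, 0) == 0)
            return 1;
    return 0;
}

/* Copy envp to out (cap slots incl. terminator); return count kept or -1. */
int scrub_env(char *const envp[], char *out[], size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; envp[i]; i++) {
        if (is_unsafe_entry(envp[i])) continue;
        if (n + 1 >= cap) return -1;
        out[n++] = envp[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Absolute path only (no PATH search), scrubbed environment, then execve. */
int exec_clean(const char *path, char *const argv[], char *const envp[]) {
    char *clean[256];
    if (path[0] != '/' || scrub_env(envp, clean, 256) < 0) return -1;
    return execve(path, argv, clean);
}

/* Constructed sample environment: 2 of the 5 entries survive. */
int demo_kept(void) {
    char *sample[] = { "PATH=/usr/bin", "LD_LIBRARYN32_PATH=/tmp/x", "HOME=/",
                       "_RLD_LIST=/tmp/x.so", "NLSPATH=/tmp/%N", NULL };
    char *out[8];
    return scrub_env(sample, out, 8);
}
```

A launcher that has made its real and effective IDs equal no longer meets
the condition quoted above, so the variables would be respected in anything
it executes unless it removes them itself.
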
Because of the above security restrictions, a dynamic executable with
attached permissions (SUID, SGID, and/or SCAP) will not be able to use
the LD_LIBRARY*_PATH environment variables to find dynamic shared objects
(DSO's) in non-standard library locations. Instead, the executable must
either explicitly specify the locations of the DSO's it wants to load in

Upon successful completion, exec marks for update the st_atime field of
the file. Should the exec succeed, the process image file is considered
to have been open()-ed. The corresponding close() is considered to occur
at a time after this open, but before process termination or successful
completion of a subsequent call to exec.

exec will fail and return to the calling process if one or more of the
following are true:

EACCES        Search permission is denied for a directory listed in the
              new process file's path prefix.

EACCES        The new process file is not an ordinary file.

EACCES        Execute permission on the new process file is denied.

E2BIG         The number of bytes in the new process's argument list is
              greater than the system-imposed limit {ARG_MAX} [see
              sysconf(2), intro(2), and limits.h]. The argument list
              limit is the sum of the size of the argument list plus the
              size of the environment's exported shell variables.

E2BIG         The number of bytes in the first line of an interpreter
              file is greater than 256 bytes.

EAGAIN        Not enough memory.

EFAULT        An argument points to an illegal address.

ELIBACC       Required shared library does not have execute permission.

ELIBEXEC      Trying to exec(2) a shared library directly.

ELIBMAX       The required number of shared libraries exceeds the system
              imposed maximum {SHLIB_MAX} [see intro(2)].

ELOOP         Too many symbolic links were encountered in translating
              path or file.

ENAMETOOLONG  The length of the file or path argument exceeds {PATH_MAX},
              or the length of a file or path component exceeds
              {NAME_MAX} while _POSIX_NO_TRUNC is in effect.

ENOENT        One or more components of the new process path name of the
              file do not exist or is a null pathname.

ENOTDIR       A component of the new process path of the file prefix is
              not a directory.

ENOEXEC       The exec is not an execlp or execvp, and the new process
              file has the appropriate access permission but an invalid