|FEXECVE(3)||Linux Programmer's Manual||FEXECVE(3)|
int fexecve(int fd, char *const argv, char *const envp);
Feature Test Macro Requirements for glibc (see feature_test_macros(7)):
- Since glibc 2.10:
- _POSIX_C_SOURCE >= 200809L
- Before glibc 2.10:
- fd is not a valid file descriptor, or argv is NULL, or envp is NULL.
- The close-on-exec flag is set on fd, and fd refers to a script. See BUGS.
- The kernel does not provide the execveat(2) system call, and the /proc filesystem could not be accessed.
|fexecve ()||Thread safety||MT-Safe|
The idea behind fexecve() is to allow the caller to verify (checksum) the contents of an executable before executing it. Simply opening the file, checksumming the contents, and then doing an execve(2) would not suffice, since, between the two steps, the filename, or a directory prefix of the pathname, could have been exchanged (by, for example, modifying the target of a symbolic link). fexecve() does not mitigate the problem that the contents of a file could be changed between the checksumming and the call to fexecve(); for that, the solution is to ensure that the permissions on the file prevent it from being modified by malicious users.
The natural idiom when using fexecve() is to set the close-on-exec flag on fd, so that the file descriptor does not leak through to the program that is executed. This approach is natural for two reasons. First, it prevents file descriptors being consumed unnecessarily. (The executed program normally has no need of a file descriptor that refers to the program itself.) Second, if fexecve() is used recursively, employing the close-on-exec flag prevents the file descriptor exhaustion that would result from the fact that each step in the recursion would cause one more file descriptor to be passed to the new program. (But see BUGS.)