Re: [PATCH] open(2): document O_PATH

Re: [PATCH] open(2): document O_PATH

[Michael Kerrisk (man-pages)]

Hi Mike,

[Al, Aneesh, there is a question for you below]

On Sun, Apr 29, 2012 at 3:25 PM, Mike Frysinger <vapier@gentoo.org> wrote:
> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
> ---
>  man2/open.2 |   16 +++++++++++++++-
>  1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/man2/open.2 b/man2/open.2
> index a655fae..61689cf 100644
> --- a/man2/open.2
> +++ b/man2/open.2
> @@ -47,7 +47,6 @@
>  .\" FIXME . Apr 08: The next POSIX revision has O_EXEC, O_SEARCH, and
>  .\" O_TTYINIT.  Eventually these may need to be documented.  --mtk
>  .\" FIXME Linux 2.6.33 has O_DSYNC, and a hidden __O_SYNC.
> -.\" FIXME: Linux 2.6.39 added O_PATH
>  .\"
>  .TH OPEN 2 2012-02-27 "Linux" "Linux Programmer's Manual"
>  .SH NAME
> @@ -428,6 +427,21 @@ For a discussion of the effect of
>  in conjunction with mandatory file locks and with file leases, see
>  .BR fcntl (2).
>  .TP
> +.B O_PATH
> +The path is opened for accessing its file attributes only.  Since the file
> +itself is not opened, most operations (such as
> +.BR read (2)
> +or
> +.BR write (2))
> +will return
> +.BR EBADF .
> +You may however use functions that operate on the file descriptor itself
> +such as
> +.BR close (2),
> +functions that duplicate file descriptors, and as the dirfd argument with
> +all the *at style of functions (e.g.
> +.BR openat (2)).
> +.TP
>  .B O_SYNC
>  The file is opened for synchronous I/O.
>  Any

Thanks for the prod. Adding this has been on my list for a while.
There's actually quite a lot more to say, and I've written the patch
below. Could you check it over.

Al, Aneesh, there is one question for you in a FIXME below. Could you
take a look please?

Thanks,

Michael


--- a/man2/open.2
+++ b/man2/open.2
@@ -428,6 +427,66 @@ For a discussion of the effect of
 in conjunction with mandatory file locks and with file leases, see
 .BR fcntl (2).
 .TP
+.BR O_PATH " (since Linux 2.6.39)"
+.\" commit 1abf0c718f15a56a0a435588d1b104c7a37dc9bd
+Obtain a file descriptor that is used only for fetching file attributes.
+The file itself is not opened, and most file operations (e.g.,
+.BR read (2),
+.BR write (2))
+fail with the error
+.BR EBADF .
+The following operations
+.I can
+be performed on the resulting file descriptor:
+.RS
+.IP * 3
+Closing the file descriptor
+.RB ( close (2)).
+.\" FIXME Commit 1abf0c718f15a56a0a435588d1b104c7a37dc9bdcw
+.\" message says that closing the file descriptor does not affect
+.\" POSIX locks or dnotify.
+.\" However, my testing shows that it DOES affect dnotify (and inotify).
+.\" Does close() affect POSIX locks?
+.IP *
+Duplicating the file descriptor
+.RB ( dup (2),
+.BR fcntl (2)
+.BR F_DUPFD ,
+etc.).
+.IP *
+Getting and setting file descriptor flags
+.RB ( fcntl (2)
+.BR F_GETFD
+and
+.BR F_SETFD ).
+.IP *
+Passing the file descriptor as the
+.IR dirfd
+argument of
+.BR openat (2)
+and the other "*at()" system calls.
+.IP *
+Passing the file descriptor to another process via a UNIX domain socket
+(see
+.BR SCM_RIGHTS
+in
+.BR unix (7)).
+.RE
+.IP
+When
+.B O_PATH
+is specified in
+.IR flags ,
+flag bits other than
+.BR O_DIRECTORY
+and
+.BR O_NOFOLLOW
+are ignored.
+If the
+.BR O_NOFOLLOW
+flag is specified,
+then the call returns a file descriptor referring to the symbolic link.
+.TP
 .B O_SYNC
 The file is opened for synchronous I/O.
 Any
@@ -612,8 +671,9 @@ SVr4, 4.3BSD, POSIX.1-2001.
 The
 .BR O_DIRECTORY ,
 .BR O_NOATIME ,
+.BR O_NOFOLLOW ,
 and
-.B O_NOFOLLOW
+.BR O_PATH
 flags are Linux-specific, and one may need to define
 .B _GNU_SOURCE
 (before including




-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/

Re: [PATCH] open(2): document O_PATH

[Aneesh Kumar K.V]

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Hi Mike,
>
> [Al, Aneesh, there is a question for you below]
>
> On Sun, Apr 29, 2012 at 3:25 PM, Mike Frysinger <vapier@gentoo.org> wrote:
>> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
>> ---
>>  man2/open.2 |   16 +++++++++++++++-
>>  1 file changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/man2/open.2 b/man2/open.2
>> index a655fae..61689cf 100644
>> --- a/man2/open.2
>> +++ b/man2/open.2
>> @@ -47,7 +47,6 @@
>>  .\" FIXME . Apr 08: The next POSIX revision has O_EXEC, O_SEARCH, and
>>  .\" O_TTYINIT.  Eventually these may need to be documented.  --mtk
>>  .\" FIXME Linux 2.6.33 has O_DSYNC, and a hidden __O_SYNC.
>> -.\" FIXME: Linux 2.6.39 added O_PATH
>>  .\"
>>  .TH OPEN 2 2012-02-27 "Linux" "Linux Programmer's Manual"
>>  .SH NAME
>> @@ -428,6 +427,21 @@ For a discussion of the effect of
>>  in conjunction with mandatory file locks and with file leases, see
>>  .BR fcntl (2).
>>  .TP
>> +.B O_PATH
>> +The path is opened for accessing its file attributes only.  Since the file
>> +itself is not opened, most operations (such as
>> +.BR read (2)
>> +or
>> +.BR write (2))
>> +will return
>> +.BR EBADF .
>> +You may however use functions that operate on the file descriptor itself
>> +such as
>> +.BR close (2),
>> +functions that duplicate file descriptors, and as the dirfd argument with
>> +all the *at style of functions (e.g.
>> +.BR openat (2)).
>> +.TP
>>  .B O_SYNC
>>  The file is opened for synchronous I/O.
>>  Any
>
> Thanks for the prod. Adding this has been on my list for a while.
> There's actually quite a lot more to say, and I've written the patch
> below. Could you check it over.
>
> Al, Aneesh, there is one question for you in a FIXME below. Could you
> take a look please?
>
> Thanks,
>
> Michael
>
>
> --- a/man2/open.2
> +++ b/man2/open.2
> @@ -428,6 +427,66 @@ For a discussion of the effect of
>  in conjunction with mandatory file locks and with file leases, see
>  .BR fcntl (2).
>  .TP
> +.BR O_PATH " (since Linux 2.6.39)"
> +.\" commit 1abf0c718f15a56a0a435588d1b104c7a37dc9bd
> +Obtain a file descriptor that is used only for fetching file attributes.
> +The file itself is not opened, and most file operations (e.g.,
> +.BR read (2),
> +.BR write (2))
> +fail with the error
> +.BR EBADF .
> +The following operations
> +.I can
> +be performed on the resulting file descriptor:
> +.RS
> +.IP * 3
> +Closing the file descriptor
> +.RB ( close (2)).
> +.\" FIXME Commit 1abf0c718f15a56a0a435588d1b104c7a37dc9bdcw
> +.\" message says that closing the file descriptor does not affect
> +.\" POSIX locks or dnotify.
> +.\" However, my testing shows that it DOES affect dnotify (and inotify).
> +.\" Does close() affect POSIX locks?
> +.IP *


IIUC what an O_PATH descritor doesn't do is to flush dnotify markers

	if (likely(!(filp->f_mode & FMODE_PATH))) {
		dnotify_flush(filp, id);
		locks_remove_posix(filp, id);
	}

I don't know much about markers, but as per fsnotify_backend.h

/*
 * a mark is simply an object attached to an in core inode which allows an
 * fsnotify listener to indicate they are either no longer interested in events
 * of a type matching mask or only interested in those events.
 *
 * these are flushed when an inode is evicted from core and may be flushed
 * when the inode is modified (as seen by fsnotify_access).  Some fsnotify users
 * (such as dnotify) will flush these when the open fd is closed and not at
 * inode eviction or modification.
 */
struct fsnotify_mark {

It also doesn't remove posix locks. I tested this with a test prg

    struct flock flock;
    flock.l_type = F_WRLCK;
    flock.l_whence = SEEK_SET;
    flock.l_start = 0;
    flock.l_len = 0;
    fd = open(argv[1], O_RDWR);
    fcntl(fd, F_SETLKW, &flock);
    fd = open(argv[1], O_PATH);
    close(fd);

The close doesn't result in lock release.

> +Duplicating the file descriptor
> +.RB ( dup (2),
> +.BR fcntl (2)
> +.BR F_DUPFD ,
> +etc.).
> +.IP *

-aneesh

Re: [PATCH] open(2): document O_PATH

[Ted Ts'o]

It might also be a good idea to document explicitly whether or not
things like fstat() and the syscalls to manipulate extended attributes
are expected to work.

Thanks,

					- Ted

Re: [PATCH] open(2): document O_PATH

[Michael Kerrisk (man-pages)]

Aneesh,

[...]

>> --- a/man2/open.2
>> +++ b/man2/open.2
>> @@ -428,6 +427,66 @@ For a discussion of the effect of
>>  in conjunction with mandatory file locks and with file leases, see
>>  .BR fcntl (2).
>>  .TP
>> +.BR O_PATH " (since Linux 2.6.39)"
>> +.\" commit 1abf0c718f15a56a0a435588d1b104c7a37dc9bd
>> +Obtain a file descriptor that is used only for fetching file attributes.
>> +The file itself is not opened, and most file operations (e.g.,
>> +.BR read (2),
>> +.BR write (2))
>> +fail with the error
>> +.BR EBADF .
>> +The following operations
>> +.I can
>> +be performed on the resulting file descriptor:
>> +.RS
>> +.IP * 3
>> +Closing the file descriptor
>> +.RB ( close (2)).
>> +.\" FIXME Commit 1abf0c718f15a56a0a435588d1b104c7a37dc9bdcw
>> +.\" message says that closing the file descriptor does not affect
>> +.\" POSIX locks or dnotify.
>> +.\" However, my testing shows that it DOES affect dnotify (and inotify).
>> +.\" Does close() affect POSIX locks?
>> +.IP *
>
>
> IIUC what an O_PATH descritor doesn't do is to flush dnotify markers
>
>        if (likely(!(filp->f_mode & FMODE_PATH))) {
>                dnotify_flush(filp, id);
>                locks_remove_posix(filp, id);
>        }
>
> I don't know much about markers, but as per fsnotify_backend.h
>
> /*
>  * a mark is simply an object attached to an in core inode which allows an
>  * fsnotify listener to indicate they are either no longer interested in events
>  * of a type matching mask or only interested in those events.
>  *
>  * these are flushed when an inode is evicted from core and may be flushed
>  * when the inode is modified (as seen by fsnotify_access).  Some fsnotify users
>  * (such as dnotify) will flush these when the open fd is closed and not at
>  * inode eviction or modification.
>  */
> struct fsnotify_mark {

Unfortunately, I'm still none the wiser about what this means for
O_PATH file descriptors...

> It also doesn't remove posix locks. I tested this with a test prg
>
>    struct flock flock;
>    flock.l_type = F_WRLCK;
>    flock.l_whence = SEEK_SET;
>    flock.l_start = 0;
>    flock.l_len = 0;
>    fd = open(argv[1], O_RDWR);
>    fcntl(fd, F_SETLKW, &flock);
>    fd = open(argv[1], O_PATH);
>    close(fd);
>
> The close doesn't result in lock release.

Okay -- I'll add mention of this to the O_PATH description.

Thanks,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/

Re: [PATCH] open(2): document O_PATH

[Michael Kerrisk (man-pages)]

Ted,

On Mon, Apr 30, 2012 at 11:44 PM, Ted Ts'o <tytso@mit.edu> wrote:
> It might also be a good idea to document explicitly whether or not
> things like fstat() and the syscalls to manipulate extended attributes
> are expected to work.

Good point. From some testing, it appears that syscalls such as
fstat() and fgetxattr() fail with EBADF on O_PATH fds. I'll add that
to the text.

Thanks,

Michael


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/

Re: [PATCH] open(2): document O_PATH

[Aneesh Kumar K.V]

Ted Ts'o <tytso@mit.edu> writes:

> It might also be a good idea to document explicitly whether or not
> things like fstat() and the syscalls to manipulate extended attributes
> are expected to work.
>

fstat won't work, but fstatat with an empty path name would work. O_PATH
descriptors are suppose to be used as "location only descriptors". 
We then extended the *at syscalls to work with EMPTY pathnames so that
O_PATH descriptors can be used with readlink, fchownat and fstatat().
This was done to enable us to do these operation on symlinks.
(65cfc6722361570bfe255698d9cd4dccaf47570d)

Examples for O_PATH and handle syscall can be found in qemu and
handle-test repo 

http://git.qemu.org/?p=qemu.git;a=blob;f=hw/9pfs/virtio-9p-handle.c;h=f96d17a9749a6f672741ff4dcb98da81d1dcc3ce;hb=HEAD
https://github.com/kvaneesh/handle-test/blob/master/handle.h

-aneesh

Re: [PATCH] open(2): document O_PATH

[Ted Ts'o]

On Thu, May 03, 2012 at 01:57:21PM +0530, Aneesh Kumar K.V wrote:
> 
> fstat won't work, but fstatat with an empty path name would work. O_PATH
> descriptors are suppose to be used as "location only descriptors". 
> We then extended the *at syscalls to work with EMPTY pathnames so that
> O_PATH descriptors can be used with readlink, fchownat and fstatat().
> This was done to enable us to do these operation on symlinks.
> (65cfc6722361570bfe255698d9cd4dccaf47570d)

Could you define explicitly what you mean by "EMPTY" pathnames?  Do
you mean a path name that doesn't exist?  (i.e., one of the
directories specified in the pathname does not currently exist in the
directory hierarchy visible to the process).

					- Ted

Re: [PATCH] open(2): document O_PATH

[Al Viro]

On Thu, May 03, 2012 at 09:07:07AM -0400, Ted Ts'o wrote:
> On Thu, May 03, 2012 at 01:57:21PM +0530, Aneesh Kumar K.V wrote:
> > 
> > fstat won't work, but fstatat with an empty path name would work. O_PATH
> > descriptors are suppose to be used as "location only descriptors". 
> > We then extended the *at syscalls to work with EMPTY pathnames so that
> > O_PATH descriptors can be used with readlink, fchownat and fstatat().
> > This was done to enable us to do these operation on symlinks.
> > (65cfc6722361570bfe255698d9cd4dccaf47570d)
> 
> Could you define explicitly what you mean by "EMPTY" pathnames?

"".  Normally yields -EINVAL when used as a relative pathname in ...at()
syscalls.

Re: [PATCH] open(2): document O_PATH

[Aneesh Kumar K.V]

"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> writes:

> Aneesh,
>
>>
>> I don't know much about markers, but as per fsnotify_backend.h
>>
>> /*
>>  * a mark is simply an object attached to an in core inode which allows an
>>  * fsnotify listener to indicate they are either no longer interested in events
>>  * of a type matching mask or only interested in those events.
>>  *
>>  * these are flushed when an inode is evicted from core and may be flushed
>>  * when the inode is modified (as seen by fsnotify_access).  Some fsnotify users
>>  * (such as dnotify) will flush these when the open fd is closed and not at
>>  * inode eviction or modification.
>>  */
>> struct fsnotify_mark {
>
> Unfortunately, I'm still none the wiser about what this means for
> O_PATH file descriptors...
>

I looked at dnotify_flush, they remove markers on an inode.
But then it also checks for filp to match. So I am not sure
whether skipping dnotify_flush for O_PATH descriptor have any impact. We
can't use O_PATH descriptor for dnotify fcntl any way. So in
dnotify_flush we will not match the filp.

Viro,

Any reason why we skip dnotify_flush  ?


-aneesh

Re: [PATCH] open(2): document O_PATH

[Al Viro]

On Thu, May 03, 2012 at 07:34:35PM +0530, Aneesh Kumar K.V wrote:

> I looked at dnotify_flush, they remove markers on an inode.
> But then it also checks for filp to match. So I am not sure
> whether skipping dnotify_flush for O_PATH descriptor have any impact. We
> can't use O_PATH descriptor for dnotify fcntl any way. So in
> dnotify_flush we will not match the filp.
> 
> Viro,
> 
> Any reason why we skip dnotify_flush  ?

See your last sentence above - why bother finding the mark, scanning the
list, etc. when we know that there won't be any matches?

Re: [PATCH] open(2): document O_PATH

[Michael Kerrisk (man-pages)]

On Fri, May 4, 2012 at 2:11 AM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, May 03, 2012 at 07:34:35PM +0530, Aneesh Kumar K.V wrote:
>
>> I looked at dnotify_flush, they remove markers on an inode.
>> But then it also checks for filp to match. So I am not sure
>> whether skipping dnotify_flush for O_PATH descriptor have any impact. We
>> can't use O_PATH descriptor for dnotify fcntl any way. So in
>> dnotify_flush we will not match the filp.
>>
>> Viro,
>>
>> Any reason why we skip dnotify_flush  ?
>
> See your last sentence above - why bother finding the mark, scanning the
> list, etc. when we know that there won't be any matches?

So, am I correct to understand that O_PATH has no interaction with dnotify?

Thanks,

Michael

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/

Re: [PATCH] open(2): document O_PATH

[H. Peter Anvin]

On 05/03/2012 01:27 AM, Aneesh Kumar K.V wrote:
> 
> fstat won't work, but fstatat with an empty path name would work.

Why the h... make *such* a distinction?

	-hpa

Re: [PATCH] open(2): document O_PATH

[Al Viro]

On Thu, May 03, 2012 at 03:11:56PM +0100, Al Viro wrote:
> On Thu, May 03, 2012 at 07:34:35PM +0530, Aneesh Kumar K.V wrote:
> 
> > I looked at dnotify_flush, they remove markers on an inode.
> > But then it also checks for filp to match. So I am not sure
> > whether skipping dnotify_flush for O_PATH descriptor have any impact. We
> > can't use O_PATH descriptor for dnotify fcntl any way. So in
> > dnotify_flush we will not match the filp.
> > 
> > Viro,
> > 
> > Any reason why we skip dnotify_flush  ?
> 
> See your last sentence above - why bother finding the mark, scanning the
> list, etc. when we know that there won't be any matches?

[Apologies for replying to the wrong posting, but this is the closest thing
thread-wise to what I wanted to reply to that I've got sitting in my mailbox]

The rules are:
	* syscalls acting purely on descriptor level are allowed - close(),
dup(), dup2(), dup3(), fcntl(F_DUPFD{,_CLOEXEC}), fcntl(F_[SG]ETFD),
fcntl(F_GETFL), passing descriptors in SCM_RIGHTS datagrams)
	* syscalls using the descriptor just to indicate a location in
the tree - *at() family, fchdir(), fstat()
The list might get expanded - for example, fstatfs() arguably belongs to the
second group.  The approach had been conservative - the second group gets
expanded on per-case basis.  E.g. anything requiring the file to have
been opened for write is *not* a candidate, so it really has to be reviewed
separately for each syscall of that sort.

As far as dnotify and POSIX locks go, close() (and replacing dup2(), etc.)
are irrelevant - the rules are exactly as usual.  All dnotify watches or
POSIX locks associated with that opened file get evicted; it's just that
there is no way to *set* them on O_PATH descriptors in the first place.
We might eventually allow fcntl(F_NOTIFY) on them, but I'm not sure there's
any good reason to do so; allowing to use them for setting POSIX locks is
almost certainly a bad idea wrt security.

The test in filp_close() is just an optimization - if/when we allow F_NOTIFY
on O_PATH descriptors, the same commit will need to make the call of
dnotify_flush() in filp_open() unconditional.  All there is to it...

Re: [PATCH] open(2): document O_PATH

[Michael Kerrisk (man-pages)]

On 07/22/13 10:46, Peter Schiffer wrote:
> On 07/20/2013 10:56 PM, Michael Kerrisk wrote:
>> On 07/20/13 13:40, Al Viro wrote:
>>> On Thu, Mar 14, 2013 at 10:35:59AM +0100, Michael Kerrisk (man-pages) wrote:
>>>> Hello Al et al,
>>>>
>>>> Documenting O_PATH fell by the wayside last year
>>>> (http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
>>>> with other tasks. A recent prod or two have reminded me restart this.
>>>> I have the following patch queued to document O_PATH.
>>>>
>>>> Could you please review. I've provided the O_PATH doc both as
>>>> formatted text, for ease of reviewing, and as a patch and entire file
>>>> (attached).
>>>
>>> Seems to be mostly correct; the only thing missing is that F_GETFL is also
>>> allowed (and return value will contain O_PATH for such descriptors).  Had
>>> been there since the very beginning...
>>
>> Thanks, Al. I have added that piece.
>>
> 
> Michael,
> 
> there is a typo within added piece:

Thanks, Peter. Applied.

Cheers,

Michael



> diff --git a/man2/open.2 b/man2/open.2
> index c61ea7f..ef0f664 100644
> --- a/man2/open.2
> +++ b/man2/open.2
> @@ -489,7 +489,7 @@ and
>   .IP *
>   Retrieving open file status flags using the
>   .BR fcntl (2)
> -.BR F_GETFD
> +.BR F_GETFL
>   operation: the returned flags will include the bit
>   .BR O_PATH .
> 
> 
> 

Re: [PATCH] open(2): document O_PATH

[Peter Schiffer]

On 07/20/2013 10:56 PM, Michael Kerrisk wrote:
> On 07/20/13 13:40, Al Viro wrote:
>> On Thu, Mar 14, 2013 at 10:35:59AM +0100, Michael Kerrisk (man-pages) wrote:
>>> Hello Al et al,
>>>
>>> Documenting O_PATH fell by the wayside last year
>>> (http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
>>> with other tasks. A recent prod or two have reminded me restart this.
>>> I have the following patch queued to document O_PATH.
>>>
>>> Could you please review. I've provided the O_PATH doc both as
>>> formatted text, for ease of reviewing, and as a patch and entire file
>>> (attached).
>>
>> Seems to be mostly correct; the only thing missing is that F_GETFL is also
>> allowed (and return value will contain O_PATH for such descriptors).  Had
>> been there since the very beginning...
>
> Thanks, Al. I have added that piece.
>

Michael,

there is a typo within added piece:

diff --git a/man2/open.2 b/man2/open.2
index c61ea7f..ef0f664 100644
--- a/man2/open.2
+++ b/man2/open.2
@@ -489,7 +489,7 @@ and
  .IP *
  Retrieving open file status flags using the
  .BR fcntl (2)
-.BR F_GETFD
+.BR F_GETFL
  operation: the returned flags will include the bit
  .BR O_PATH .

Re: [PATCH] open(2): document O_PATH

[Michael Kerrisk]

On 07/20/13 13:40, Al Viro wrote:
> On Thu, Mar 14, 2013 at 10:35:59AM +0100, Michael Kerrisk (man-pages) wrote:
>> Hello Al et al,
>>
>> Documenting O_PATH fell by the wayside last year
>> (http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
>> with other tasks. A recent prod or two have reminded me restart this.
>> I have the following patch queued to document O_PATH.
>>
>> Could you please review. I've provided the O_PATH doc both as
>> formatted text, for ease of reviewing, and as a patch and entire file
>> (attached).
> 
> Seems to be mostly correct; the only thing missing is that F_GETFL is also
> allowed (and return value will contain O_PATH for such descriptors).  Had
> been there since the very beginning...

Thanks, Al. I have added that piece.

Cheers,

Michael

Re: [PATCH] open(2): document O_PATH

[Al Viro]

On Thu, Mar 14, 2013 at 10:35:59AM +0100, Michael Kerrisk (man-pages) wrote:
> Hello Al et al,
> 
> Documenting O_PATH fell by the wayside last year
> (http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
> with other tasks. A recent prod or two have reminded me restart this.
> I have the following patch queued to document O_PATH.
> 
> Could you please review. I've provided the O_PATH doc both as
> formatted text, for ease of reviewing, and as a patch and entire file
> (attached).

Seems to be mostly correct; the only thing missing is that F_GETFL is also
allowed (and return value will contain O_PATH for such descriptors).  Had
been there since the very beginning...

[PATCH] open(2): document O_PATH

[Michael Kerrisk (man-pages)]

[-- Attachment #1: Type: text/plain, Size: 5216 bytes --]

Hello Al et al,

Documenting O_PATH fell by the wayside last year
(http://thread.gmane.org/gmane.linux.man/2790) as I got distracted
with other tasks. A recent prod or two have reminded me restart this.
I have the following patch queued to document O_PATH.

Could you please review. I've provided the O_PATH doc both as
formatted text, for ease of reviewing, and as a patch and entire file
(attached).

Thanks,

Michael


       O_PATH (since Linux 2.6.39)
              Obtain a file descriptor that can be used for  two  pur‐
              poses:  to  indicate  a location in the file-system tree
              and to perform operations that act purely  at  the  file
              descriptor  level.   The  file itself is not opened, and
              other file operations  (e.g.,  read(2),  write(2),  fch‐
              mod(2),  fchown(2),  fgetxattr(2))  fail  with the error
              EBADF.

              The following operations can be performed on the result‐
              ing file descriptor:

              *  close(2);   fchdir(2)  (since  Linux  3.5);  fstat(2)
                 (since Linux 3.6).

              *  Duplicating the  file  descriptor  (dup(2),  fcntl(2)
                 F_DUPFD, etc.).

              *  Getting  and  setting file descriptor flags (fcntl(2)
                 F_GETFD and F_SETFD).

              *  Passing the file descriptor as the dirfd argument  of
                 openat(2) and the other "*at()" system calls.

              *  Passing  the file descriptor to another process via a
                 UNIX domain socket (see SCM_RIGHTS in unix(7)).

              When O_PATH is specified in flags, flag bits other  than
              O_DIRECTORY and O_NOFOLLOW are ignored.

              If  the O_NOFOLLOW flag is also specified, then the call
              returns a file  descriptor  referring  to  the  symbolic
              link.   This  file  descriptor  can be used as the dirfd
              argument in calls to fchownat(2), fstatat(2), linkat(2),
              and  readlinkat(2)  with  an  empty pathname to have the
              calls operate on the symbolic link.


diff --git a/man2/open.2 b/man2/open.2
index e518c1f..c27be8f 100644
--- a/man2/open.2
+++ b/man2/open.2
@@ -424,6 +423,9 @@ If \fIpathname\fP is a symbolic link, then the open fails.
 This is a FreeBSD extension, which was added to Linux in version 2.1.126.
 Symbolic links in earlier components of the pathname will still be
 followed.
+See also
+.BR O_NOPATH
+below.
 .\" The headers from glibc 2.0.100 and later include a
 .\" definition of this flag; \fIkernels before 2.1.126 will ignore it if
 .\" used\fP.
@@ -441,6 +443,89 @@ For a discussion of the effect of
 in conjunction with mandatory file locks and with file leases, see
 .BR fcntl (2).
 .TP
+.BR O_PATH " (since Linux 2.6.39)"
+.\" commit 1abf0c718f15a56a0a435588d1b104c7a37dc9bd
+.\" commit 326be7b484843988afe57566b627fb7a70beac56
+.\" commit 65cfc6722361570bfe255698d9cd4dccaf47570d
+.\"
+.\" http://thread.gmane.org/gmane.linux.man/2790/focus=3496
+.\"	Subject: Re: [PATCH] open(2): document O_PATH
+.\"	Newsgroups: gmane.linux.man, gmane.linux.kernel
+.\"
+Obtain a file descriptor that can be used for two purposes:
+to indicate a location in the file-system tree and
+to perform operations that act purely at the file descriptor level.
+The file itself is not opened, and other file operations (e.g.,
+.BR read (2),
+.BR write (2),
+.BR fchmod (2),
+.BR fchown (2),
+.BR fgetxattr (2))
+fail with the error
+.BR EBADF .
+
+The following operations
+.I can
+be performed on the resulting file descriptor:
+.RS
+.IP * 3
+.BR close (2);
+.BR fchdir (2)
+(since Linux 3.5);
+.\" commit 332a2e1244bd08b9e3ecd378028513396a004a24
+.BR fstat (2)
+(since Linux 3.6).
+.\" fstat(): commit 55815f70147dcfa3ead5738fd56d3574e2e3c1c2
+.IP *
+Duplicating the file descriptor
+.RB ( dup (2),
+.BR fcntl (2)
+.BR F_DUPFD ,
+etc.).
+.IP *
+Getting and setting file descriptor flags
+.RB ( fcntl (2)
+.BR F_GETFD
+and
+.BR F_SETFD ).
+.IP *
+Passing the file descriptor as the
+.IR dirfd
+argument of
+.BR openat (2)
+and the other "*at()" system calls.
+.IP *
+Passing the file descriptor to another process via a UNIX domain socket
+(see
+.BR SCM_RIGHTS
+in
+.BR unix (7)).
+.RE
+.IP
+When
+.B O_PATH
+is specified in
+.IR flags ,
+flag bits other than
+.BR O_DIRECTORY
+and
+.BR O_NOFOLLOW
+are ignored.
+
+If the
+.BR O_NOFOLLOW
+flag is also specified,
+then the call returns a file descriptor referring to the symbolic link.
+This file descriptor can be used as the
+.I dirfd
+argument in calls to
+.BR fchownat (2),
+.BR fstatat (2),
+.BR linkat (2),
+and
+.BR readlinkat (2)
+with an empty pathname to have the calls operate on the symbolic link.
+.TP
 .B O_SYNC
 The file is opened for synchronous I/O.
 Any
@@ -631,8 +716,9 @@ SVr4, 4.3BSD, POSIX.1-2001.
 The
 .BR O_DIRECTORY ,
 .BR O_NOATIME ,
+.BR O_NOFOLLOW ,
 and
-.B O_NOFOLLOW
+.BR O_PATH
 flags are Linux-specific, and one may need to define
 .B _GNU_SOURCE
 (before including

[-- Attachment #2: open.2 --]
[-- Type: application/octet-stream, Size: 27453 bytes --]

.\" This manpage is Copyright (C) 1992 Drew Eckhardt;
.\"                               1993 Michael Haardt, Ian Jackson.
.\"                               2008 Greg Banks
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of this
.\" manual under the conditions for verbatim copying, provided that the
.\" entire resulting derived work is distributed under the terms of a
.\" permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume no
.\" responsibility for errors or omissions, or for damages resulting from
.\" the use of the information contained herein.  The author(s) may not
.\" have taken the same level of care in the production of this manual,
.\" which is licensed free of charge, as they might when working
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.\" Modified 1993-07-21 by Rik Faith <faith@cs.unc.edu>
.\" Modified 1994-08-21 by Michael Haardt
.\" Modified 1996-04-13 by Andries Brouwer <aeb@cwi.nl>
.\" Modified 1996-05-13 by Thomas Koenig
.\" Modified 1996-12-20 by Michael Haardt
.\" Modified 1999-02-19 by Andries Brouwer <aeb@cwi.nl>
.\" Modified 1998-11-28 by Joseph S. Myers <jsm28@hermes.cam.ac.uk>
.\" Modified 1999-06-03 by Michael Haardt
.\" Modified 2002-05-07 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" Modified 2004-06-23 by Michael Kerrisk <mtk.manpages@gmail.com>
.\" 2004-12-08, mtk, reordered flags list alphabetically
.\" 2004-12-08, Martin Pool <mbp@sourcefrog.net> (& mtk), added O_NOATIME
.\" 2007-09-18, mtk, Added description of O_CLOEXEC + other minor edits
.\" 2008-01-03, mtk, with input from Trond Myklebust
.\"     <trond.myklebust@fys.uio.no> and Timo Sirainen <tss@iki.fi>
.\"     Rewrite description of O_EXCL.
.\" 2008-01-11, Greg Banks <gnb@melbourne.sgi.com>: add more detail
.\"     on O_DIRECT.
.\" 2008-02-26, Michael Haardt: Reorganized text for O_CREAT and mode
.\"
.\" FIXME . Apr 08: The next POSIX revision has O_EXEC, O_SEARCH, and
.\" O_TTYINIT.  Eventually these may need to be documented.  --mtk
.\" FIXME Linux 2.6.33 has O_DSYNC, and a hidden __O_SYNC.
.\"
.TH OPEN 2 2013-02-18 "Linux" "Linux Programmer's Manual"
.SH NAME
open, creat \- open and possibly create a file or device
.SH SYNOPSIS
.nf
.B #include <sys/types.h>
.B #include <sys/stat.h>
.B #include <fcntl.h>
.sp
.BI "int open(const char *" pathname ", int " flags );
.BI "int open(const char *" pathname ", int " flags ", mode_t " mode );

.BI "int creat(const char *" pathname ", mode_t " mode );
.fi
.SH DESCRIPTION
Given a
.I pathname
for a file,
.BR open ()
returns a file descriptor, a small, nonnegative integer
for use in subsequent system calls
.RB ( read "(2), " write "(2), " lseek "(2), " fcntl "(2), etc.)."
The file descriptor returned by a successful call will be
the lowest-numbered file descriptor not currently open for the process.
.PP
By default, the new file descriptor is set to remain open across an
.BR execve (2)
(i.e., the
.B FD_CLOEXEC
file descriptor flag described in
.BR fcntl (2)
is initially disabled; the
.B O_CLOEXEC
flag, described below, can be used to change this default).
The file offset is set to the beginning of the file (see
.BR lseek (2)).
.PP
A call to
.BR open ()
creates a new
.IR "open file description" ,
an entry in the system-wide table of open files.
This entry records the file offset and the file status flags
(modifiable via the
.BR fcntl (2)
.B F_SETFL
operation).
A file descriptor is a reference to one of these entries;
this reference is unaffected if
.I pathname
is subsequently removed or modified to refer to a different file.
The new open file description is initially not shared
with any other process,
but sharing may arise via
.BR fork (2).
.PP
The argument
.I flags
must include one of the following
.IR "access modes" :
.BR O_RDONLY ", " O_WRONLY ", or " O_RDWR .
These request opening the file read-only, write-only, or read/write,
respectively.

In addition, zero or more file creation flags and file status flags
can be
.RI bitwise- or 'd
in
.IR flags .
The
.I file creation flags
are
.BR O_CLOEXEC ,
.BR O_CREAT ,
.BR O_DIRECTORY ,
.BR O_EXCL ,
.BR O_NOCTTY ,
.BR O_NOFOLLOW ,
.BR O_TRUNC ,
and
.BR O_TTY_INIT .
The
.I file status flags
are all of the remaining flags listed below.
.\" SUSv4 divides the flags into:
.\" * Access mode
.\" * File creation
.\" * File status
.\" * Other (O_CLOEXEC, O_DIRECTORY, O_NOFOLLOW)
.\" though it's not clear what the difference between "other" and
.\" "File creation" flags is.  I raised an Aardvark to see if this
.\" can be clarified in SUSv4; 10 Oct 2008.
.\" http://thread.gmane.org/gmane.comp.standards.posix.austin.general/64/focus=67
.\" TC1 (balloted in 2013), resolved this, so that those three constants
.\" are also categorized" as file status flags.
.\"
The distinction between these two groups of flags is that
the file status flags can be retrieved and (in some cases)
modified using
.BR fcntl (2).
The full list of file creation flags and file status flags is as follows:
.TP
.B O_APPEND
The file is opened in append mode.
Before each
.BR write (2),
the file offset is positioned at the end of the file,
as if with
.BR lseek (2).
.B O_APPEND
may lead to corrupted files on NFS file systems if more than one process
appends data to a file at once.
.\" For more background, see
.\" http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=453946
.\" http://nfs.sourceforge.net/
This is because NFS does not support
appending to a file, so the client kernel has to simulate it, which
can't be done without a race condition.
.TP
.B O_ASYNC
Enable signal-driven I/O:
generate a signal
.RB ( SIGIO
by default, but this can be changed via
.BR fcntl (2))
when input or output becomes possible on this file descriptor.
This feature is only available for terminals, pseudoterminals,
sockets, and (since Linux 2.6) pipes and FIFOs.
See
.BR fcntl (2)
for further details.
.TP
.BR O_CLOEXEC " (Since Linux 2.6.23)"
Enable the close-on-exec flag for the new file descriptor.
Specifying this flag permits a program to avoid additional
.BR fcntl (2)
.B F_SETFD
operations to set the
.B FD_CLOEXEC
flag.
Additionally,
use of this flag is essential in some multithreaded programs
since using a separate
.BR fcntl (2)
.B F_SETFD
operation to set the
.B FD_CLOEXEC
flag does not suffice to avoid race conditions
where one thread opens a file descriptor at the same
time as another thread does a
.BR fork (2)
plus
.BR execve (2).
.\" This flag fixes only one form of the race condition;
.\" The race can also occur with, for example, descriptors
.\" returned by accept(), pipe(), etc.
.TP
.B O_CREAT
If the file does not exist it will be created.
The owner (user ID) of the file is set to the effective user ID
of the process.
The group ownership (group ID) is set either to
the effective group ID of the process or to the group ID of the
parent directory (depending on file system type and mount options,
and the mode of the parent directory, see the mount options
.I bsdgroups
and
.I sysvgroups
described in
.BR mount (8)).
.\" As at 2.6.25, bsdgroups is supported by ext2, ext3, ext4, and
.\" XFS (since 2.6.14).
.RS
.PP
.I mode
specifies the permissions to use in case a new file is created.
This argument must be supplied when
.B O_CREAT
is specified in
.IR flags ;
if
.B O_CREAT
is not specified, then
.I mode
is ignored.
The effective permissions are modified by
the process's
.I umask
in the usual way: The permissions of the created file are
.IR "(mode\ &\ ~umask)" .
Note that this mode only applies to future accesses of the
newly created file; the
.BR open ()
call that creates a read-only file may well return a read/write
file descriptor.
.PP
The following symbolic constants are provided for
.IR mode :
.TP 9
.B S_IRWXU
00700 user (file owner) has read, write and execute permission
.TP
.B S_IRUSR
00400 user has read permission
.TP
.B S_IWUSR
00200 user has write permission
.TP
.B S_IXUSR
00100 user has execute permission
.TP
.B S_IRWXG
00070 group has read, write and execute permission
.TP
.B S_IRGRP
00040 group has read permission
.TP
.B S_IWGRP
00020 group has write permission
.TP
.B S_IXGRP
00010 group has execute permission
.TP
.B S_IRWXO
00007 others have read, write and execute permission
.TP
.B S_IROTH
00004 others have read permission
.TP
.B S_IWOTH
00002 others have write permission
.TP
.B S_IXOTH
00001 others have execute permission
.RE
.TP
.BR O_DIRECT " (Since Linux 2.4.10)"
Try to minimize cache effects of the I/O to and from this file.
In general this will degrade performance, but it is useful in
special situations, such as when applications do their own caching.
File I/O is done directly to/from user-space buffers.
The
.B O_DIRECT
flag on its own makes an effort to transfer data synchronously,
but does not give the guarantees of the
.B O_SYNC
flag that data and necessary metadata are transferred.
To guarantee synchronous I/O,
.B O_SYNC
must be used in addition to
.BR O_DIRECT .
See NOTES below for further discussion.
.sp
A semantically similar (but deprecated) interface for block devices
is described in
.BR raw (8).
.TP
.B O_DIRECTORY
If \fIpathname\fP is not a directory, cause the open to fail.
.\" But see the following and its replies:
.\" http://marc.theaimsgroup.com/?t=112748702800001&r=1&w=2
.\" [PATCH] open: O_DIRECTORY and O_CREAT together should fail
.\" O_DIRECTORY | O_CREAT causes O_DIRECTORY to be ignored.
This flag is Linux-specific, and was added in kernel version 2.1.126, to
avoid denial-of-service problems if
.BR opendir (3)
is called on a
FIFO or tape device, but should not be used outside of the
implementation of
.BR opendir (3).
.TP
.B O_EXCL
Ensure that this call creates the file:
if this flag is specified in conjunction with
.BR O_CREAT ,
and
.I pathname
already exists, then
.BR open ()
will fail.

When these two flags are specified, symbolic links are not followed:
.\" POSIX.1-2001 explicitly requires this behavior.
if
.I pathname
is a symbolic link, then
.BR open ()
fails regardless of where the symbolic link points to.

In general, the behavior of
.B O_EXCL
is undefined if it is used without
.BR O_CREAT .
There is one exception: on Linux 2.6 and later,
.B O_EXCL
can be used without
.B O_CREAT
if
.I pathname
refers to a block device.
If the block device is in use by the system (e.g., mounted),
.BR open ()
fails with the error
.BR EBUSY .

On NFS,
.B O_EXCL
is only supported when using NFSv3 or later on kernel 2.6 or later.
In NFS environments where
.B O_EXCL
support is not provided, programs that rely on it
for performing locking tasks will contain a race condition.
Portable programs that want to perform atomic file locking using a lockfile,
and need to avoid reliance on NFS support for
.BR O_EXCL ,
can create a unique file on
the same file system (e.g., incorporating hostname and PID), and use
.BR link (2)
to make a link to the lockfile.
If
.BR link (2)
returns 0, the lock is successful.
Otherwise, use
.BR stat (2)
on the unique file to check if its link count has increased to 2,
in which case the lock is also successful.
.TP
.B O_LARGEFILE
(LFS)
Allow files whose sizes cannot be represented in an
.I off_t
(but can be represented in an
.IR off64_t )
to be opened.
The
.B _LARGEFILE64_SOURCE
macro must be defined
(before including
.I any
header files)
in order to obtain this definition.
Setting the
.B _FILE_OFFSET_BITS
feature test macro to 64 (rather than using
.BR O_LARGEFILE )
is the preferred
method of accessing large files on 32-bit systems (see
.BR feature_test_macros (7)).
.TP
.BR O_NOATIME " (Since Linux 2.6.8)"
Do not update the file last access time
.RI ( st_atime
in the inode)
when the file is
.BR read (2).
This flag is intended for use by indexing or backup programs,
where its use can significantly reduce the amount of disk activity.
This flag may not be effective on all file systems.
One example is NFS, where the server maintains the access time.
.\" The O_NOATIME flag also affects the treatment of st_atime
.\" by mmap() and readdir(2), MTK, Dec 04.
.TP
.B O_NOCTTY
If
.I pathname
refers to a terminal device\(emsee
.BR tty (4)\(emit
will not become the process's controlling terminal even if the
process does not have one.
.TP
.B O_NOFOLLOW
If \fIpathname\fP is a symbolic link, then the open fails.
This is a FreeBSD extension, which was added to Linux in version 2.1.126.
Symbolic links in earlier components of the pathname will still be
followed.
See also
.BR O_NOPATH
below.
.\" The headers from glibc 2.0.100 and later include a
.\" definition of this flag; \fIkernels before 2.1.126 will ignore it if
.\" used\fP.
.TP
.BR O_NONBLOCK " or " O_NDELAY
When possible, the file is opened in nonblocking mode.
Neither the
.BR open ()
nor any subsequent operations on the file descriptor which is
returned will cause the calling process to wait.
For the handling of FIFOs (named pipes), see also
.BR fifo (7).
For a discussion of the effect of
.B O_NONBLOCK
in conjunction with mandatory file locks and with file leases, see
.BR fcntl (2).
.TP
.BR O_PATH " (since Linux 2.6.39)"
.\" commit 1abf0c718f15a56a0a435588d1b104c7a37dc9bd
.\" commit 326be7b484843988afe57566b627fb7a70beac56
.\" commit 65cfc6722361570bfe255698d9cd4dccaf47570d
.\"
.\" http://thread.gmane.org/gmane.linux.man/2790/focus=3496
.\"	Subject: Re: [PATCH] open(2): document O_PATH
.\"	Newsgroups: gmane.linux.man, gmane.linux.kernel
.\"
Obtain a file descriptor that can be used for two purposes:
to indicate a location in the file-system tree and
to perform operations that act purely at the file descriptor level.
The file itself is not opened, and other file operations (e.g.,
.BR read (2),
.BR write (2),
.BR fchmod (2),
.BR fchown (2),
.BR fgetxattr (2))
fail with the error
.BR EBADF .

The following operations
.I can
be performed on the resulting file descriptor:
.RS
.IP * 3
.BR close (2);
.BR fchdir (2)
(since Linux 3.5);
.\" commit 332a2e1244bd08b9e3ecd378028513396a004a24
.BR fstat (2)
(since Linux 3.6).
.\" fstat(): commit 55815f70147dcfa3ead5738fd56d3574e2e3c1c2
.IP *
Duplicating the file descriptor
.RB ( dup (2),
.BR fcntl (2)
.BR F_DUPFD ,
etc.).
.IP *
Getting and setting file descriptor flags
.RB ( fcntl (2)
.BR F_GETFD
and
.BR F_SETFD ).
.IP *
Passing the file descriptor as the
.IR dirfd
argument of
.BR openat (2)
and the other "*at()" system calls.
.IP *
Passing the file descriptor to another process via a UNIX domain socket
(see
.BR SCM_RIGHTS
in
.BR unix (7)).
.RE
.IP
When
.B O_PATH
is specified in
.IR flags ,
flag bits other than
.BR O_DIRECTORY
and
.BR O_NOFOLLOW
are ignored.

If the
.BR O_NOFOLLOW
flag is also specified,
then the call returns a file descriptor referring to the symbolic link.
This file descriptor can be used as the
.I dirfd
argument in calls to
.BR fchownat (2),
.BR fstatat (2),
.BR linkat (2),
and
.BR readlinkat (2)
with an empty pathname to have the calls operate on the symbolic link.
.TP
.B O_SYNC
The file is opened for synchronous I/O.
Any
.BR write (2)s
on the resulting file descriptor will block the calling process until
the data has been physically written to the underlying hardware.
.IR "But see NOTES below" .
.TP
.B O_TRUNC
If the file already exists and is a regular file and the open mode allows
writing (i.e., is
.B O_RDWR
or
.BR O_WRONLY )
it will be truncated to length 0.
If the file is a FIFO or terminal device file, the
.B O_TRUNC
flag is ignored.
Otherwise the effect of
.B O_TRUNC
is unspecified.
.PP
Some of these optional flags can be altered using
.BR fcntl (2)
after the file has been opened.

.BR creat ()
is equivalent to
.BR open ()
with
.I flags
equal to
.BR O_CREAT|O_WRONLY|O_TRUNC .
.SH RETURN VALUE
.BR open ()
and
.BR creat ()
return the new file descriptor, or \-1 if an error occurred
(in which case,
.I errno
is set appropriately).
.SH ERRORS
.TP
.B EACCES
The requested access to the file is not allowed, or search permission
is denied for one of the directories in the path prefix of
.IR pathname ,
or the file did not exist yet and write access to the parent directory
is not allowed.
(See also
.BR path_resolution (7).)
.TP
.B EDQUOT
Where
.B O_CREAT
is specified, the file does not exist, and the user's quota of disk
blocks or inodes on the file system has been exhausted.
.TP
.B EEXIST
.I pathname
already exists and
.BR O_CREAT " and " O_EXCL
were used.
.TP
.B EFAULT
.I pathname
points outside your accessible address space.
.TP
.B EFBIG
See
.BR EOVERFLOW .
.TP
.B EINTR
While blocked waiting to complete an open of a slow device
(e.g., a FIFO; see
.BR fifo (7)),
the call was interrupted by a signal handler; see
.BR signal (7).
.TP
.B EISDIR
.I pathname
refers to a directory and the access requested involved writing
(that is,
.B O_WRONLY
or
.B O_RDWR
is set).
.TP
.B ELOOP
Too many symbolic links were encountered in resolving
.IR pathname ,
or \fBO_NOFOLLOW\fP was specified but
.I pathname
was a symbolic link.
.TP
.B EMFILE
The process already has the maximum number of files open.
.TP
.B ENAMETOOLONG
.I pathname
was too long.
.TP
.B ENFILE
The system limit on the total number of open files has been reached.
.TP
.B ENODEV
.I pathname
refers to a device special file and no corresponding device exists.
(This is a Linux kernel bug; in this situation
.B ENXIO
must be returned.)
.TP
.B ENOENT
.B O_CREAT
is not set and the named file does not exist.
Or, a directory component in
.I pathname
does not exist or is a dangling symbolic link.
.TP
.B ENOMEM
Insufficient kernel memory was available.
.TP
.B ENOSPC
.I pathname
was to be created but the device containing
.I pathname
has no room for the new file.
.TP
.B ENOTDIR
A component used as a directory in
.I pathname
is not, in fact, a directory, or \fBO_DIRECTORY\fP was specified and
.I pathname
was not a directory.
.TP
.B ENXIO
.BR O_NONBLOCK " | " O_WRONLY
is set, the named file is a FIFO and
no process has the file open for reading.
Or, the file is a device special file and no corresponding device exists.
.TP
.B EOVERFLOW
.I pathname
refers to a regular file that is too large to be opened.
The usual scenario here is that an application compiled
on a 32-bit platform without
.I -D_FILE_OFFSET_BITS=64
tried to open a file whose size exceeds
.I (2<<31)-1
bits;
see also
.B O_LARGEFILE
above.
This is the error specified by POSIX.1-2001;
in kernels before 2.6.24, Linux gave the error
.B EFBIG
for this case.
.\" See http://bugzilla.kernel.org/show_bug.cgi?id=7253
.\" "Open of a large file on 32-bit fails with EFBIG, should be EOVERFLOW"
.\" Reported 2006-10-03
.TP
.B EPERM
The
.B O_NOATIME
flag was specified, but the effective user ID of the caller
.\" Strictly speaking, it's the file system UID... (MTK)
did not match the owner of the file and the caller was not privileged
.RB ( CAP_FOWNER ).
.TP
.B EROFS
.I pathname
refers to a file on a read-only file system and write access was
requested.
.TP
.B ETXTBSY
.I pathname
refers to an executable image which is currently being executed and
write access was requested.
.TP
.B EWOULDBLOCK
The
.B O_NONBLOCK
flag was specified, and an incompatible lease was held on the file
(see
.BR fcntl (2)).
.SH CONFORMING TO
SVr4, 4.3BSD, POSIX.1-2001.
The
.BR O_DIRECTORY ,
.BR O_NOATIME ,
.BR O_NOFOLLOW ,
and
.BR O_PATH
flags are Linux-specific, and one may need to define
.B _GNU_SOURCE
(before including
.I any
header files)
to obtain their definitions.

The
.BR O_CLOEXEC
flag is not specified in POSIX.1-2001,
but is specified in POSIX.1-2008.

.B O_DIRECT
is not specified in POSIX; one has to define
.B _GNU_SOURCE
(before including
.I any
header files)
to get its definition.
.SH NOTES
Under Linux, the
.B O_NONBLOCK
flag indicates that one wants to open
but does not necessarily have the intention to read or write.
This is typically used to open devices in order to get a file descriptor
for use with
.BR ioctl (2).

Unlike the other values that can be specified in
.IR flags ,
the
.I "access mode"
values
.BR O_RDONLY ", " O_WRONLY ", and " O_RDWR ,
do not specify individual bits.
Rather, they define the low order two bits of
.IR flags ,
and are defined respectively as 0, 1, and 2.
In other words, the combination
.B "O_RDONLY | O_WRONLY"
is a logical error, and certainly does not have the same meaning as
.BR O_RDWR .
Linux reserves the special, nonstandard access mode 3 (binary 11) in
.I flags
to mean:
check for read and write permission on the file and return a descriptor
that can't be used for reading or writing.
This nonstandard access mode is used by some Linux drivers to return a
descriptor that is only to be used for device-specific
.BR ioctl (2)
operations.
.\" See for example util-linux's disk-utils/setfdprm.c
.\" For some background on access mode 3, see
.\" http://thread.gmane.org/gmane.linux.kernel/653123
.\" "[RFC] correct flags to f_mode conversion in __dentry_open"
.\" LKML, 12 Mar 2008
.LP
The (undefined) effect of
.B O_RDONLY | O_TRUNC
varies among implementations.
On many systems the file is actually truncated.
.\" Linux 2.0, 2.5: truncate
.\" Solaris 5.7, 5.8: truncate
.\" Irix 6.5: truncate
.\" Tru64 5.1B: truncate
.\" HP-UX 11.22: truncate
.\" FreeBSD 4.7: truncate
.PP
There are many infelicities in the protocol underlying NFS, affecting
amongst others
.BR O_SYNC " and " O_NDELAY .

POSIX provides for three different variants of synchronized I/O,
corresponding to the flags
.BR O_SYNC ,
.BR O_DSYNC ,
and
.BR O_RSYNC .
Currently (2.6.31), Linux only implements
.BR O_SYNC ,
but glibc maps
.B O_DSYNC
and
.B O_RSYNC
to the same numerical value as
.BR O_SYNC .
Most Linux file systems don't actually implement the POSIX
.B O_SYNC
semantics, which require all metadata updates of a write
to be on disk on returning to user space, but only the
.B O_DSYNC
semantics, which require only actual file data and metadata necessary
to retrieve it to be on disk by the time the system call returns.

Note that
.BR open ()
can open device special files, but
.BR creat ()
cannot create them; use
.BR mknod (2)
instead.
.LP
On NFS file systems with UID mapping enabled,
.BR open ()
may
return a file descriptor but, for example,
.BR read (2)
requests are denied
with \fBEACCES\fP.
This is because the client performs
.BR open ()
by checking the
permissions, but UID mapping is performed by the server upon
read and write requests.

If the file is newly created, its
.IR st_atime ,
.IR st_ctime ,
.I st_mtime
fields
(respectively, time of last access, time of last status change, and
time of last modification; see
.BR stat (2))
are set
to the current time, and so are the
.I st_ctime
and
.I st_mtime
fields of the
parent directory.
Otherwise, if the file is modified because of the
.B O_TRUNC
flag, its st_ctime and st_mtime fields are set to the current time.
.SS O_DIRECT
.LP
The
.B O_DIRECT
flag may impose alignment restrictions on the length and address
of user-space buffers and the file offset of I/Os.
In Linux alignment
restrictions vary by file system and kernel version and might be
absent entirely.
However there is currently no file system\-independent
interface for an application to discover these restrictions for a given
file or file system.
Some file systems provide their own interfaces
for doing so, for example the
.B XFS_IOC_DIOINFO
operation in
.BR xfsctl (3).
.LP
Under Linux 2.4, transfer sizes, and the alignment of the user buffer
and the file offset must all be multiples of the logical block size
of the file system.
Under Linux 2.6, alignment to 512-byte boundaries suffices.
.LP
.B O_DIRECT
I/Os should never be run concurrently with the
.BR fork (2)
system call,
if the memory buffer is a private mapping
(i.e., any mapping created with the
.BR mmap (2)
.BR MAP_PRIVATE
flag;
this includes memory allocated on the heap and statically allocated buffers).
Any such I/Os, whether submitted via an asynchronous I/O interface or from
another thread in the process,
should be completed before
.BR fork (2)
is called.
Failure to do so can result in data corruption and undefined behavior in
parent and child processes.
This restriction does not apply when the memory buffer for the
.B O_DIRECT
I/Os was created using
.BR shmat (2)
or
.BR mmap (2)
with the
.B MAP_SHARED
flag.
Nor does this restriction apply when the memory buffer has been advised as
.B MADV_DONTFORK
with
.BR madvise (2),
ensuring that it will not be available
to the child after
.BR fork (2).
.LP
The
.B O_DIRECT
flag was introduced in SGI IRIX, where it has alignment
restrictions similar to those of Linux 2.4.
IRIX has also a
.BR fcntl (2)
call to query appropriate alignments, and sizes.
FreeBSD 4.x introduced
a flag of the same name, but without alignment restrictions.
.LP
.B O_DIRECT
support was added under Linux in kernel version 2.4.10.
Older Linux kernels simply ignore this flag.
Some file systems may not implement the flag and
.BR open ()
will fail with
.B EINVAL
if it is used.
.LP
Applications should avoid mixing
.B O_DIRECT
and normal I/O to the same file,
and especially to overlapping byte regions in the same file.
Even when the file system correctly handles the coherency issues in
this situation, overall I/O throughput is likely to be slower than
using either mode alone.
Likewise, applications should avoid mixing
.BR mmap (2)
of files with direct I/O to the same files.
.LP
The behaviour of
.B O_DIRECT
with NFS will differ from local file systems.
Older kernels, or
kernels configured in certain ways, may not support this combination.
The NFS protocol does not support passing the flag to the server, so
.B O_DIRECT
I/O will only bypass the page cache on the client; the server may
still cache the I/O.
The client asks the server to make the I/O
synchronous to preserve the synchronous semantics of
.BR O_DIRECT .
Some servers will perform poorly under these circumstances, especially
if the I/O size is small.
Some servers may also be configured to
lie to clients about the I/O having reached stable storage; this
will avoid the performance penalty at some risk to data integrity
in the event of server power failure.
The Linux NFS client places no alignment restrictions on
.B O_DIRECT
I/O.
.PP
In summary,
.B O_DIRECT
is a potentially powerful tool that should be used with caution.
It is recommended that applications treat use of
.B O_DIRECT
as a performance option which is disabled by default.
.PP
.RS
"The thing that has always disturbed me about O_DIRECT is that the whole
interface is just stupid, and was probably designed by a deranged monkey
on some serious mind-controlling substances."\(emLinus
.RE
.SH BUGS
Currently, it is not possible to enable signal-driven
I/O by specifying
.B O_ASYNC
when calling
.BR open ();
use
.BR fcntl (2)
to enable this flag.
.\" FIXME . Check bugzilla report on open(O_ASYNC)
.\" See http://bugzilla.kernel.org/show_bug.cgi?id=5993
.SH SEE ALSO
.BR chmod (2),
.BR chown (2),
.BR close (2),
.BR dup (2),
.BR fcntl (2),
.BR link (2),
.BR lseek (2),
.BR mknod (2),
.BR mmap (2),
.BR mount (2),
.BR openat (2),
.BR read (2),
.BR socket (2),
.BR stat (2),
.BR umask (2),
.BR unlink (2),
.BR write (2),
.BR fopen (3),
.BR fifo (7),
.BR path_resolution (7),
.BR symlink (7)