Home | History | Annotate | Download | only in rm
History log of /src/bin/rm/rm.c
RevisionDateAuthorComments
 1.55  12-May-2025  kim Remove unnecessary initialization to zero of static int option flags

This results in uniform handling of all of them, instead of some being
explicitly initialized and some not. Reduces confusion in the reader.
 1.54  10-Sep-2021  rillig bin: remove unnecessary lint comment CONSTCOND

Since 2021-01-31, lint no longer warns about 'do ... while (0)'.

No functional change.
 1.53  26-Apr-2013  christos branches: 1.53.30;
PR/47770: Eitan Adler: add x flag to rm to avoid cross mount points
 1.52  13-Jun-2012  dholland branches: 1.52.2;
Rectify race condition in rm -P processing by checking that the file
we opened is the one we expected to get. Also use O_NOFOLLOW to help
avoid even opening devices, which sometimes produce side effects.

Reported by Radoslaw A. Zarzynski.
 1.51  21-Jan-2012  christos branches: 1.51.2;
Siginfo support from Daniel Loffgren
 1.50  29-Aug-2011  joerg branches: 1.50.2;
static + __dead
 1.49  14-Feb-2009  lukem fix -Wsign-compare issues
 1.48  20-Jul-2008  lukem branches: 1.48.4; 1.48.6;
Remove the \n and tabs from the __COPYRIGHT() strings.
 1.47  26-May-2008  christos PR/38754: murray armfield: Rm prints diagnostic messages when invoked with -f
and no other arguments, contrary to POSIX. Also cosmetic fixes.
 1.46  24-Jun-2007  christos branches: 1.46.10; 1.46.12;
PR/36535: Greg A. Woods: rm(1) should present user:group the same way as
chown(8) et al
 1.45  25-Aug-2006  liamjfoy branches: 1.45.2;
Only remove the file if the file can be successfully
overwritten. Old code would remove the file regardless of
whether the overwrite was successful or not.

New behaviour:

carpy: {12} touch moo ; chmod 444 moo
carpy: {13} ls
moo
carpy: {14} rm -P moo
rm: moo: -P was specified but file could not be overwritten
carpy: {15} ls
moo
carpy: {16}

ok: christos@, joerg@ & tech-userlevel@
 1.44  14-Aug-2006  tls Fix sentence fragment that somehow got into the long comment about rm -P.
 1.43  17-Mar-2006  peter Call fts_close() at the end of rm_tree().

Fixes Coverity CID 1670.
 1.42  11-Jan-2004  wiz Fix typo.
 1.41  11-Jan-2004  tls Adjust comment to indicate what this code is actually useful for, and that
it's not really "cheap".
 1.40  11-Jan-2004  tls Change behaviour of -P option to conform generally to DoD 5220.22-M
standard. This change inspired by Apple's "Secure Empty Trash" functionality
in MacOS 10.3. However, it is important to understand that this change
does not -- and can not -- actually achieve conformance to the current
revision of the standard. To quote the manual page:

The -P option attempts to conform to U.S. DoD 5220-22.M, "National Indus-
trial Security Program Operating Manual" ("NISPOM") as updated by Change
2 and the July 23, 2003 "Clearing & Sanitization Matrix". However,
unlike earlier revisions of NISPOM, the 2003 matrix imposes requirements
which make it clear that the standard does not and can not apply to the
erasure of individual files, in particular requirements relating to spare
sector management for an entire magnetic disk. Because these
requirements are not met, the -P option does not conform to the standard.

This also makes the -P option a *lot* more expensive than it used to be.
It used to overwrite with 0xff, overwrite with 0x00, overwrite with 0xff,
with an fsync after each write. Now it overwrites with a random character,
overwrites with 0xff, overwrites with 0x00, reads to validate the 0x00
overwrite, then overwrites with random data -- calling sync() after every
operation in an attempt to force seeks that will clear the data from the
cache of disks that lie about whether data has been committed to the
platters. Also, the file's opened with O_SYNC|O_RSYNC to cause metadata
updates on every read/write, which should cause still more seeks.

This is better than it used to be, but it's by no means adequate if you
have data you really don't want read by an adversary who can pull the
disk apart.
 1.39  04-Jan-2004  jschauma remove unused code left from printescaped() backput as pointed out by Jeff
Ito in PR bin/23969 and PR bin/23970.
 1.38  14-Sep-2003  jschauma Following private discussion with kleink@ and hubertf@ and public discussion
on tech-userlevel@, back out printescaped() functionality.
kleink: ``We sell rope.''
 1.37  13-Aug-2003  itojun use bounded string op
 1.36  07-Aug-2003  agc Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22249, verified by myself.
 1.35  04-Aug-2003  jschauma As discusses a little while back on tech-userlevel:

If stdout is a tty, use vis(3) to print any filenames to prevent garbage
from being printed if the filename contains control- or other non-printable
characters.

While here, sprinkle some EXIT_FAILURE and NOTREACHED where appropriate.
 1.34  01-Mar-2003  enami Remove space at the end of line.
 1.33  13-Feb-2003  jrf Note: Original change approved by Enami.
Accidentally left eval = 1 when I was adding the extension which caused the rm command to return a 1 when it successfully removed a directory. Thanks to tron for catching it.
 1.32  12-Feb-2003  jrf Added the -v flag.
 1.31  05-Nov-2002  enami - Remove the last __P.
- Don't put space between function name and () op.
 1.30  02-May-2002  enami - Use four space to indent continuation line.
- Put a space after the C language keyword ``switch''.
- Put an empty line if a function doesn't have local variable.
- Use do { } while (/*CONSTCOND*/ 0) instead of { } to protect a multi
statement macro
 1.29  20-Dec-2001  soren Sync getopt() / man page with actual getopt options.
 1.28  22-Nov-2001  jmc Patch from mycroft to fix case of rm -rf nonexistant on a r/o fs would still
report errors. Checking the fts_errno for ENOENT before attempting removal
fixes this.
 1.27  16-Sep-2001  wiz ANSIfy, KNF, [gs]etprogname, by Petri Koistinen.
 1.26  09-Nov-1999  drochner branches: 1.26.4;
Since our gcc doesn't warn about NULL format strings anymore, we can
fix the incorrect err(1, "%s", "") et al.
Closes PR bin/7592 by cgd.
 1.25  30-Jun-1999  is branches: 1.25.4;
Don't ask for permission to unlink a file if the access error is ETXTBSY.
This needs vfs_syscalls.c 1.138 to really work.
Fixes pr 4134 by Johan Danielsson.
 1.24  28-Jul-1998  mycroft Be more retentive about use of NOTREACHED and noreturn.
 1.23  28-Jul-1998  mycroft Delint.
 1.22  28-Jul-1998  mycroft Delint.
 1.21  21-Dec-1997  kleink Per 1003.2, no warnings shall be generated for attempts to remove non-existent
files in case the `-f' option has been specified:
Extend the definition of `non-existent' to include ENAMETOOLONG and ENOTDIR
cases, since file names failing with these errors can safely assumed to be
non-existent. Fixes PR bin/2993.
 1.20  20-Jul-1997  christos Fix compiler warnings.
Add WARNS=1
 1.19  07-Sep-1995  jtc Sync with 4.4lite2
 1.18  21-Mar-1995  cgd convert to new RCS id conventions.
 1.17  28-Dec-1994  mycroft Mostly sync with CSRG.
 1.16  02-Nov-1994  jtc Strip trailing slashes of operands in checkdot().

POSIX.2 requires that if "." or ".." are specified as the basename
portion of an operand, a diagnostic message be written to standard
error, etc. We strip the slashes because POSIX.2 defines basename
as the final portion of a pathname after trailing slashes have been
removed.

This also makes rm "perform actions equivalent to" the POSIX.1
rmdir() and unlink() functions when removing directories and files,
even when they do not follow POSIX.1's pathname resolution semantics
(which require trailing slashes be ignored).
 1.15  20-Sep-1994  mycroft Merge with 4.4-Lite version.
 1.14  16-Mar-1994  jtc Fix bug where two messages were printed when a directory could not
be removed due to some error.
 1.13  28-Jan-1994  jtc The -f flag suppresses error messages and changes to the exit value if
a file specified on the command line does not exist. This is the _only_
case where error messages/exit value are effected by the -f flag.
 1.12  29-Nov-1993  jtc Change order of conditional so that a possible null pointer is not
dereferenced. This case would only occur when stdin was not a tty.
Thanks to Dan Muntz for discovering this bug.
 1.11  16-Nov-1993  jtc Some minor fixes:
If all the arguments have a "." or ".." basename, the exit value should be
modified whether or not the -f flag was specified.
Don't exit if a file can not be read or there is another error (FTS_DNR or
FTS_ERR), there are probably other files that we can process successfully.
 1.10  16-Nov-1993  jtc Check user's response against both 'Y' and 'y' --- this is really supposed
to be a locale specific regular expression. This change hard codes POSIX
locale behavior, and will be replaced by a locale independant equivalent
as soon as locales are fully implemented.
 1.9  25-Oct-1993  jtc Don't ask about each directory twice when using -r and -i flags.
Exit value is not always zero when using -f flag, only if all files were
removed or non-existant.
 1.8  25-Oct-1993  jtc Changed conditional from "iflag && check(...)" to "!fflag && check(...)".
Removed the !fflag from conditionals in check() ... the check function
is never executed if !fflag.
 1.7  25-Oct-1993  jtc Changed so that rm without -r or -R is 1003.2 compliant --- I haven't
had time to look at the recursive code, but it probably has the same
types of problems.
Added code to set the default locale, so it will work correctly when
our locale code is more than just stubs.
Added prototypes, etc. to make gcc -Wall happier.
 1.6  06-Aug-1993  deraadt change for new fts library
 1.5  01-Aug-1993  mycroft Add RCS identifiers.
 1.4  10-Apr-1993  mycroft Be silent if -f specified.
 1.3  23-Mar-1993  cgd changed "Id" to "Header" for rcsids
 1.2  22-Mar-1993  cgd added rcs ids to all files
 1.1  21-Mar-1993  cgd branches: 1.1.1;
Initial revision
 1.1.1.3  07-Sep-1995  jtc imported from 44lite2
 1.1.1.2  19-Sep-1994  mycroft Import original 4.4-Lite version.
 1.1.1.1  21-Mar-1993  cgd initial import of 386bsd-0.1 sources
 1.25.4.1  27-Dec-1999  wrstuden Pull up to last week's -current.
 1.26.4.1  06-Mar-2002  he Pull up revision 1.28 (requested by lukem):
Fix a problem where ``rm -rf foo'' exits with a non-zero exit status
on a read-only file system even if foo doesn't exist.
 1.45.2.1  15-Jun-2012  sborrill Pull up the following revisions(s) (requested by dholland in ticket #1451):
bin/rm/rm.c: revision 1.52

Rectify race condition in rm -P processing by checking that the file
we opened is the one we expected to get. Also use O_NOFOLLOW to help
avoid even opening devices, which sometimes produce side effects.
 1.46.12.2  18-Sep-2008  wrstuden Sync with wrstuden-revivesa-base-2.
 1.46.12.1  23-Jun-2008  wrstuden Sync w/ -current. 34 merge conflicts to follow.
 1.46.10.1  04-Jun-2008  yamt sync with head
 1.48.6.1  13-May-2009  jym Sync with HEAD.

Third (and last) commit. See http://mail-index.netbsd.org/source-changes/2009/05/13/msg221222.html
 1.48.4.1  15-Jun-2012  sborrill Pull up the following revisions(s) (requested by dholland in ticket #1775):
bin/rm/rm.c: revision 1.52

Rectify race condition in rm -P processing by checking that the file
we opened is the one we expected to get. Also use O_NOFOLLOW to help
avoid even opening devices, which sometimes produce side effects.
 1.50.2.3  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.50.2.2  30-Oct-2012  yamt sync with head
 1.50.2.1  17-Apr-2012  yamt sync with head
 1.51.2.1  15-Jun-2012  sborrill Pull up the following revisions(s) (requested by dholland in ticket #346):
bin/rm/rm.c: revision 1.52

Rectify race condition in rm -P processing by checking that the file
we opened is the one we expected to get. Also use O_NOFOLLOW to help
avoid even opening devices, which sometimes produce side effects.
 1.52.2.1  23-Jun-2013  tls resync from head
 1.53.30.2  21-Apr-2020  martin Ooops, restore accidently removed files from merge mishap
 1.53.30.1  21-Apr-2020  martin Sync with HEAD

RSS XML Feed