rm.c revision 1.48.4.1
1 /* $NetBSD: rm.c,v 1.48.4.1 2012/06/15 09:08:03 sborrill Exp $ */ 2 3 /*- 4 * Copyright (c) 1990, 1993, 1994, 2003 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\ 35 The Regents of the University of California. All rights reserved."); 36 #endif /* not lint */ 37 38 #ifndef lint 39 #if 0 40 static char sccsid[] = "@(#)rm.c 8.8 (Berkeley) 4/27/95"; 41 #else 42 __RCSID("$NetBSD: rm.c,v 1.48.4.1 2012/06/15 09:08:03 sborrill Exp $"); 43 #endif 44 #endif /* not lint */ 45 46 #include <sys/param.h> 47 #include <sys/stat.h> 48 #include <sys/types.h> 49 50 #include <err.h> 51 #include <errno.h> 52 #include <fcntl.h> 53 #include <fts.h> 54 #include <grp.h> 55 #include <locale.h> 56 #include <pwd.h> 57 #include <stdio.h> 58 #include <stdlib.h> 59 #include <string.h> 60 #include <unistd.h> 61 62 int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag; 63 64 int check(char *, char *, struct stat *); 65 void checkdot(char **); 66 void rm_file(char **); 67 int rm_overwrite(char *, struct stat *); 68 void rm_tree(char **); 69 void usage(void); 70 int main(int, char *[]); 71 72 /* 73 * For the sake of the `-f' flag, check whether an error number indicates the 74 * failure of an operation due to an non-existent file, either per se (ENOENT) 75 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR). 76 */ 77 #define NONEXISTENT(x) \ 78 ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR) 79 80 /* 81 * rm -- 82 * This rm is different from historic rm's, but is expected to match 83 * POSIX 1003.2 behavior. The most visible difference is that -f 84 * has two specific effects now, ignore non-existent files and force 85 * file removal. 86 */ 87 int 88 main(int argc, char *argv[]) 89 { 90 int ch, rflag; 91 92 setprogname(argv[0]); 93 (void)setlocale(LC_ALL, ""); 94 95 Pflag = rflag = 0; 96 while ((ch = getopt(argc, argv, "dfiPRrvW")) != -1) 97 switch (ch) { 98 case 'd': 99 dflag = 1; 100 break; 101 case 'f': 102 fflag = 1; 103 iflag = 0; 104 break; 105 case 'i': 106 fflag = 0; 107 iflag = 1; 108 break; 109 case 'P': 110 Pflag = 1; 111 break; 112 case 'R': 113 case 'r': /* Compatibility. */ 114 rflag = 1; 115 break; 116 case 'v': 117 vflag = 1; 118 break; 119 case 'W': 120 Wflag = 1; 121 break; 122 case '?': 123 default: 124 usage(); 125 } 126 argc -= optind; 127 argv += optind; 128 129 if (argc < 1) { 130 if (fflag) 131 return 0; 132 usage(); 133 } 134 135 checkdot(argv); 136 137 if (*argv) { 138 stdin_ok = isatty(STDIN_FILENO); 139 140 if (rflag) 141 rm_tree(argv); 142 else 143 rm_file(argv); 144 } 145 146 exit(eval); 147 /* NOTREACHED */ 148 } 149 150 void 151 rm_tree(char **argv) 152 { 153 FTS *fts; 154 FTSENT *p; 155 int flags, needstat, rval; 156 157 /* 158 * Remove a file hierarchy. If forcing removal (-f), or interactive 159 * (-i) or can't ask anyway (stdin_ok), don't stat the file. 160 */ 161 needstat = !fflag && !iflag && stdin_ok; 162 163 /* 164 * If the -i option is specified, the user can skip on the pre-order 165 * visit. The fts_number field flags skipped directories. 166 */ 167 #define SKIPPED 1 168 169 flags = FTS_PHYSICAL; 170 if (!needstat) 171 flags |= FTS_NOSTAT; 172 if (Wflag) 173 flags |= FTS_WHITEOUT; 174 if ((fts = fts_open(argv, flags, NULL)) == NULL) 175 err(1, "fts_open failed"); 176 while ((p = fts_read(fts)) != NULL) { 177 178 switch (p->fts_info) { 179 case FTS_DNR: 180 if (!fflag || p->fts_errno != ENOENT) { 181 warnx("%s: %s", p->fts_path, 182 strerror(p->fts_errno)); 183 eval = 1; 184 } 185 continue; 186 case FTS_ERR: 187 errx(EXIT_FAILURE, "%s: %s", p->fts_path, 188 strerror(p->fts_errno)); 189 /* NOTREACHED */ 190 case FTS_NS: 191 /* 192 * FTS_NS: assume that if can't stat the file, it 193 * can't be unlinked. 194 */ 195 if (fflag && NONEXISTENT(p->fts_errno)) 196 continue; 197 if (needstat) { 198 warnx("%s: %s", p->fts_path, 199 strerror(p->fts_errno)); 200 eval = 1; 201 continue; 202 } 203 break; 204 case FTS_D: 205 /* Pre-order: give user chance to skip. */ 206 if (!fflag && !check(p->fts_path, p->fts_accpath, 207 p->fts_statp)) { 208 (void)fts_set(fts, p, FTS_SKIP); 209 p->fts_number = SKIPPED; 210 } 211 continue; 212 case FTS_DP: 213 /* Post-order: see if user skipped. */ 214 if (p->fts_number == SKIPPED) 215 continue; 216 break; 217 default: 218 if (!fflag && 219 !check(p->fts_path, p->fts_accpath, p->fts_statp)) 220 continue; 221 } 222 223 rval = 0; 224 /* 225 * If we can't read or search the directory, may still be 226 * able to remove it. Don't print out the un{read,search}able 227 * message unless the remove fails. 228 */ 229 switch (p->fts_info) { 230 case FTS_DP: 231 case FTS_DNR: 232 rval = rmdir(p->fts_accpath); 233 if (rval != 0 && fflag && errno == ENOENT) 234 continue; 235 break; 236 237 case FTS_W: 238 rval = undelete(p->fts_accpath); 239 if (rval != 0 && fflag && errno == ENOENT) 240 continue; 241 break; 242 243 default: 244 if (Pflag) { 245 if (rm_overwrite(p->fts_accpath, NULL)) 246 continue; 247 } 248 rval = unlink(p->fts_accpath); 249 if (rval != 0 && fflag && NONEXISTENT(errno)) 250 continue; 251 break; 252 } 253 if (rval != 0) { 254 warn("%s", p->fts_path); 255 eval = 1; 256 } else if (vflag) 257 (void)printf("%s\n", p->fts_path); 258 } 259 if (errno) 260 err(1, "fts_read"); 261 fts_close(fts); 262 } 263 264 void 265 rm_file(char **argv) 266 { 267 struct stat sb; 268 int rval; 269 char *f; 270 271 /* 272 * Remove a file. POSIX 1003.2 states that, by default, attempting 273 * to remove a directory is an error, so must always stat the file. 274 */ 275 while ((f = *argv++) != NULL) { 276 /* Assume if can't stat the file, can't unlink it. */ 277 if (lstat(f, &sb)) { 278 if (Wflag) { 279 sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR; 280 } else { 281 if (!fflag || !NONEXISTENT(errno)) { 282 warn("%s", f); 283 eval = 1; 284 } 285 continue; 286 } 287 } else if (Wflag) { 288 warnx("%s: %s", f, strerror(EEXIST)); 289 eval = 1; 290 continue; 291 } 292 293 if (S_ISDIR(sb.st_mode) && !dflag) { 294 warnx("%s: is a directory", f); 295 eval = 1; 296 continue; 297 } 298 if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb)) 299 continue; 300 if (S_ISWHT(sb.st_mode)) 301 rval = undelete(f); 302 else if (S_ISDIR(sb.st_mode)) 303 rval = rmdir(f); 304 else { 305 if (Pflag) { 306 if (rm_overwrite(f, &sb)) 307 continue; 308 } 309 rval = unlink(f); 310 } 311 if (rval && (!fflag || !NONEXISTENT(errno))) { 312 warn("%s", f); 313 eval = 1; 314 } 315 if (vflag && rval == 0) 316 (void)printf("%s\n", f); 317 } 318 } 319 320 /* 321 * rm_overwrite -- 322 * Overwrite the file 3 times with varying bit patterns. 323 * 324 * This is an expensive way to keep people from recovering files from your 325 * non-snapshotted FFS filesystems using fsdb(8). Really. No more. Only 326 * regular files are deleted, directories (and therefore names) will remain. 327 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a 328 * System V file system). In a logging file system, you'll have to have 329 * kernel support. 330 * 331 * A note on standards: U.S. DoD 5220.22-M "National Industrial Security 332 * Program Operating Manual" ("NISPOM") is often cited as a reference 333 * for clearing and sanitizing magnetic media. In fact, a matrix of 334 * "clearing" and "sanitization" methods for various media was given in 335 * Chapter 8 of the original 1995 version of NISPOM. However, that 336 * matrix was *removed from the document* when Chapter 8 was rewritten 337 * in Change 2 to the document in 2001. Recently, the Defense Security 338 * Service has made a revised clearing and sanitization matrix available 339 * in Microsoft Word format on the DSS web site. The standardization 340 * status of this matrix is unclear. Furthermore, one must be very 341 * careful when referring to this matrix: it is intended for the "clearing" 342 * prior to reuse or "sanitization" prior to disposal of *entire media*, 343 * not individual files and the only non-physically-destructive method of 344 * "sanitization" that is permitted for magnetic disks of any kind is 345 * specifically noted to be prohibited for media that have contained 346 * Top Secret data. 347 * 348 * It is impossible to actually conform to the exact procedure given in 349 * the matrix if one is overwriting a file, not an entire disk, because 350 * the procedure requires examination and comparison of the disk's defect 351 * lists. Any program that claims to securely erase *files* while 352 * conforming to the standard, then, is not correct. We do as much of 353 * what the standard requires as can actually be done when erasing a 354 * file, rather than an entire disk; but that does not make us conformant. 355 * 356 * Furthermore, the presence of track caches, disk and controller write 357 * caches, and so forth make it extremely difficult to ensure that data 358 * have actually been written to the disk, particularly when one tries 359 * to repeatedly overwrite the same sectors in quick succession. We call 360 * fsync(), but controllers with nonvolatile cache, as well as IDE disks 361 * that just plain lie about the stable storage of data, will defeat this. 362 * 363 * Finally, widely respected research suggests that the given procedure 364 * is nowhere near sufficient to prevent the recovery of data using special 365 * forensic equipment and techniques that are well-known. This is 366 * presumably one reason that the matrix requires physical media destruction, 367 * rather than any technique of the sort attempted here, for secret data. 368 * 369 * Caveat Emptor. 370 * 371 * rm_overwrite will return 0 on success. 372 */ 373 374 int 375 rm_overwrite(char *file, struct stat *sbp) 376 { 377 struct stat sb, sb2; 378 int fd, randint; 379 char randchar; 380 381 fd = -1; 382 if (sbp == NULL) { 383 if (lstat(file, &sb)) 384 goto err; 385 sbp = &sb; 386 } 387 if (!S_ISREG(sbp->st_mode)) 388 return 0; 389 390 /* flags to try to defeat hidden caching by forcing seeks */ 391 if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC|O_NOFOLLOW, 0)) == -1) 392 goto err; 393 394 if (fstat(fd, &sb2)) { 395 goto err; 396 } 397 398 if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino || 399 !S_ISREG(sb2.st_mode)) { 400 errno = EPERM; 401 goto err; 402 } 403 404 #define RAND_BYTES 1 405 #define THIS_BYTE 0 406 407 #define WRITE_PASS(mode, byte) do { \ 408 off_t len; \ 409 int wlen, i; \ 410 char buf[8 * 1024]; \ 411 \ 412 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 413 goto err; \ 414 \ 415 if (mode == THIS_BYTE) \ 416 memset(buf, byte, sizeof(buf)); \ 417 for (len = sbp->st_size; len > 0; len -= wlen) { \ 418 if (mode == RAND_BYTES) { \ 419 for (i = 0; i < sizeof(buf); \ 420 i+= sizeof(u_int32_t)) \ 421 *(int *)(buf + i) = arc4random(); \ 422 } \ 423 wlen = len < sizeof(buf) ? len : sizeof(buf); \ 424 if (write(fd, buf, wlen) != wlen) \ 425 goto err; \ 426 } \ 427 sync(); /* another poke at hidden caches */ \ 428 } while (/* CONSTCOND */ 0) 429 430 #define READ_PASS(byte) do { \ 431 off_t len; \ 432 int rlen; \ 433 char pattern[8 * 1024]; \ 434 char buf[8 * 1024]; \ 435 \ 436 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 437 goto err; \ 438 \ 439 memset(pattern, byte, sizeof(pattern)); \ 440 for(len = sbp->st_size; len > 0; len -= rlen) { \ 441 rlen = len < sizeof(buf) ? len : sizeof(buf); \ 442 if(read(fd, buf, rlen) != rlen) \ 443 goto err; \ 444 if(memcmp(buf, pattern, rlen)) \ 445 goto err; \ 446 } \ 447 sync(); /* another poke at hidden caches */ \ 448 } while (/* CONSTCOND */ 0) 449 450 /* 451 * DSS sanitization matrix "clear" for magnetic disks: 452 * option 'c' "Overwrite all addressable locations with a single 453 * character." 454 */ 455 randint = arc4random(); 456 randchar = *(char *)&randint; 457 WRITE_PASS(THIS_BYTE, randchar); 458 459 /* 460 * DSS sanitization matrix "sanitize" for magnetic disks: 461 * option 'd', sub 2 "Overwrite all addressable locations with a 462 * character, then its complement. Verify "complement" character 463 * was written successfully to all addressable locations, then 464 * overwrite all addressable locations with random characters; or 465 * verify third overwrite of random characters." The rest of the 466 * text in d-sub-2 specifies requirements for overwriting spared 467 * sectors; we cannot conform to it when erasing only a file, thus 468 * we do not conform to the standard. 469 */ 470 471 /* 1. "a character" */ 472 WRITE_PASS(THIS_BYTE, 0xff); 473 474 /* 2. "its complement" */ 475 WRITE_PASS(THIS_BYTE, 0x00); 476 477 /* 3. "Verify 'complement' character" */ 478 READ_PASS(0x00); 479 480 /* 4. "overwrite all addressable locations with random characters" */ 481 482 WRITE_PASS(RAND_BYTES, 0x00); 483 484 /* 485 * As the file might be huge, and we note that this revision of 486 * the matrix says "random characters", not "a random character" 487 * as the original did, we do not verify the random-character 488 * write; the "or" in the standard allows this. 489 */ 490 491 if (close(fd) == -1) { 492 fd = -1; 493 goto err; 494 } 495 496 return 0; 497 498 err: eval = 1; 499 warn("%s", file); 500 if (fd != -1) 501 close(fd); 502 return 1; 503 } 504 505 int 506 check(char *path, char *name, struct stat *sp) 507 { 508 int ch, first; 509 char modep[15]; 510 511 /* Check -i first. */ 512 if (iflag) 513 (void)fprintf(stderr, "remove '%s'? ", path); 514 else { 515 /* 516 * If it's not a symbolic link and it's unwritable and we're 517 * talking to a terminal, ask. Symbolic links are excluded 518 * because their permissions are meaningless. Check stdin_ok 519 * first because we may not have stat'ed the file. 520 */ 521 if (!stdin_ok || S_ISLNK(sp->st_mode) || 522 !(access(name, W_OK) && (errno != ETXTBSY))) 523 return (1); 524 strmode(sp->st_mode, modep); 525 if (Pflag) { 526 warnx( 527 "%s: -P was specified but file could not" 528 " be overwritten", path); 529 return 0; 530 } 531 (void)fprintf(stderr, "override %s%s%s:%s for '%s'? ", 532 modep + 1, modep[9] == ' ' ? "" : " ", 533 user_from_uid(sp->st_uid, 0), 534 group_from_gid(sp->st_gid, 0), path); 535 } 536 (void)fflush(stderr); 537 538 first = ch = getchar(); 539 while (ch != '\n' && ch != EOF) 540 ch = getchar(); 541 return (first == 'y' || first == 'Y'); 542 } 543 544 /* 545 * POSIX.2 requires that if "." or ".." are specified as the basename 546 * portion of an operand, a diagnostic message be written to standard 547 * error and nothing more be done with such operands. 548 * 549 * Since POSIX.2 defines basename as the final portion of a path after 550 * trailing slashes have been removed, we'll remove them here. 551 */ 552 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2]))) 553 void 554 checkdot(char **argv) 555 { 556 char *p, **save, **t; 557 int complained; 558 559 complained = 0; 560 for (t = argv; *t;) { 561 /* strip trailing slashes */ 562 p = strrchr(*t, '\0'); 563 while (--p > *t && *p == '/') 564 *p = '\0'; 565 566 /* extract basename */ 567 if ((p = strrchr(*t, '/')) != NULL) 568 ++p; 569 else 570 p = *t; 571 572 if (ISDOT(p)) { 573 if (!complained++) 574 warnx("\".\" and \"..\" may not be removed"); 575 eval = 1; 576 for (save = t; (t[0] = t[1]) != NULL; ++t) 577 continue; 578 t = save; 579 } else 580 ++t; 581 } 582 } 583 584 void 585 usage(void) 586 { 587 588 (void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvW] file ...\n", 589 getprogname()); 590 exit(1); 591 /* NOTREACHED */ 592 } 593
Indexes created Sat Oct 11 16:09:52 GMT 2025