rm.c revision 1.50
1 /* $NetBSD: rm.c,v 1.50 2011/08/29 14:48:46 joerg Exp $ */ 2 3 /*- 4 * Copyright (c) 1990, 1993, 1994, 2003 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\ 35 The Regents of the University of California. All rights reserved."); 36 #endif /* not lint */ 37 38 #ifndef lint 39 #if 0 40 static char sccsid[] = "@(#)rm.c 8.8 (Berkeley) 4/27/95"; 41 #else 42 __RCSID("$NetBSD: rm.c,v 1.50 2011/08/29 14:48:46 joerg Exp $"); 43 #endif 44 #endif /* not lint */ 45 46 #include <sys/param.h> 47 #include <sys/stat.h> 48 #include <sys/types.h> 49 50 #include <err.h> 51 #include <errno.h> 52 #include <fcntl.h> 53 #include <fts.h> 54 #include <grp.h> 55 #include <locale.h> 56 #include <pwd.h> 57 #include <stdio.h> 58 #include <stdlib.h> 59 #include <string.h> 60 #include <unistd.h> 61 62 static int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag; 63 64 static int check(char *, char *, struct stat *); 65 static void checkdot(char **); 66 static void rm_file(char **); 67 static int rm_overwrite(char *, struct stat *); 68 static void rm_tree(char **); 69 __dead static void usage(void); 70 71 /* 72 * For the sake of the `-f' flag, check whether an error number indicates the 73 * failure of an operation due to an non-existent file, either per se (ENOENT) 74 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR). 75 */ 76 #define NONEXISTENT(x) \ 77 ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR) 78 79 /* 80 * rm -- 81 * This rm is different from historic rm's, but is expected to match 82 * POSIX 1003.2 behavior. The most visible difference is that -f 83 * has two specific effects now, ignore non-existent files and force 84 * file removal. 85 */ 86 int 87 main(int argc, char *argv[]) 88 { 89 int ch, rflag; 90 91 setprogname(argv[0]); 92 (void)setlocale(LC_ALL, ""); 93 94 Pflag = rflag = 0; 95 while ((ch = getopt(argc, argv, "dfiPRrvW")) != -1) 96 switch (ch) { 97 case 'd': 98 dflag = 1; 99 break; 100 case 'f': 101 fflag = 1; 102 iflag = 0; 103 break; 104 case 'i': 105 fflag = 0; 106 iflag = 1; 107 break; 108 case 'P': 109 Pflag = 1; 110 break; 111 case 'R': 112 case 'r': /* Compatibility. */ 113 rflag = 1; 114 break; 115 case 'v': 116 vflag = 1; 117 break; 118 case 'W': 119 Wflag = 1; 120 break; 121 case '?': 122 default: 123 usage(); 124 } 125 argc -= optind; 126 argv += optind; 127 128 if (argc < 1) { 129 if (fflag) 130 return 0; 131 usage(); 132 } 133 134 checkdot(argv); 135 136 if (*argv) { 137 stdin_ok = isatty(STDIN_FILENO); 138 139 if (rflag) 140 rm_tree(argv); 141 else 142 rm_file(argv); 143 } 144 145 exit(eval); 146 /* NOTREACHED */ 147 } 148 149 static void 150 rm_tree(char **argv) 151 { 152 FTS *fts; 153 FTSENT *p; 154 int flags, needstat, rval; 155 156 /* 157 * Remove a file hierarchy. If forcing removal (-f), or interactive 158 * (-i) or can't ask anyway (stdin_ok), don't stat the file. 159 */ 160 needstat = !fflag && !iflag && stdin_ok; 161 162 /* 163 * If the -i option is specified, the user can skip on the pre-order 164 * visit. The fts_number field flags skipped directories. 165 */ 166 #define SKIPPED 1 167 168 flags = FTS_PHYSICAL; 169 if (!needstat) 170 flags |= FTS_NOSTAT; 171 if (Wflag) 172 flags |= FTS_WHITEOUT; 173 if ((fts = fts_open(argv, flags, NULL)) == NULL) 174 err(1, "fts_open failed"); 175 while ((p = fts_read(fts)) != NULL) { 176 177 switch (p->fts_info) { 178 case FTS_DNR: 179 if (!fflag || p->fts_errno != ENOENT) { 180 warnx("%s: %s", p->fts_path, 181 strerror(p->fts_errno)); 182 eval = 1; 183 } 184 continue; 185 case FTS_ERR: 186 errx(EXIT_FAILURE, "%s: %s", p->fts_path, 187 strerror(p->fts_errno)); 188 /* NOTREACHED */ 189 case FTS_NS: 190 /* 191 * FTS_NS: assume that if can't stat the file, it 192 * can't be unlinked. 193 */ 194 if (fflag && NONEXISTENT(p->fts_errno)) 195 continue; 196 if (needstat) { 197 warnx("%s: %s", p->fts_path, 198 strerror(p->fts_errno)); 199 eval = 1; 200 continue; 201 } 202 break; 203 case FTS_D: 204 /* Pre-order: give user chance to skip. */ 205 if (!fflag && !check(p->fts_path, p->fts_accpath, 206 p->fts_statp)) { 207 (void)fts_set(fts, p, FTS_SKIP); 208 p->fts_number = SKIPPED; 209 } 210 continue; 211 case FTS_DP: 212 /* Post-order: see if user skipped. */ 213 if (p->fts_number == SKIPPED) 214 continue; 215 break; 216 default: 217 if (!fflag && 218 !check(p->fts_path, p->fts_accpath, p->fts_statp)) 219 continue; 220 } 221 222 rval = 0; 223 /* 224 * If we can't read or search the directory, may still be 225 * able to remove it. Don't print out the un{read,search}able 226 * message unless the remove fails. 227 */ 228 switch (p->fts_info) { 229 case FTS_DP: 230 case FTS_DNR: 231 rval = rmdir(p->fts_accpath); 232 if (rval != 0 && fflag && errno == ENOENT) 233 continue; 234 break; 235 236 case FTS_W: 237 rval = undelete(p->fts_accpath); 238 if (rval != 0 && fflag && errno == ENOENT) 239 continue; 240 break; 241 242 default: 243 if (Pflag) { 244 if (rm_overwrite(p->fts_accpath, NULL)) 245 continue; 246 } 247 rval = unlink(p->fts_accpath); 248 if (rval != 0 && fflag && NONEXISTENT(errno)) 249 continue; 250 break; 251 } 252 if (rval != 0) { 253 warn("%s", p->fts_path); 254 eval = 1; 255 } else if (vflag) 256 (void)printf("%s\n", p->fts_path); 257 } 258 if (errno) 259 err(1, "fts_read"); 260 fts_close(fts); 261 } 262 263 static void 264 rm_file(char **argv) 265 { 266 struct stat sb; 267 int rval; 268 char *f; 269 270 /* 271 * Remove a file. POSIX 1003.2 states that, by default, attempting 272 * to remove a directory is an error, so must always stat the file. 273 */ 274 while ((f = *argv++) != NULL) { 275 /* Assume if can't stat the file, can't unlink it. */ 276 if (lstat(f, &sb)) { 277 if (Wflag) { 278 sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR; 279 } else { 280 if (!fflag || !NONEXISTENT(errno)) { 281 warn("%s", f); 282 eval = 1; 283 } 284 continue; 285 } 286 } else if (Wflag) { 287 warnx("%s: %s", f, strerror(EEXIST)); 288 eval = 1; 289 continue; 290 } 291 292 if (S_ISDIR(sb.st_mode) && !dflag) { 293 warnx("%s: is a directory", f); 294 eval = 1; 295 continue; 296 } 297 if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb)) 298 continue; 299 if (S_ISWHT(sb.st_mode)) 300 rval = undelete(f); 301 else if (S_ISDIR(sb.st_mode)) 302 rval = rmdir(f); 303 else { 304 if (Pflag) { 305 if (rm_overwrite(f, &sb)) 306 continue; 307 } 308 rval = unlink(f); 309 } 310 if (rval && (!fflag || !NONEXISTENT(errno))) { 311 warn("%s", f); 312 eval = 1; 313 } 314 if (vflag && rval == 0) 315 (void)printf("%s\n", f); 316 } 317 } 318 319 /* 320 * rm_overwrite -- 321 * Overwrite the file 3 times with varying bit patterns. 322 * 323 * This is an expensive way to keep people from recovering files from your 324 * non-snapshotted FFS filesystems using fsdb(8). Really. No more. Only 325 * regular files are deleted, directories (and therefore names) will remain. 326 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a 327 * System V file system). In a logging file system, you'll have to have 328 * kernel support. 329 * 330 * A note on standards: U.S. DoD 5220.22-M "National Industrial Security 331 * Program Operating Manual" ("NISPOM") is often cited as a reference 332 * for clearing and sanitizing magnetic media. In fact, a matrix of 333 * "clearing" and "sanitization" methods for various media was given in 334 * Chapter 8 of the original 1995 version of NISPOM. However, that 335 * matrix was *removed from the document* when Chapter 8 was rewritten 336 * in Change 2 to the document in 2001. Recently, the Defense Security 337 * Service has made a revised clearing and sanitization matrix available 338 * in Microsoft Word format on the DSS web site. The standardization 339 * status of this matrix is unclear. Furthermore, one must be very 340 * careful when referring to this matrix: it is intended for the "clearing" 341 * prior to reuse or "sanitization" prior to disposal of *entire media*, 342 * not individual files and the only non-physically-destructive method of 343 * "sanitization" that is permitted for magnetic disks of any kind is 344 * specifically noted to be prohibited for media that have contained 345 * Top Secret data. 346 * 347 * It is impossible to actually conform to the exact procedure given in 348 * the matrix if one is overwriting a file, not an entire disk, because 349 * the procedure requires examination and comparison of the disk's defect 350 * lists. Any program that claims to securely erase *files* while 351 * conforming to the standard, then, is not correct. We do as much of 352 * what the standard requires as can actually be done when erasing a 353 * file, rather than an entire disk; but that does not make us conformant. 354 * 355 * Furthermore, the presence of track caches, disk and controller write 356 * caches, and so forth make it extremely difficult to ensure that data 357 * have actually been written to the disk, particularly when one tries 358 * to repeatedly overwrite the same sectors in quick succession. We call 359 * fsync(), but controllers with nonvolatile cache, as well as IDE disks 360 * that just plain lie about the stable storage of data, will defeat this. 361 * 362 * Finally, widely respected research suggests that the given procedure 363 * is nowhere near sufficient to prevent the recovery of data using special 364 * forensic equipment and techniques that are well-known. This is 365 * presumably one reason that the matrix requires physical media destruction, 366 * rather than any technique of the sort attempted here, for secret data. 367 * 368 * Caveat Emptor. 369 * 370 * rm_overwrite will return 0 on success. 371 */ 372 373 static int 374 rm_overwrite(char *file, struct stat *sbp) 375 { 376 struct stat sb; 377 int fd, randint; 378 char randchar; 379 380 fd = -1; 381 if (sbp == NULL) { 382 if (lstat(file, &sb)) 383 goto err; 384 sbp = &sb; 385 } 386 if (!S_ISREG(sbp->st_mode)) 387 return 0; 388 389 /* flags to try to defeat hidden caching by forcing seeks */ 390 if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC, 0)) == -1) 391 goto err; 392 393 #define RAND_BYTES 1 394 #define THIS_BYTE 0 395 396 #define WRITE_PASS(mode, byte) do { \ 397 off_t len; \ 398 size_t wlen, i; \ 399 char buf[8 * 1024]; \ 400 \ 401 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 402 goto err; \ 403 \ 404 if (mode == THIS_BYTE) \ 405 memset(buf, byte, sizeof(buf)); \ 406 for (len = sbp->st_size; len > 0; len -= wlen) { \ 407 if (mode == RAND_BYTES) { \ 408 for (i = 0; i < sizeof(buf); \ 409 i+= sizeof(u_int32_t)) \ 410 *(int *)(buf + i) = arc4random(); \ 411 } \ 412 wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \ 413 if ((size_t)write(fd, buf, wlen) != wlen) \ 414 goto err; \ 415 } \ 416 sync(); /* another poke at hidden caches */ \ 417 } while (/* CONSTCOND */ 0) 418 419 #define READ_PASS(byte) do { \ 420 off_t len; \ 421 size_t rlen; \ 422 char pattern[8 * 1024]; \ 423 char buf[8 * 1024]; \ 424 \ 425 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 426 goto err; \ 427 \ 428 memset(pattern, byte, sizeof(pattern)); \ 429 for(len = sbp->st_size; len > 0; len -= rlen) { \ 430 rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \ 431 if((size_t)read(fd, buf, rlen) != rlen) \ 432 goto err; \ 433 if(memcmp(buf, pattern, rlen)) \ 434 goto err; \ 435 } \ 436 sync(); /* another poke at hidden caches */ \ 437 } while (/* CONSTCOND */ 0) 438 439 /* 440 * DSS sanitization matrix "clear" for magnetic disks: 441 * option 'c' "Overwrite all addressable locations with a single 442 * character." 443 */ 444 randint = arc4random(); 445 randchar = *(char *)&randint; 446 WRITE_PASS(THIS_BYTE, randchar); 447 448 /* 449 * DSS sanitization matrix "sanitize" for magnetic disks: 450 * option 'd', sub 2 "Overwrite all addressable locations with a 451 * character, then its complement. Verify "complement" character 452 * was written successfully to all addressable locations, then 453 * overwrite all addressable locations with random characters; or 454 * verify third overwrite of random characters." The rest of the 455 * text in d-sub-2 specifies requirements for overwriting spared 456 * sectors; we cannot conform to it when erasing only a file, thus 457 * we do not conform to the standard. 458 */ 459 460 /* 1. "a character" */ 461 WRITE_PASS(THIS_BYTE, 0xff); 462 463 /* 2. "its complement" */ 464 WRITE_PASS(THIS_BYTE, 0x00); 465 466 /* 3. "Verify 'complement' character" */ 467 READ_PASS(0x00); 468 469 /* 4. "overwrite all addressable locations with random characters" */ 470 471 WRITE_PASS(RAND_BYTES, 0x00); 472 473 /* 474 * As the file might be huge, and we note that this revision of 475 * the matrix says "random characters", not "a random character" 476 * as the original did, we do not verify the random-character 477 * write; the "or" in the standard allows this. 478 */ 479 480 if (close(fd) == -1) { 481 fd = -1; 482 goto err; 483 } 484 485 return 0; 486 487 err: eval = 1; 488 warn("%s", file); 489 if (fd != -1) 490 close(fd); 491 return 1; 492 } 493 494 static int 495 check(char *path, char *name, struct stat *sp) 496 { 497 int ch, first; 498 char modep[15]; 499 500 /* Check -i first. */ 501 if (iflag) 502 (void)fprintf(stderr, "remove '%s'? ", path); 503 else { 504 /* 505 * If it's not a symbolic link and it's unwritable and we're 506 * talking to a terminal, ask. Symbolic links are excluded 507 * because their permissions are meaningless. Check stdin_ok 508 * first because we may not have stat'ed the file. 509 */ 510 if (!stdin_ok || S_ISLNK(sp->st_mode) || 511 !(access(name, W_OK) && (errno != ETXTBSY))) 512 return (1); 513 strmode(sp->st_mode, modep); 514 if (Pflag) { 515 warnx( 516 "%s: -P was specified but file could not" 517 " be overwritten", path); 518 return 0; 519 } 520 (void)fprintf(stderr, "override %s%s%s:%s for '%s'? ", 521 modep + 1, modep[9] == ' ' ? "" : " ", 522 user_from_uid(sp->st_uid, 0), 523 group_from_gid(sp->st_gid, 0), path); 524 } 525 (void)fflush(stderr); 526 527 first = ch = getchar(); 528 while (ch != '\n' && ch != EOF) 529 ch = getchar(); 530 return (first == 'y' || first == 'Y'); 531 } 532 533 /* 534 * POSIX.2 requires that if "." or ".." are specified as the basename 535 * portion of an operand, a diagnostic message be written to standard 536 * error and nothing more be done with such operands. 537 * 538 * Since POSIX.2 defines basename as the final portion of a path after 539 * trailing slashes have been removed, we'll remove them here. 540 */ 541 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2]))) 542 static void 543 checkdot(char **argv) 544 { 545 char *p, **save, **t; 546 int complained; 547 548 complained = 0; 549 for (t = argv; *t;) { 550 /* strip trailing slashes */ 551 p = strrchr(*t, '\0'); 552 while (--p > *t && *p == '/') 553 *p = '\0'; 554 555 /* extract basename */ 556 if ((p = strrchr(*t, '/')) != NULL) 557 ++p; 558 else 559 p = *t; 560 561 if (ISDOT(p)) { 562 if (!complained++) 563 warnx("\".\" and \"..\" may not be removed"); 564 eval = 1; 565 for (save = t; (t[0] = t[1]) != NULL; ++t) 566 continue; 567 t = save; 568 } else 569 ++t; 570 } 571 } 572 573 static void 574 usage(void) 575 { 576 577 (void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvW] file ...\n", 578 getprogname()); 579 exit(1); 580 /* NOTREACHED */ 581 } 582
Indexes created Mon Sep 29 15:09:53 GMT 2025