1 /* $NetBSD: rm.c,v 1.53 2013/04/26 18:43:22 christos Exp $ */
2
3 /*-
4 * Copyright (c) 1990, 1993, 1994, 2003
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 #ifndef lint
34 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\
35 The Regents of the University of California. All rights reserved.");
36 #endif /* not lint */
37
38 #ifndef lint
39 #if 0
40 static char sccsid[] = "@(#)rm.c 8.8 (Berkeley) 4/27/95";
41 #else
42 __RCSID("$NetBSD: rm.c,v 1.53 2013/04/26 18:43:22 christos Exp $");
43 #endif
44 #endif /* not lint */
45
46 #include <sys/param.h>
47 #include <sys/stat.h>
48 #include <sys/types.h>
49
50 #include <err.h>
51 #include <errno.h>
52 #include <fcntl.h>
53 #include <fts.h>
54 #include <grp.h>
55 #include <locale.h>
56 #include <pwd.h>
57 #include <signal.h>
58 #include <stdio.h>
59 #include <stdlib.h>
60 #include <string.h>
61 #include <unistd.h>
62
63 static int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag;
64 static int xflag;
65 static sig_atomic_t pinfo;
66
67 static int check(char *, char *, struct stat *);
68 static void checkdot(char **);
69 static void progress(int);
70 static void rm_file(char **);
71 static int rm_overwrite(char *, struct stat *);
72 static void rm_tree(char **);
73 __dead static void usage(void);
74
75 #if defined(__minix)
76 # ifndef O_SYNC
77 # define O_SYNC 0
78 # endif
79 # ifndef O_RSYNC
80 # define O_RSYNC 0
81 # endif
82 #endif /* defined(__minix) */
83
84 /*
85 * For the sake of the `-f' flag, check whether an error number indicates the
86 * failure of an operation due to an non-existent file, either per se (ENOENT)
87 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR).
88 */
89 #define NONEXISTENT(x) \
90 ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR)
91
92 /*
93 * rm --
94 * This rm is different from historic rm's, but is expected to match
95 * POSIX 1003.2 behavior. The most visible difference is that -f
96 * has two specific effects now, ignore non-existent files and force
97 * file removal.
98 */
99 int
main(int argc,char * argv[])100 main(int argc, char *argv[])
101 {
102 int ch, rflag;
103
104 setprogname(argv[0]);
105 (void)setlocale(LC_ALL, "");
106
107 Pflag = rflag = xflag = 0;
108 while ((ch = getopt(argc, argv, "dfiPRrvWx")) != -1)
109 switch (ch) {
110 case 'd':
111 dflag = 1;
112 break;
113 case 'f':
114 fflag = 1;
115 iflag = 0;
116 break;
117 case 'i':
118 fflag = 0;
119 iflag = 1;
120 break;
121 case 'P':
122 Pflag = 1;
123 break;
124 case 'R':
125 case 'r': /* Compatibility. */
126 rflag = 1;
127 break;
128 case 'v':
129 vflag = 1;
130 break;
131 case 'x':
132 xflag = 1;
133 break;
134 case 'W':
135 Wflag = 1;
136 break;
137 case '?':
138 default:
139 usage();
140 }
141 argc -= optind;
142 argv += optind;
143
144 if (argc < 1) {
145 if (fflag)
146 return 0;
147 usage();
148 }
149
150 (void)signal(SIGINFO, progress);
151
152 checkdot(argv);
153
154 if (*argv) {
155 stdin_ok = isatty(STDIN_FILENO);
156
157 if (rflag)
158 rm_tree(argv);
159 else
160 rm_file(argv);
161 }
162
163 exit(eval);
164 /* NOTREACHED */
165 }
166
167 static void
rm_tree(char ** argv)168 rm_tree(char **argv)
169 {
170 FTS *fts;
171 FTSENT *p;
172 int flags, needstat, rval;
173
174 /*
175 * Remove a file hierarchy. If forcing removal (-f), or interactive
176 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
177 */
178 needstat = !fflag && !iflag && stdin_ok;
179
180 /*
181 * If the -i option is specified, the user can skip on the pre-order
182 * visit. The fts_number field flags skipped directories.
183 */
184 #define SKIPPED 1
185
186 flags = FTS_PHYSICAL;
187 if (!needstat)
188 flags |= FTS_NOSTAT;
189 #if !defined(__minix)
190 if (Wflag)
191 flags |= FTS_WHITEOUT;
192 #endif /* !defined(__minix) */
193 if (xflag)
194 flags |= FTS_XDEV;
195 if ((fts = fts_open(argv, flags, NULL)) == NULL)
196 err(1, "fts_open failed");
197 while ((p = fts_read(fts)) != NULL) {
198
199 switch (p->fts_info) {
200 case FTS_DNR:
201 if (!fflag || p->fts_errno != ENOENT) {
202 warnx("%s: %s", p->fts_path,
203 strerror(p->fts_errno));
204 eval = 1;
205 }
206 continue;
207 case FTS_ERR:
208 errx(EXIT_FAILURE, "%s: %s", p->fts_path,
209 strerror(p->fts_errno));
210 /* NOTREACHED */
211 case FTS_NS:
212 /*
213 * FTS_NS: assume that if can't stat the file, it
214 * can't be unlinked.
215 */
216 if (fflag && NONEXISTENT(p->fts_errno))
217 continue;
218 if (needstat) {
219 warnx("%s: %s", p->fts_path,
220 strerror(p->fts_errno));
221 eval = 1;
222 continue;
223 }
224 break;
225 case FTS_D:
226 /* Pre-order: give user chance to skip. */
227 if (!fflag && !check(p->fts_path, p->fts_accpath,
228 p->fts_statp)) {
229 (void)fts_set(fts, p, FTS_SKIP);
230 p->fts_number = SKIPPED;
231 }
232 continue;
233 case FTS_DP:
234 /* Post-order: see if user skipped. */
235 if (p->fts_number == SKIPPED)
236 continue;
237 break;
238 default:
239 if (!fflag &&
240 !check(p->fts_path, p->fts_accpath, p->fts_statp))
241 continue;
242 }
243
244 rval = 0;
245 /*
246 * If we can't read or search the directory, may still be
247 * able to remove it. Don't print out the un{read,search}able
248 * message unless the remove fails.
249 */
250 switch (p->fts_info) {
251 case FTS_DP:
252 case FTS_DNR:
253 rval = rmdir(p->fts_accpath);
254 if (rval != 0 && fflag && errno == ENOENT)
255 continue;
256 break;
257
258 #if !defined(__minix)
259 case FTS_W:
260 rval = undelete(p->fts_accpath);
261 if (rval != 0 && fflag && errno == ENOENT)
262 continue;
263 break;
264 #endif /* !defined(__minix) */
265
266 default:
267 if (Pflag) {
268 if (rm_overwrite(p->fts_accpath, NULL))
269 continue;
270 }
271 rval = unlink(p->fts_accpath);
272 if (rval != 0 && fflag && NONEXISTENT(errno))
273 continue;
274 break;
275 }
276 if (rval != 0) {
277 warn("%s", p->fts_path);
278 eval = 1;
279 } else if (vflag || pinfo) {
280 pinfo = 0;
281 (void)printf("%s\n", p->fts_path);
282 }
283 }
284 if (errno)
285 err(1, "fts_read");
286 fts_close(fts);
287 }
288
289 static void
rm_file(char ** argv)290 rm_file(char **argv)
291 {
292 struct stat sb;
293 int rval;
294 char *f;
295
296 /*
297 * Remove a file. POSIX 1003.2 states that, by default, attempting
298 * to remove a directory is an error, so must always stat the file.
299 */
300 while ((f = *argv++) != NULL) {
301 /* Assume if can't stat the file, can't unlink it. */
302 if (lstat(f, &sb)) {
303 if (Wflag) {
304 #if defined(__minix)
305 sb.st_mode = S_IWUSR|S_IRUSR;
306 #else
307 sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR;
308 #endif /* defined(__minix) */
309 } else {
310 if (!fflag || !NONEXISTENT(errno)) {
311 warn("%s", f);
312 eval = 1;
313 }
314 continue;
315 }
316 } else if (Wflag) {
317 warnx("%s: %s", f, strerror(EEXIST));
318 eval = 1;
319 continue;
320 }
321
322 if (S_ISDIR(sb.st_mode) && !dflag) {
323 warnx("%s: is a directory", f);
324 eval = 1;
325 continue;
326 }
327 #if !defined(__minix)
328 if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb))
329 #else
330 if (!fflag && !check(f, f, &sb))
331 #endif /* !defined(__minix) */
332 continue;
333 #if !defined(__minix)
334 if (S_ISWHT(sb.st_mode))
335 rval = undelete(f);
336 else
337 #endif /* !defined(__minix) */
338 if (S_ISDIR(sb.st_mode))
339 rval = rmdir(f);
340 else {
341 if (Pflag) {
342 if (rm_overwrite(f, &sb))
343 continue;
344 }
345 rval = unlink(f);
346 }
347 if (rval && (!fflag || !NONEXISTENT(errno))) {
348 warn("%s", f);
349 eval = 1;
350 }
351 if (vflag && rval == 0)
352 (void)printf("%s\n", f);
353 }
354 }
355
356 /*
357 * rm_overwrite --
358 * Overwrite the file 3 times with varying bit patterns.
359 *
360 * This is an expensive way to keep people from recovering files from your
361 * non-snapshotted FFS filesystems using fsdb(8). Really. No more. Only
362 * regular files are deleted, directories (and therefore names) will remain.
363 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
364 * System V file system). In a logging file system, you'll have to have
365 * kernel support.
366 *
367 * A note on standards: U.S. DoD 5220.22-M "National Industrial Security
368 * Program Operating Manual" ("NISPOM") is often cited as a reference
369 * for clearing and sanitizing magnetic media. In fact, a matrix of
370 * "clearing" and "sanitization" methods for various media was given in
371 * Chapter 8 of the original 1995 version of NISPOM. However, that
372 * matrix was *removed from the document* when Chapter 8 was rewritten
373 * in Change 2 to the document in 2001. Recently, the Defense Security
374 * Service has made a revised clearing and sanitization matrix available
375 * in Microsoft Word format on the DSS web site. The standardization
376 * status of this matrix is unclear. Furthermore, one must be very
377 * careful when referring to this matrix: it is intended for the "clearing"
378 * prior to reuse or "sanitization" prior to disposal of *entire media*,
379 * not individual files and the only non-physically-destructive method of
380 * "sanitization" that is permitted for magnetic disks of any kind is
381 * specifically noted to be prohibited for media that have contained
382 * Top Secret data.
383 *
384 * It is impossible to actually conform to the exact procedure given in
385 * the matrix if one is overwriting a file, not an entire disk, because
386 * the procedure requires examination and comparison of the disk's defect
387 * lists. Any program that claims to securely erase *files* while
388 * conforming to the standard, then, is not correct. We do as much of
389 * what the standard requires as can actually be done when erasing a
390 * file, rather than an entire disk; but that does not make us conformant.
391 *
392 * Furthermore, the presence of track caches, disk and controller write
393 * caches, and so forth make it extremely difficult to ensure that data
394 * have actually been written to the disk, particularly when one tries
395 * to repeatedly overwrite the same sectors in quick succession. We call
396 * fsync(), but controllers with nonvolatile cache, as well as IDE disks
397 * that just plain lie about the stable storage of data, will defeat this.
398 *
399 * Finally, widely respected research suggests that the given procedure
400 * is nowhere near sufficient to prevent the recovery of data using special
401 * forensic equipment and techniques that are well-known. This is
402 * presumably one reason that the matrix requires physical media destruction,
403 * rather than any technique of the sort attempted here, for secret data.
404 *
405 * Caveat Emptor.
406 *
407 * rm_overwrite will return 0 on success.
408 */
409
410 static int
rm_overwrite(char * file,struct stat * sbp)411 rm_overwrite(char *file, struct stat *sbp)
412 {
413 struct stat sb, sb2;
414 int fd, randint;
415 char randchar;
416
417 fd = -1;
418 if (sbp == NULL) {
419 if (lstat(file, &sb))
420 goto err;
421 sbp = &sb;
422 }
423 if (!S_ISREG(sbp->st_mode))
424 return 0;
425
426 /* flags to try to defeat hidden caching by forcing seeks */
427 if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC|O_NOFOLLOW, 0)) == -1)
428 goto err;
429
430 if (fstat(fd, &sb2)) {
431 goto err;
432 }
433
434 if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino ||
435 !S_ISREG(sb2.st_mode)) {
436 errno = EPERM;
437 goto err;
438 }
439
440 #define RAND_BYTES 1
441 #define THIS_BYTE 0
442
443 #define WRITE_PASS(mode, byte) do { \
444 off_t len; \
445 size_t wlen, i; \
446 char buf[8 * 1024]; \
447 \
448 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \
449 goto err; \
450 \
451 if (mode == THIS_BYTE) \
452 memset(buf, byte, sizeof(buf)); \
453 for (len = sbp->st_size; len > 0; len -= wlen) { \
454 if (mode == RAND_BYTES) { \
455 for (i = 0; i < sizeof(buf); \
456 i+= sizeof(u_int32_t)) \
457 *(int *)(buf + i) = arc4random(); \
458 } \
459 wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
460 if ((size_t)write(fd, buf, wlen) != wlen) \
461 goto err; \
462 } \
463 sync(); /* another poke at hidden caches */ \
464 } while (/* CONSTCOND */ 0)
465
466 #define READ_PASS(byte) do { \
467 off_t len; \
468 size_t rlen; \
469 char pattern[8 * 1024]; \
470 char buf[8 * 1024]; \
471 \
472 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \
473 goto err; \
474 \
475 memset(pattern, byte, sizeof(pattern)); \
476 for(len = sbp->st_size; len > 0; len -= rlen) { \
477 rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
478 if((size_t)read(fd, buf, rlen) != rlen) \
479 goto err; \
480 if(memcmp(buf, pattern, rlen)) \
481 goto err; \
482 } \
483 sync(); /* another poke at hidden caches */ \
484 } while (/* CONSTCOND */ 0)
485
486 /*
487 * DSS sanitization matrix "clear" for magnetic disks:
488 * option 'c' "Overwrite all addressable locations with a single
489 * character."
490 */
491 randint = arc4random();
492 randchar = *(char *)&randint;
493 WRITE_PASS(THIS_BYTE, randchar);
494
495 /*
496 * DSS sanitization matrix "sanitize" for magnetic disks:
497 * option 'd', sub 2 "Overwrite all addressable locations with a
498 * character, then its complement. Verify "complement" character
499 * was written successfully to all addressable locations, then
500 * overwrite all addressable locations with random characters; or
501 * verify third overwrite of random characters." The rest of the
502 * text in d-sub-2 specifies requirements for overwriting spared
503 * sectors; we cannot conform to it when erasing only a file, thus
504 * we do not conform to the standard.
505 */
506
507 /* 1. "a character" */
508 WRITE_PASS(THIS_BYTE, 0xff);
509
510 /* 2. "its complement" */
511 WRITE_PASS(THIS_BYTE, 0x00);
512
513 /* 3. "Verify 'complement' character" */
514 READ_PASS(0x00);
515
516 /* 4. "overwrite all addressable locations with random characters" */
517
518 WRITE_PASS(RAND_BYTES, 0x00);
519
520 /*
521 * As the file might be huge, and we note that this revision of
522 * the matrix says "random characters", not "a random character"
523 * as the original did, we do not verify the random-character
524 * write; the "or" in the standard allows this.
525 */
526
527 if (close(fd) == -1) {
528 fd = -1;
529 goto err;
530 }
531
532 return 0;
533
534 err: eval = 1;
535 warn("%s", file);
536 if (fd != -1)
537 close(fd);
538 return 1;
539 }
540
541 static int
check(char * path,char * name,struct stat * sp)542 check(char *path, char *name, struct stat *sp)
543 {
544 int ch, first;
545 char modep[15];
546
547 /* Check -i first. */
548 if (iflag)
549 (void)fprintf(stderr, "remove '%s'? ", path);
550 else {
551 /*
552 * If it's not a symbolic link and it's unwritable and we're
553 * talking to a terminal, ask. Symbolic links are excluded
554 * because their permissions are meaningless. Check stdin_ok
555 * first because we may not have stat'ed the file.
556 */
557 if (!stdin_ok || S_ISLNK(sp->st_mode) ||
558 !(access(name, W_OK) && (errno != ETXTBSY)))
559 return (1);
560 strmode(sp->st_mode, modep);
561 if (Pflag) {
562 warnx(
563 "%s: -P was specified but file could not"
564 " be overwritten", path);
565 return 0;
566 }
567 (void)fprintf(stderr, "override %s%s%s:%s for '%s'? ",
568 modep + 1, modep[9] == ' ' ? "" : " ",
569 user_from_uid(sp->st_uid, 0),
570 group_from_gid(sp->st_gid, 0), path);
571 }
572 (void)fflush(stderr);
573
574 first = ch = getchar();
575 while (ch != '\n' && ch != EOF)
576 ch = getchar();
577 return (first == 'y' || first == 'Y');
578 }
579
580 /*
581 * POSIX.2 requires that if "." or ".." are specified as the basename
582 * portion of an operand, a diagnostic message be written to standard
583 * error and nothing more be done with such operands.
584 *
585 * Since POSIX.2 defines basename as the final portion of a path after
586 * trailing slashes have been removed, we'll remove them here.
587 */
588 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
589 static void
checkdot(char ** argv)590 checkdot(char **argv)
591 {
592 char *p, **save, **t;
593 int complained;
594
595 complained = 0;
596 for (t = argv; *t;) {
597 /* strip trailing slashes */
598 p = strrchr(*t, '\0');
599 while (--p > *t && *p == '/')
600 *p = '\0';
601
602 /* extract basename */
603 if ((p = strrchr(*t, '/')) != NULL)
604 ++p;
605 else
606 p = *t;
607
608 if (ISDOT(p)) {
609 if (!complained++)
610 warnx("\".\" and \"..\" may not be removed");
611 eval = 1;
612 for (save = t; (t[0] = t[1]) != NULL; ++t)
613 continue;
614 t = save;
615 } else
616 ++t;
617 }
618 }
619
620 static void
usage(void)621 usage(void)
622 {
623
624 (void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvWx] file ...\n",
625 getprogname());
626 exit(1);
627 /* NOTREACHED */
628 }
629
630 static void
progress(int sig __unused)631 progress(int sig __unused)
632 {
633
634 pinfo++;
635 }
636