1 /* $NetBSD: rm.c,v 1.52 2012/06/13 07:35:37 dholland Exp $ */ 2 3 /*- 4 * Copyright (c) 1990, 1993, 1994, 2003 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\ 35 The Regents of the University of California. All rights reserved."); 36 #endif /* not lint */ 37 38 #ifndef lint 39 #if 0 40 static char sccsid[] = "@(#)rm.c 8.8 (Berkeley) 4/27/95"; 41 #else 42 __RCSID("$NetBSD: rm.c,v 1.52 2012/06/13 07:35:37 dholland Exp $"); 43 #endif 44 #endif /* not lint */ 45 46 #include <sys/param.h> 47 #include <sys/stat.h> 48 #include <sys/types.h> 49 50 #include <err.h> 51 #include <errno.h> 52 #include <fcntl.h> 53 #include <fts.h> 54 #include <grp.h> 55 #include <locale.h> 56 #include <pwd.h> 57 #include <signal.h> 58 #include <stdio.h> 59 #include <stdlib.h> 60 #include <string.h> 61 #include <unistd.h> 62 63 static int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag; 64 static sig_atomic_t pinfo; 65 66 static int check(char *, char *, struct stat *); 67 static void checkdot(char **); 68 static void progress(int); 69 static void rm_file(char **); 70 static int rm_overwrite(char *, struct stat *); 71 static void rm_tree(char **); 72 __dead static void usage(void); 73 74 /* 75 * For the sake of the `-f' flag, check whether an error number indicates the 76 * failure of an operation due to an non-existent file, either per se (ENOENT) 77 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR). 78 */ 79 #define NONEXISTENT(x) \ 80 ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR) 81 82 /* 83 * rm -- 84 * This rm is different from historic rm's, but is expected to match 85 * POSIX 1003.2 behavior. The most visible difference is that -f 86 * has two specific effects now, ignore non-existent files and force 87 * file removal. 88 */ 89 int 90 main(int argc, char *argv[]) 91 { 92 int ch, rflag; 93 94 setprogname(argv[0]); 95 (void)setlocale(LC_ALL, ""); 96 97 Pflag = rflag = 0; 98 while ((ch = getopt(argc, argv, "dfiPRrvW")) != -1) 99 switch (ch) { 100 case 'd': 101 dflag = 1; 102 break; 103 case 'f': 104 fflag = 1; 105 iflag = 0; 106 break; 107 case 'i': 108 fflag = 0; 109 iflag = 1; 110 break; 111 case 'P': 112 Pflag = 1; 113 break; 114 case 'R': 115 case 'r': /* Compatibility. */ 116 rflag = 1; 117 break; 118 case 'v': 119 vflag = 1; 120 break; 121 case 'W': 122 Wflag = 1; 123 break; 124 case '?': 125 default: 126 usage(); 127 } 128 argc -= optind; 129 argv += optind; 130 131 if (argc < 1) { 132 if (fflag) 133 return 0; 134 usage(); 135 } 136 137 (void)signal(SIGINFO, progress); 138 139 checkdot(argv); 140 141 if (*argv) { 142 stdin_ok = isatty(STDIN_FILENO); 143 144 if (rflag) 145 rm_tree(argv); 146 else 147 rm_file(argv); 148 } 149 150 exit(eval); 151 /* NOTREACHED */ 152 } 153 154 static void 155 rm_tree(char **argv) 156 { 157 FTS *fts; 158 FTSENT *p; 159 int flags, needstat, rval; 160 161 /* 162 * Remove a file hierarchy. If forcing removal (-f), or interactive 163 * (-i) or can't ask anyway (stdin_ok), don't stat the file. 164 */ 165 needstat = !fflag && !iflag && stdin_ok; 166 167 /* 168 * If the -i option is specified, the user can skip on the pre-order 169 * visit. The fts_number field flags skipped directories. 170 */ 171 #define SKIPPED 1 172 173 flags = FTS_PHYSICAL; 174 if (!needstat) 175 flags |= FTS_NOSTAT; 176 if (Wflag) 177 flags |= FTS_WHITEOUT; 178 if ((fts = fts_open(argv, flags, NULL)) == NULL) 179 err(1, "fts_open failed"); 180 while ((p = fts_read(fts)) != NULL) { 181 182 switch (p->fts_info) { 183 case FTS_DNR: 184 if (!fflag || p->fts_errno != ENOENT) { 185 warnx("%s: %s", p->fts_path, 186 strerror(p->fts_errno)); 187 eval = 1; 188 } 189 continue; 190 case FTS_ERR: 191 errx(EXIT_FAILURE, "%s: %s", p->fts_path, 192 strerror(p->fts_errno)); 193 /* NOTREACHED */ 194 case FTS_NS: 195 /* 196 * FTS_NS: assume that if can't stat the file, it 197 * can't be unlinked. 198 */ 199 if (fflag && NONEXISTENT(p->fts_errno)) 200 continue; 201 if (needstat) { 202 warnx("%s: %s", p->fts_path, 203 strerror(p->fts_errno)); 204 eval = 1; 205 continue; 206 } 207 break; 208 case FTS_D: 209 /* Pre-order: give user chance to skip. */ 210 if (!fflag && !check(p->fts_path, p->fts_accpath, 211 p->fts_statp)) { 212 (void)fts_set(fts, p, FTS_SKIP); 213 p->fts_number = SKIPPED; 214 } 215 continue; 216 case FTS_DP: 217 /* Post-order: see if user skipped. */ 218 if (p->fts_number == SKIPPED) 219 continue; 220 break; 221 default: 222 if (!fflag && 223 !check(p->fts_path, p->fts_accpath, p->fts_statp)) 224 continue; 225 } 226 227 rval = 0; 228 /* 229 * If we can't read or search the directory, may still be 230 * able to remove it. Don't print out the un{read,search}able 231 * message unless the remove fails. 232 */ 233 switch (p->fts_info) { 234 case FTS_DP: 235 case FTS_DNR: 236 rval = rmdir(p->fts_accpath); 237 if (rval != 0 && fflag && errno == ENOENT) 238 continue; 239 break; 240 241 case FTS_W: 242 rval = undelete(p->fts_accpath); 243 if (rval != 0 && fflag && errno == ENOENT) 244 continue; 245 break; 246 247 default: 248 if (Pflag) { 249 if (rm_overwrite(p->fts_accpath, NULL)) 250 continue; 251 } 252 rval = unlink(p->fts_accpath); 253 if (rval != 0 && fflag && NONEXISTENT(errno)) 254 continue; 255 break; 256 } 257 if (rval != 0) { 258 warn("%s", p->fts_path); 259 eval = 1; 260 } else if (vflag || pinfo) { 261 pinfo = 0; 262 (void)printf("%s\n", p->fts_path); 263 } 264 } 265 if (errno) 266 err(1, "fts_read"); 267 fts_close(fts); 268 } 269 270 static void 271 rm_file(char **argv) 272 { 273 struct stat sb; 274 int rval; 275 char *f; 276 277 /* 278 * Remove a file. POSIX 1003.2 states that, by default, attempting 279 * to remove a directory is an error, so must always stat the file. 280 */ 281 while ((f = *argv++) != NULL) { 282 /* Assume if can't stat the file, can't unlink it. */ 283 if (lstat(f, &sb)) { 284 if (Wflag) { 285 sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR; 286 } else { 287 if (!fflag || !NONEXISTENT(errno)) { 288 warn("%s", f); 289 eval = 1; 290 } 291 continue; 292 } 293 } else if (Wflag) { 294 warnx("%s: %s", f, strerror(EEXIST)); 295 eval = 1; 296 continue; 297 } 298 299 if (S_ISDIR(sb.st_mode) && !dflag) { 300 warnx("%s: is a directory", f); 301 eval = 1; 302 continue; 303 } 304 if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb)) 305 continue; 306 if (S_ISWHT(sb.st_mode)) 307 rval = undelete(f); 308 else if (S_ISDIR(sb.st_mode)) 309 rval = rmdir(f); 310 else { 311 if (Pflag) { 312 if (rm_overwrite(f, &sb)) 313 continue; 314 } 315 rval = unlink(f); 316 } 317 if (rval && (!fflag || !NONEXISTENT(errno))) { 318 warn("%s", f); 319 eval = 1; 320 } 321 if (vflag && rval == 0) 322 (void)printf("%s\n", f); 323 } 324 } 325 326 /* 327 * rm_overwrite -- 328 * Overwrite the file 3 times with varying bit patterns. 329 * 330 * This is an expensive way to keep people from recovering files from your 331 * non-snapshotted FFS filesystems using fsdb(8). Really. No more. Only 332 * regular files are deleted, directories (and therefore names) will remain. 333 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a 334 * System V file system). In a logging file system, you'll have to have 335 * kernel support. 336 * 337 * A note on standards: U.S. DoD 5220.22-M "National Industrial Security 338 * Program Operating Manual" ("NISPOM") is often cited as a reference 339 * for clearing and sanitizing magnetic media. In fact, a matrix of 340 * "clearing" and "sanitization" methods for various media was given in 341 * Chapter 8 of the original 1995 version of NISPOM. However, that 342 * matrix was *removed from the document* when Chapter 8 was rewritten 343 * in Change 2 to the document in 2001. Recently, the Defense Security 344 * Service has made a revised clearing and sanitization matrix available 345 * in Microsoft Word format on the DSS web site. The standardization 346 * status of this matrix is unclear. Furthermore, one must be very 347 * careful when referring to this matrix: it is intended for the "clearing" 348 * prior to reuse or "sanitization" prior to disposal of *entire media*, 349 * not individual files and the only non-physically-destructive method of 350 * "sanitization" that is permitted for magnetic disks of any kind is 351 * specifically noted to be prohibited for media that have contained 352 * Top Secret data. 353 * 354 * It is impossible to actually conform to the exact procedure given in 355 * the matrix if one is overwriting a file, not an entire disk, because 356 * the procedure requires examination and comparison of the disk's defect 357 * lists. Any program that claims to securely erase *files* while 358 * conforming to the standard, then, is not correct. We do as much of 359 * what the standard requires as can actually be done when erasing a 360 * file, rather than an entire disk; but that does not make us conformant. 361 * 362 * Furthermore, the presence of track caches, disk and controller write 363 * caches, and so forth make it extremely difficult to ensure that data 364 * have actually been written to the disk, particularly when one tries 365 * to repeatedly overwrite the same sectors in quick succession. We call 366 * fsync(), but controllers with nonvolatile cache, as well as IDE disks 367 * that just plain lie about the stable storage of data, will defeat this. 368 * 369 * Finally, widely respected research suggests that the given procedure 370 * is nowhere near sufficient to prevent the recovery of data using special 371 * forensic equipment and techniques that are well-known. This is 372 * presumably one reason that the matrix requires physical media destruction, 373 * rather than any technique of the sort attempted here, for secret data. 374 * 375 * Caveat Emptor. 376 * 377 * rm_overwrite will return 0 on success. 378 */ 379 380 static int 381 rm_overwrite(char *file, struct stat *sbp) 382 { 383 struct stat sb, sb2; 384 int fd, randint; 385 char randchar; 386 387 fd = -1; 388 if (sbp == NULL) { 389 if (lstat(file, &sb)) 390 goto err; 391 sbp = &sb; 392 } 393 if (!S_ISREG(sbp->st_mode)) 394 return 0; 395 396 /* flags to try to defeat hidden caching by forcing seeks */ 397 if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC|O_NOFOLLOW, 0)) == -1) 398 goto err; 399 400 if (fstat(fd, &sb2)) { 401 goto err; 402 } 403 404 if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino || 405 !S_ISREG(sb2.st_mode)) { 406 errno = EPERM; 407 goto err; 408 } 409 410 #define RAND_BYTES 1 411 #define THIS_BYTE 0 412 413 #define WRITE_PASS(mode, byte) do { \ 414 off_t len; \ 415 size_t wlen, i; \ 416 char buf[8 * 1024]; \ 417 \ 418 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 419 goto err; \ 420 \ 421 if (mode == THIS_BYTE) \ 422 memset(buf, byte, sizeof(buf)); \ 423 for (len = sbp->st_size; len > 0; len -= wlen) { \ 424 if (mode == RAND_BYTES) { \ 425 for (i = 0; i < sizeof(buf); \ 426 i+= sizeof(u_int32_t)) \ 427 *(int *)(buf + i) = arc4random(); \ 428 } \ 429 wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \ 430 if ((size_t)write(fd, buf, wlen) != wlen) \ 431 goto err; \ 432 } \ 433 sync(); /* another poke at hidden caches */ \ 434 } while (/* CONSTCOND */ 0) 435 436 #define READ_PASS(byte) do { \ 437 off_t len; \ 438 size_t rlen; \ 439 char pattern[8 * 1024]; \ 440 char buf[8 * 1024]; \ 441 \ 442 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 443 goto err; \ 444 \ 445 memset(pattern, byte, sizeof(pattern)); \ 446 for(len = sbp->st_size; len > 0; len -= rlen) { \ 447 rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \ 448 if((size_t)read(fd, buf, rlen) != rlen) \ 449 goto err; \ 450 if(memcmp(buf, pattern, rlen)) \ 451 goto err; \ 452 } \ 453 sync(); /* another poke at hidden caches */ \ 454 } while (/* CONSTCOND */ 0) 455 456 /* 457 * DSS sanitization matrix "clear" for magnetic disks: 458 * option 'c' "Overwrite all addressable locations with a single 459 * character." 460 */ 461 randint = arc4random(); 462 randchar = *(char *)&randint; 463 WRITE_PASS(THIS_BYTE, randchar); 464 465 /* 466 * DSS sanitization matrix "sanitize" for magnetic disks: 467 * option 'd', sub 2 "Overwrite all addressable locations with a 468 * character, then its complement. Verify "complement" character 469 * was written successfully to all addressable locations, then 470 * overwrite all addressable locations with random characters; or 471 * verify third overwrite of random characters." The rest of the 472 * text in d-sub-2 specifies requirements for overwriting spared 473 * sectors; we cannot conform to it when erasing only a file, thus 474 * we do not conform to the standard. 475 */ 476 477 /* 1. "a character" */ 478 WRITE_PASS(THIS_BYTE, 0xff); 479 480 /* 2. "its complement" */ 481 WRITE_PASS(THIS_BYTE, 0x00); 482 483 /* 3. "Verify 'complement' character" */ 484 READ_PASS(0x00); 485 486 /* 4. "overwrite all addressable locations with random characters" */ 487 488 WRITE_PASS(RAND_BYTES, 0x00); 489 490 /* 491 * As the file might be huge, and we note that this revision of 492 * the matrix says "random characters", not "a random character" 493 * as the original did, we do not verify the random-character 494 * write; the "or" in the standard allows this. 495 */ 496 497 if (close(fd) == -1) { 498 fd = -1; 499 goto err; 500 } 501 502 return 0; 503 504 err: eval = 1; 505 warn("%s", file); 506 if (fd != -1) 507 close(fd); 508 return 1; 509 } 510 511 static int 512 check(char *path, char *name, struct stat *sp) 513 { 514 int ch, first; 515 char modep[15]; 516 517 /* Check -i first. */ 518 if (iflag) 519 (void)fprintf(stderr, "remove '%s'? ", path); 520 else { 521 /* 522 * If it's not a symbolic link and it's unwritable and we're 523 * talking to a terminal, ask. Symbolic links are excluded 524 * because their permissions are meaningless. Check stdin_ok 525 * first because we may not have stat'ed the file. 526 */ 527 if (!stdin_ok || S_ISLNK(sp->st_mode) || 528 !(access(name, W_OK) && (errno != ETXTBSY))) 529 return (1); 530 strmode(sp->st_mode, modep); 531 if (Pflag) { 532 warnx( 533 "%s: -P was specified but file could not" 534 " be overwritten", path); 535 return 0; 536 } 537 (void)fprintf(stderr, "override %s%s%s:%s for '%s'? ", 538 modep + 1, modep[9] == ' ' ? "" : " ", 539 user_from_uid(sp->st_uid, 0), 540 group_from_gid(sp->st_gid, 0), path); 541 } 542 (void)fflush(stderr); 543 544 first = ch = getchar(); 545 while (ch != '\n' && ch != EOF) 546 ch = getchar(); 547 return (first == 'y' || first == 'Y'); 548 } 549 550 /* 551 * POSIX.2 requires that if "." or ".." are specified as the basename 552 * portion of an operand, a diagnostic message be written to standard 553 * error and nothing more be done with such operands. 554 * 555 * Since POSIX.2 defines basename as the final portion of a path after 556 * trailing slashes have been removed, we'll remove them here. 557 */ 558 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2]))) 559 static void 560 checkdot(char **argv) 561 { 562 char *p, **save, **t; 563 int complained; 564 565 complained = 0; 566 for (t = argv; *t;) { 567 /* strip trailing slashes */ 568 p = strrchr(*t, '\0'); 569 while (--p > *t && *p == '/') 570 *p = '\0'; 571 572 /* extract basename */ 573 if ((p = strrchr(*t, '/')) != NULL) 574 ++p; 575 else 576 p = *t; 577 578 if (ISDOT(p)) { 579 if (!complained++) 580 warnx("\".\" and \"..\" may not be removed"); 581 eval = 1; 582 for (save = t; (t[0] = t[1]) != NULL; ++t) 583 continue; 584 t = save; 585 } else 586 ++t; 587 } 588 } 589 590 static void 591 usage(void) 592 { 593 594 (void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvW] file ...\n", 595 getprogname()); 596 exit(1); 597 /* NOTREACHED */ 598 } 599 600 static void 601 progress(int sig __unused) 602 { 603 604 pinfo++; 605 } 606