xref: /netbsd-src/bin/rm/rm.c (revision a5847cc334d9a7029f6352b847e9e8d71a0f9e0c) 
1 /* $NetBSD: rm.c,v 1.50 2011/08/29 14:48:46 joerg Exp $ */
2 
3 /*-
4  * Copyright (c) 1990, 1993, 1994, 2003
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the University nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #include <sys/cdefs.h>
33 #ifndef lint
34 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\
35  The Regents of the University of California.  All rights reserved.");
36 #endif /* not lint */
37 
38 #ifndef lint
39 #if 0
40 static char sccsid[] = "@(#)rm.c	8.8 (Berkeley) 4/27/95";
41 #else
42 __RCSID("$NetBSD: rm.c,v 1.50 2011/08/29 14:48:46 joerg Exp $");
43 #endif
44 #endif /* not lint */
45 
46 #include <sys/param.h>
47 #include <sys/stat.h>
48 #include <sys/types.h>
49 
50 #include <err.h>
51 #include <errno.h>
52 #include <fcntl.h>
53 #include <fts.h>
54 #include <grp.h>
55 #include <locale.h>
56 #include <pwd.h>
57 #include <stdio.h>
58 #include <stdlib.h>
59 #include <string.h>
60 #include <unistd.h>
61 
62 static int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag;
63 
64 static int	check(char *, char *, struct stat *);
65 static void	checkdot(char **);
66 static void	rm_file(char **);
67 static int	rm_overwrite(char *, struct stat *);
68 static void	rm_tree(char **);
69 __dead static void	usage(void);
70 
71 /*
72  * For the sake of the `-f' flag, check whether an error number indicates the
73  * failure of an operation due to an non-existent file, either per se (ENOENT)
74  * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR).
75  */
76 #define NONEXISTENT(x) \
77     ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR)
78 
79 /*
80  * rm --
81  *	This rm is different from historic rm's, but is expected to match
82  *	POSIX 1003.2 behavior.  The most visible difference is that -f
83  *	has two specific effects now, ignore non-existent files and force
84  * 	file removal.
85  */
86 int
87 main(int argc, char *argv[])
88 {
89 	int ch, rflag;
90 
91 	setprogname(argv[0]);
92 	(void)setlocale(LC_ALL, "");
93 
94 	Pflag = rflag = 0;
95 	while ((ch = getopt(argc, argv, "dfiPRrvW")) != -1)
96 		switch (ch) {
97 		case 'd':
98 			dflag = 1;
99 			break;
100 		case 'f':
101 			fflag = 1;
102 			iflag = 0;
103 			break;
104 		case 'i':
105 			fflag = 0;
106 			iflag = 1;
107 			break;
108 		case 'P':
109 			Pflag = 1;
110 			break;
111 		case 'R':
112 		case 'r':			/* Compatibility. */
113 			rflag = 1;
114 			break;
115 		case 'v':
116 			vflag = 1;
117 			break;
118 		case 'W':
119 			Wflag = 1;
120 			break;
121 		case '?':
122 		default:
123 			usage();
124 		}
125 	argc -= optind;
126 	argv += optind;
127 
128 	if (argc < 1) {
129 		if (fflag)
130 			return 0;
131 		usage();
132 	}
133 
134 	checkdot(argv);
135 
136 	if (*argv) {
137 		stdin_ok = isatty(STDIN_FILENO);
138 
139 		if (rflag)
140 			rm_tree(argv);
141 		else
142 			rm_file(argv);
143 	}
144 
145 	exit(eval);
146 	/* NOTREACHED */
147 }
148 
149 static void
150 rm_tree(char **argv)
151 {
152 	FTS *fts;
153 	FTSENT *p;
154 	int flags, needstat, rval;
155 
156 	/*
157 	 * Remove a file hierarchy.  If forcing removal (-f), or interactive
158 	 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
159 	 */
160 	needstat = !fflag && !iflag && stdin_ok;
161 
162 	/*
163 	 * If the -i option is specified, the user can skip on the pre-order
164 	 * visit.  The fts_number field flags skipped directories.
165 	 */
166 #define	SKIPPED	1
167 
168 	flags = FTS_PHYSICAL;
169 	if (!needstat)
170 		flags |= FTS_NOSTAT;
171 	if (Wflag)
172 		flags |= FTS_WHITEOUT;
173 	if ((fts = fts_open(argv, flags, NULL)) == NULL)
174 		err(1, "fts_open failed");
175 	while ((p = fts_read(fts)) != NULL) {
176 
177 		switch (p->fts_info) {
178 		case FTS_DNR:
179 			if (!fflag || p->fts_errno != ENOENT) {
180 				warnx("%s: %s", p->fts_path,
181 						strerror(p->fts_errno));
182 				eval = 1;
183 			}
184 			continue;
185 		case FTS_ERR:
186 			errx(EXIT_FAILURE, "%s: %s", p->fts_path,
187 					strerror(p->fts_errno));
188 			/* NOTREACHED */
189 		case FTS_NS:
190 			/*
191 			 * FTS_NS: assume that if can't stat the file, it
192 			 * can't be unlinked.
193 			 */
194 			if (fflag && NONEXISTENT(p->fts_errno))
195 				continue;
196 			if (needstat) {
197 				warnx("%s: %s", p->fts_path,
198 						strerror(p->fts_errno));
199 				eval = 1;
200 				continue;
201 			}
202 			break;
203 		case FTS_D:
204 			/* Pre-order: give user chance to skip. */
205 			if (!fflag && !check(p->fts_path, p->fts_accpath,
206 			    p->fts_statp)) {
207 				(void)fts_set(fts, p, FTS_SKIP);
208 				p->fts_number = SKIPPED;
209 			}
210 			continue;
211 		case FTS_DP:
212 			/* Post-order: see if user skipped. */
213 			if (p->fts_number == SKIPPED)
214 				continue;
215 			break;
216 		default:
217 			if (!fflag &&
218 			    !check(p->fts_path, p->fts_accpath, p->fts_statp))
219 				continue;
220 		}
221 
222 		rval = 0;
223 		/*
224 		 * If we can't read or search the directory, may still be
225 		 * able to remove it.  Don't print out the un{read,search}able
226 		 * message unless the remove fails.
227 		 */
228 		switch (p->fts_info) {
229 		case FTS_DP:
230 		case FTS_DNR:
231 			rval = rmdir(p->fts_accpath);
232 			if (rval != 0 && fflag && errno == ENOENT)
233 				continue;
234 			break;
235 
236 		case FTS_W:
237 			rval = undelete(p->fts_accpath);
238 			if (rval != 0 && fflag && errno == ENOENT)
239 				continue;
240 			break;
241 
242 		default:
243 			if (Pflag) {
244 				if (rm_overwrite(p->fts_accpath, NULL))
245 					continue;
246 			}
247 			rval = unlink(p->fts_accpath);
248 			if (rval != 0 && fflag && NONEXISTENT(errno))
249 				continue;
250 			break;
251 		}
252 		if (rval != 0) {
253 			warn("%s", p->fts_path);
254 			eval = 1;
255 		} else if (vflag)
256 			(void)printf("%s\n", p->fts_path);
257 	}
258 	if (errno)
259 		err(1, "fts_read");
260 	fts_close(fts);
261 }
262 
263 static void
264 rm_file(char **argv)
265 {
266 	struct stat sb;
267 	int rval;
268 	char *f;
269 
270 	/*
271 	 * Remove a file.  POSIX 1003.2 states that, by default, attempting
272 	 * to remove a directory is an error, so must always stat the file.
273 	 */
274 	while ((f = *argv++) != NULL) {
275 		/* Assume if can't stat the file, can't unlink it. */
276 		if (lstat(f, &sb)) {
277 			if (Wflag) {
278 				sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR;
279 			} else {
280 				if (!fflag || !NONEXISTENT(errno)) {
281 					warn("%s", f);
282 					eval = 1;
283 				}
284 				continue;
285 			}
286 		} else if (Wflag) {
287 			warnx("%s: %s", f, strerror(EEXIST));
288 			eval = 1;
289 			continue;
290 		}
291 
292 		if (S_ISDIR(sb.st_mode) && !dflag) {
293 			warnx("%s: is a directory", f);
294 			eval = 1;
295 			continue;
296 		}
297 		if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb))
298 			continue;
299 		if (S_ISWHT(sb.st_mode))
300 			rval = undelete(f);
301 		else if (S_ISDIR(sb.st_mode))
302 			rval = rmdir(f);
303 		else {
304 			if (Pflag) {
305 				if (rm_overwrite(f, &sb))
306 					continue;
307 			}
308 			rval = unlink(f);
309 		}
310 		if (rval && (!fflag || !NONEXISTENT(errno))) {
311 			warn("%s", f);
312 			eval = 1;
313 		}
314 		if (vflag && rval == 0)
315 			(void)printf("%s\n", f);
316 	}
317 }
318 
319 /*
320  * rm_overwrite --
321  *	Overwrite the file 3 times with varying bit patterns.
322  *
323  * This is an expensive way to keep people from recovering files from your
324  * non-snapshotted FFS filesystems using fsdb(8).  Really.  No more.  Only
325  * regular files are deleted, directories (and therefore names) will remain.
326  * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
327  * System V file system).  In a logging file system, you'll have to have
328  * kernel support.
329  *
330  * A note on standards:  U.S. DoD 5220.22-M "National Industrial Security
331  * Program Operating Manual" ("NISPOM") is often cited as a reference
332  * for clearing and sanitizing magnetic media.  In fact, a matrix of
333  * "clearing" and "sanitization" methods for various media was given in
334  * Chapter 8 of the original 1995 version of NISPOM.  However, that
335  * matrix was *removed from the document* when Chapter 8 was rewritten
336  * in Change 2 to the document in 2001.  Recently, the Defense Security
337  * Service has made a revised clearing and sanitization matrix available
338  * in Microsoft Word format on the DSS web site.  The standardization
339  * status of this matrix is unclear.  Furthermore, one must be very
340  * careful when referring to this matrix: it is intended for the "clearing"
341  * prior to reuse or "sanitization" prior to disposal of *entire media*,
342  * not individual files and the only non-physically-destructive method of
343  * "sanitization" that is permitted for magnetic disks of any kind is
344  * specifically noted to be prohibited for media that have contained
345  * Top Secret data.
346  *
347  * It is impossible to actually conform to the exact procedure given in
348  * the matrix if one is overwriting a file, not an entire disk, because
349  * the procedure requires examination and comparison of the disk's defect
350  * lists.  Any program that claims to securely erase *files* while
351  * conforming to the standard, then, is not correct.  We do as much of
352  * what the standard requires as can actually be done when erasing a
353  * file, rather than an entire disk; but that does not make us conformant.
354  *
355  * Furthermore, the presence of track caches, disk and controller write
356  * caches, and so forth make it extremely difficult to ensure that data
357  * have actually been written to the disk, particularly when one tries
358  * to repeatedly overwrite the same sectors in quick succession.  We call
359  * fsync(), but controllers with nonvolatile cache, as well as IDE disks
360  * that just plain lie about the stable storage of data, will defeat this.
361  *
362  * Finally, widely respected research suggests that the given procedure
363  * is nowhere near sufficient to prevent the recovery of data using special
364  * forensic equipment and techniques that are well-known.  This is
365  * presumably one reason that the matrix requires physical media destruction,
366  * rather than any technique of the sort attempted here, for secret data.
367  *
368  * Caveat Emptor.
369  *
370  * rm_overwrite will return 0 on success.
371  */
372 
373 static int
374 rm_overwrite(char *file, struct stat *sbp)
375 {
376 	struct stat sb;
377 	int fd, randint;
378 	char randchar;
379 
380 	fd = -1;
381 	if (sbp == NULL) {
382 		if (lstat(file, &sb))
383 			goto err;
384 		sbp = &sb;
385 	}
386 	if (!S_ISREG(sbp->st_mode))
387 		return 0;
388 
389 	/* flags to try to defeat hidden caching by forcing seeks */
390 	if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC, 0)) == -1)
391 		goto err;
392 
393 #define RAND_BYTES	1
394 #define THIS_BYTE	0
395 
396 #define	WRITE_PASS(mode, byte) do {					\
397 	off_t len;							\
398 	size_t wlen, i;							\
399 	char buf[8 * 1024];						\
400 									\
401 	if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET))			\
402 		goto err;						\
403 									\
404 	if (mode == THIS_BYTE)						\
405 		memset(buf, byte, sizeof(buf));				\
406 	for (len = sbp->st_size; len > 0; len -= wlen) {		\
407 		if (mode == RAND_BYTES) {				\
408 			for (i = 0; i < sizeof(buf); 			\
409 			    i+= sizeof(u_int32_t))			\
410 				*(int *)(buf + i) = arc4random();	\
411 		}							\
412 		wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
413 		if ((size_t)write(fd, buf, wlen) != wlen)		\
414 			goto err;					\
415 	}								\
416 	sync();		/* another poke at hidden caches */		\
417 } while (/* CONSTCOND */ 0)
418 
419 #define READ_PASS(byte) do {						\
420 	off_t len;							\
421 	size_t rlen;							\
422 	char pattern[8 * 1024];						\
423 	char buf[8 * 1024];						\
424 									\
425 	if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET))			\
426 		goto err;						\
427 									\
428 	memset(pattern, byte, sizeof(pattern));				\
429 	for(len = sbp->st_size; len > 0; len -= rlen) {			\
430 		rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
431 		if((size_t)read(fd, buf, rlen) != rlen)			\
432 			goto err;					\
433 		if(memcmp(buf, pattern, rlen))				\
434 			goto err;					\
435 	}								\
436 	sync();		/* another poke at hidden caches */		\
437 } while (/* CONSTCOND */ 0)
438 
439 	/*
440 	 * DSS sanitization matrix "clear" for magnetic disks:
441 	 * option 'c' "Overwrite all addressable locations with a single
442 	 * character."
443 	 */
444 	randint = arc4random();
445 	randchar = *(char *)&randint;
446 	WRITE_PASS(THIS_BYTE, randchar);
447 
448 	/*
449 	 * DSS sanitization matrix "sanitize" for magnetic disks:
450 	 * option 'd', sub 2 "Overwrite all addressable locations with a
451 	 * character, then its complement.  Verify "complement" character
452 	 * was written successfully to all addressable locations, then
453 	 * overwrite all addressable locations with random characters; or
454 	 * verify third overwrite of random characters."  The rest of the
455 	 * text in d-sub-2 specifies requirements for overwriting spared
456 	 * sectors; we cannot conform to it when erasing only a file, thus
457 	 * we do not conform to the standard.
458 	 */
459 
460 	/* 1. "a character" */
461 	WRITE_PASS(THIS_BYTE, 0xff);
462 
463 	/* 2. "its complement" */
464 	WRITE_PASS(THIS_BYTE, 0x00);
465 
466 	/* 3. "Verify 'complement' character" */
467 	READ_PASS(0x00);
468 
469 	/* 4. "overwrite all addressable locations with random characters" */
470 
471 	WRITE_PASS(RAND_BYTES, 0x00);
472 
473 	/*
474 	 * As the file might be huge, and we note that this revision of
475 	 * the matrix says "random characters", not "a random character"
476 	 * as the original did, we do not verify the random-character
477 	 * write; the "or" in the standard allows this.
478 	 */
479 
480 	if (close(fd) == -1) {
481 		fd = -1;
482 		goto err;
483 	}
484 
485 	return 0;
486 
487 err:	eval = 1;
488 	warn("%s", file);
489 	if (fd != -1)
490 		close(fd);
491 	return 1;
492 }
493 
494 static int
495 check(char *path, char *name, struct stat *sp)
496 {
497 	int ch, first;
498 	char modep[15];
499 
500 	/* Check -i first. */
501 	if (iflag)
502 		(void)fprintf(stderr, "remove '%s'? ", path);
503 	else {
504 		/*
505 		 * If it's not a symbolic link and it's unwritable and we're
506 		 * talking to a terminal, ask.  Symbolic links are excluded
507 		 * because their permissions are meaningless.  Check stdin_ok
508 		 * first because we may not have stat'ed the file.
509 		 */
510 		if (!stdin_ok || S_ISLNK(sp->st_mode) ||
511 		    !(access(name, W_OK) && (errno != ETXTBSY)))
512 			return (1);
513 		strmode(sp->st_mode, modep);
514 		if (Pflag) {
515 			warnx(
516 			    "%s: -P was specified but file could not"
517 			    " be overwritten", path);
518 			return 0;
519 		}
520 		(void)fprintf(stderr, "override %s%s%s:%s for '%s'? ",
521 		    modep + 1, modep[9] == ' ' ? "" : " ",
522 		    user_from_uid(sp->st_uid, 0),
523 		    group_from_gid(sp->st_gid, 0), path);
524 	}
525 	(void)fflush(stderr);
526 
527 	first = ch = getchar();
528 	while (ch != '\n' && ch != EOF)
529 		ch = getchar();
530 	return (first == 'y' || first == 'Y');
531 }
532 
533 /*
534  * POSIX.2 requires that if "." or ".." are specified as the basename
535  * portion of an operand, a diagnostic message be written to standard
536  * error and nothing more be done with such operands.
537  *
538  * Since POSIX.2 defines basename as the final portion of a path after
539  * trailing slashes have been removed, we'll remove them here.
540  */
541 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
542 static void
543 checkdot(char **argv)
544 {
545 	char *p, **save, **t;
546 	int complained;
547 
548 	complained = 0;
549 	for (t = argv; *t;) {
550 		/* strip trailing slashes */
551 		p = strrchr(*t, '\0');
552 		while (--p > *t && *p == '/')
553 			*p = '\0';
554 
555 		/* extract basename */
556 		if ((p = strrchr(*t, '/')) != NULL)
557 			++p;
558 		else
559 			p = *t;
560 
561 		if (ISDOT(p)) {
562 			if (!complained++)
563 				warnx("\".\" and \"..\" may not be removed");
564 			eval = 1;
565 			for (save = t; (t[0] = t[1]) != NULL; ++t)
566 				continue;
567 			t = save;
568 		} else
569 			++t;
570 	}
571 }
572 
573 static void
574 usage(void)
575 {
576 
577 	(void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvW] file ...\n",
578 	    getprogname());
579 	exit(1);
580 	/* NOTREACHED */
581 }
582