xref: /openbsd-src/bin/rm/rm.c (revision b9fc9a728fce9c4289b7e9a992665e28d5629a54) 
1 /*	$OpenBSD: rm.c,v 1.30 2015/01/16 06:39:32 deraadt Exp $	*/
2 /*	$NetBSD: rm.c,v 1.19 1995/09/07 06:48:50 jtc Exp $	*/
3 
4 /*-
5  * Copyright (c) 1990, 1993, 1994
6  *	The Regents of the University of California.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. Neither the name of the University nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #include <sys/types.h>
34 #include <sys/stat.h>
35 #include <sys/mount.h>
36 
37 #include <locale.h>
38 #include <err.h>
39 #include <errno.h>
40 #include <fcntl.h>
41 #include <fts.h>
42 #include <stdio.h>
43 #include <stdlib.h>
44 #include <string.h>
45 #include <unistd.h>
46 #include <limits.h>
47 #include <pwd.h>
48 #include <grp.h>
49 
50 #define MAXIMUM(a, b)	(((a) > (b)) ? (a) : (b))
51 
52 extern char *__progname;
53 
54 int dflag, eval, fflag, iflag, Pflag, stdin_ok;
55 
56 int	check(char *, char *, struct stat *);
57 void	checkdot(char **);
58 void	rm_file(char **);
59 int	rm_overwrite(char *, struct stat *);
60 int	pass(int, off_t, char *, size_t);
61 void	rm_tree(char **);
62 void	usage(void);
63 
64 /*
65  * rm --
66  *	This rm is different from historic rm's, but is expected to match
67  *	POSIX 1003.2 behavior.  The most visible difference is that -f
68  *	has two specific effects now, ignore non-existent files and force
69  * 	file removal.
70  */
71 int
72 main(int argc, char *argv[])
73 {
74 	int ch, rflag;
75 
76 	setlocale(LC_ALL, "");
77 
78 	Pflag = rflag = 0;
79 	while ((ch = getopt(argc, argv, "dfiPRr")) != -1)
80 		switch(ch) {
81 		case 'd':
82 			dflag = 1;
83 			break;
84 		case 'f':
85 			fflag = 1;
86 			iflag = 0;
87 			break;
88 		case 'i':
89 			fflag = 0;
90 			iflag = 1;
91 			break;
92 		case 'P':
93 			Pflag = 1;
94 			break;
95 		case 'R':
96 		case 'r':			/* Compatibility. */
97 			rflag = 1;
98 			break;
99 		default:
100 			usage();
101 		}
102 	argc -= optind;
103 	argv += optind;
104 
105 	if (argc < 1 && fflag == 0)
106 		usage();
107 
108 	checkdot(argv);
109 
110 	if (*argv) {
111 		stdin_ok = isatty(STDIN_FILENO);
112 
113 		if (rflag)
114 			rm_tree(argv);
115 		else
116 			rm_file(argv);
117 	}
118 
119 	exit (eval);
120 }
121 
122 void
123 rm_tree(char **argv)
124 {
125 	FTS *fts;
126 	FTSENT *p;
127 	int needstat;
128 	int flags;
129 
130 	/*
131 	 * Remove a file hierarchy.  If forcing removal (-f), or interactive
132 	 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
133 	 */
134 	needstat = !fflag && !iflag && stdin_ok;
135 
136 	/*
137 	 * If the -i option is specified, the user can skip on the pre-order
138 	 * visit.  The fts_number field flags skipped directories.
139 	 */
140 #define	SKIPPED	1
141 
142 	flags = FTS_PHYSICAL;
143 	if (!needstat)
144 		flags |= FTS_NOSTAT;
145 	if (!(fts = fts_open(argv, flags, NULL)))
146 		err(1, NULL);
147 	while ((p = fts_read(fts)) != NULL) {
148 		switch (p->fts_info) {
149 		case FTS_DNR:
150 			if (!fflag || p->fts_errno != ENOENT) {
151 				warnx("%s: %s",
152 				    p->fts_path, strerror(p->fts_errno));
153 				eval = 1;
154 			}
155 			continue;
156 		case FTS_ERR:
157 			errc(1, p->fts_errno, "%s", p->fts_path);
158 		case FTS_NS:
159 			/*
160 			 * FTS_NS: assume that if can't stat the file, it
161 			 * can't be unlinked.
162 			 */
163 			if (!needstat)
164 				break;
165 			if (!fflag || p->fts_errno != ENOENT) {
166 				warnx("%s: %s",
167 				    p->fts_path, strerror(p->fts_errno));
168 				eval = 1;
169 			}
170 			continue;
171 		case FTS_D:
172 			/* Pre-order: give user chance to skip. */
173 			if (!fflag && !check(p->fts_path, p->fts_accpath,
174 			    p->fts_statp)) {
175 				(void)fts_set(fts, p, FTS_SKIP);
176 				p->fts_number = SKIPPED;
177 			}
178 			continue;
179 		case FTS_DP:
180 			/* Post-order: see if user skipped. */
181 			if (p->fts_number == SKIPPED)
182 				continue;
183 			break;
184 		default:
185 			if (!fflag &&
186 			    !check(p->fts_path, p->fts_accpath, p->fts_statp))
187 				continue;
188 		}
189 
190 		/*
191 		 * If we can't read or search the directory, may still be
192 		 * able to remove it.  Don't print out the un{read,search}able
193 		 * message unless the remove fails.
194 		 */
195 		switch (p->fts_info) {
196 		case FTS_DP:
197 		case FTS_DNR:
198 			if (!rmdir(p->fts_accpath) ||
199 			    (fflag && errno == ENOENT))
200 				continue;
201 			break;
202 
203 		case FTS_F:
204 		case FTS_NSOK:
205 			if (Pflag)
206 				rm_overwrite(p->fts_accpath, p->fts_info ==
207 				    FTS_NSOK ? NULL : p->fts_statp);
208 			/* FALLTHROUGH */
209 		default:
210 			if (!unlink(p->fts_accpath) ||
211 			    (fflag && errno == ENOENT))
212 				continue;
213 		}
214 		warn("%s", p->fts_path);
215 		eval = 1;
216 	}
217 	if (errno)
218 		err(1, "fts_read");
219 	fts_close(fts);
220 }
221 
222 void
223 rm_file(char **argv)
224 {
225 	struct stat sb;
226 	int rval;
227 	char *f;
228 
229 	/*
230 	 * Remove a file.  POSIX 1003.2 states that, by default, attempting
231 	 * to remove a directory is an error, so must always stat the file.
232 	 */
233 	while ((f = *argv++) != NULL) {
234 		/* Assume if can't stat the file, can't unlink it. */
235 		if (lstat(f, &sb)) {
236 			if (!fflag || errno != ENOENT) {
237 				warn("%s", f);
238 				eval = 1;
239 			}
240 			continue;
241 		}
242 
243 		if (S_ISDIR(sb.st_mode) && !dflag) {
244 			warnx("%s: is a directory", f);
245 			eval = 1;
246 			continue;
247 		}
248 		if (!fflag && !check(f, f, &sb))
249 			continue;
250 		else if (S_ISDIR(sb.st_mode))
251 			rval = rmdir(f);
252 		else {
253 			if (Pflag)
254 				rm_overwrite(f, &sb);
255 			rval = unlink(f);
256 		}
257 		if (rval && (!fflag || errno != ENOENT)) {
258 			warn("%s", f);
259 			eval = 1;
260 		}
261 	}
262 }
263 
264 /*
265  * rm_overwrite --
266  *	Overwrite the file with varying bit patterns.
267  *
268  * XXX
269  * This is a cheap way to *really* delete files.  Note that only regular
270  * files are deleted, directories (and therefore names) will remain.
271  * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
272  * System V file system).  In a logging file system, you'll have to have
273  * kernel support.
274  * Returns 1 for success.
275  */
276 int
277 rm_overwrite(char *file, struct stat *sbp)
278 {
279 	struct stat sb, sb2;
280 	struct statfs fsb;
281 	size_t bsize;
282 	int fd;
283 	char *buf = NULL;
284 
285 	fd = -1;
286 	if (sbp == NULL) {
287 		if (lstat(file, &sb))
288 			goto err;
289 		sbp = &sb;
290 	}
291 	if (!S_ISREG(sbp->st_mode))
292 		return (1);
293 	if (sbp->st_nlink > 1) {
294 		warnx("%s (inode %llu): not overwritten due to multiple links",
295 		    file, (unsigned long long)sbp->st_ino);
296 		return (0);
297 	}
298 	if ((fd = open(file, O_WRONLY|O_NONBLOCK|O_NOFOLLOW, 0)) == -1)
299 		goto err;
300 	if (fstat(fd, &sb2))
301 		goto err;
302 	if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino ||
303 	    !S_ISREG(sb2.st_mode)) {
304 		errno = EPERM;
305 		goto err;
306 	}
307 	if (fstatfs(fd, &fsb) == -1)
308 		goto err;
309 	bsize = MAXIMUM(fsb.f_iosize, 1024U);
310 	if ((buf = malloc(bsize)) == NULL)
311 		err(1, "%s: malloc", file);
312 
313 	if (!pass(fd, sbp->st_size, buf, bsize))
314 		goto err;
315 	if (fsync(fd))
316 		goto err;
317 	close(fd);
318 	free(buf);
319 	return (1);
320 
321 err:
322 	warn("%s", file);
323 	close(fd);
324 	eval = 1;
325 	free(buf);
326 	return (0);
327 }
328 
329 int
330 pass(int fd, off_t len, char *buf, size_t bsize)
331 {
332 	size_t wlen;
333 
334 	for (; len > 0; len -= wlen) {
335 		wlen = len < bsize ? len : bsize;
336 		arc4random_buf(buf, wlen);
337 		if (write(fd, buf, wlen) != wlen)
338 			return (0);
339 	}
340 	return (1);
341 }
342 
343 int
344 check(char *path, char *name, struct stat *sp)
345 {
346 	int ch, first;
347 	char modep[15];
348 
349 	/* Check -i first. */
350 	if (iflag)
351 		(void)fprintf(stderr, "remove %s? ", path);
352 	else {
353 		/*
354 		 * If it's not a symbolic link and it's unwritable and we're
355 		 * talking to a terminal, ask.  Symbolic links are excluded
356 		 * because their permissions are meaningless.  Check stdin_ok
357 		 * first because we may not have stat'ed the file.
358 		 */
359 		if (!stdin_ok || S_ISLNK(sp->st_mode) || !access(name, W_OK) ||
360 		    errno != EACCES)
361 			return (1);
362 		strmode(sp->st_mode, modep);
363 		(void)fprintf(stderr, "override %s%s%s/%s for %s? ",
364 		    modep + 1, modep[9] == ' ' ? "" : " ",
365 		    user_from_uid(sp->st_uid, 0),
366 		    group_from_gid(sp->st_gid, 0), path);
367 	}
368 	(void)fflush(stderr);
369 
370 	first = ch = getchar();
371 	while (ch != '\n' && ch != EOF)
372 		ch = getchar();
373 	return (first == 'y' || first == 'Y');
374 }
375 
376 /*
377  * POSIX.2 requires that if "." or ".." are specified as the basename
378  * portion of an operand, a diagnostic message be written to standard
379  * error and nothing more be done with such operands.
380  *
381  * Since POSIX.2 defines basename as the final portion of a path after
382  * trailing slashes have been removed, we'll remove them here.
383  */
384 #define ISDOT(a)	((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
385 void
386 checkdot(char **argv)
387 {
388 	char *p, **save, **t;
389 	int complained;
390 
391 	complained = 0;
392 	for (t = argv; *t;) {
393 		/* strip trailing slashes */
394 		p = strrchr (*t, '\0');
395 		while (--p > *t && *p == '/')
396 			*p = '\0';
397 
398 		/* extract basename */
399 		if ((p = strrchr(*t, '/')) != NULL)
400 			++p;
401 		else
402 			p = *t;
403 
404 		if (ISDOT(p)) {
405 			if (!complained++)
406 				warnx("\".\" and \"..\" may not be removed");
407 			eval = 1;
408 			for (save = t; (t[0] = t[1]) != NULL; ++t)
409 				continue;
410 			t = save;
411 		} else
412 			++t;
413 	}
414 }
415 
416 void
417 usage(void)
418 {
419 	(void)fprintf(stderr, "usage: %s [-dfiPRr] file ...\n", __progname);
420 	exit(1);
421 }
422