• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* $NetBSD: rm.c,v 1.53 2013/04/26 18:43:22 christos Exp $ */
2 
3 /*-
4  * Copyright (c) 1990, 1993, 1994, 2003
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the University nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #include <sys/cdefs.h>
33 #ifndef lint
34 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\
35  The Regents of the University of California.  All rights reserved.");
36 #endif /* not lint */
37 
38 #ifndef lint
39 #if 0
40 static char sccsid[] = "@(#)rm.c	8.8 (Berkeley) 4/27/95";
41 #else
42 __RCSID("$NetBSD: rm.c,v 1.53 2013/04/26 18:43:22 christos Exp $");
43 #endif
44 #endif /* not lint */
45 
46 #include <sys/param.h>
47 #include <sys/stat.h>
48 #include <sys/types.h>
49 
50 #include <err.h>
51 #include <errno.h>
52 #include <fcntl.h>
53 #include <fts.h>
54 #include <grp.h>
55 #include <locale.h>
56 #include <pwd.h>
57 #include <signal.h>
58 #include <stdio.h>
59 #include <stdlib.h>
60 #include <string.h>
61 #include <unistd.h>
62 
63 static int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag;
64 static int xflag;
65 static sig_atomic_t pinfo;
66 
67 static int	check(char *, char *, struct stat *);
68 static void	checkdot(char **);
69 static void	progress(int);
70 static void	rm_file(char **);
71 static int	rm_overwrite(char *, struct stat *);
72 static void	rm_tree(char **);
73 __dead static void	usage(void);
74 
75 /*
76  * For the sake of the `-f' flag, check whether an error number indicates the
77  * failure of an operation due to an non-existent file, either per se (ENOENT)
78  * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR).
79  */
80 #define NONEXISTENT(x) \
81     ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR)
82 
83 /*
84  * rm --
85  *	This rm is different from historic rm's, but is expected to match
86  *	POSIX 1003.2 behavior.  The most visible difference is that -f
87  *	has two specific effects now, ignore non-existent files and force
88  * 	file removal.
89  */
90 int
main(int argc,char * argv[])91 main(int argc, char *argv[])
92 {
93 	int ch, rflag;
94 
95 	setprogname(argv[0]);
96 	(void)setlocale(LC_ALL, "");
97 
98 	Pflag = rflag = xflag = 0;
99 	while ((ch = getopt(argc, argv, "dfiPRrvWx")) != -1)
100 		switch (ch) {
101 		case 'd':
102 			dflag = 1;
103 			break;
104 		case 'f':
105 			fflag = 1;
106 			iflag = 0;
107 			break;
108 		case 'i':
109 			fflag = 0;
110 			iflag = 1;
111 			break;
112 		case 'P':
113 			Pflag = 1;
114 			break;
115 		case 'R':
116 		case 'r':			/* Compatibility. */
117 			rflag = 1;
118 			break;
119 		case 'v':
120 			vflag = 1;
121 			break;
122 		case 'x':
123 			xflag = 1;
124 			break;
125 #ifndef __ANDROID__
126 		case 'W':
127 			Wflag = 1;
128 			break;
129 #endif
130 		case '?':
131 		default:
132 			usage();
133 		}
134 	argc -= optind;
135 	argv += optind;
136 
137 	if (argc < 1) {
138 		if (fflag)
139 			return 0;
140 		usage();
141 	}
142 
143 	(void)signal(SIGINFO, progress);
144 
145 	checkdot(argv);
146 
147 	if (*argv) {
148 		stdin_ok = isatty(STDIN_FILENO);
149 
150 		if (rflag)
151 			rm_tree(argv);
152 		else
153 			rm_file(argv);
154 	}
155 
156 	exit(eval);
157 	/* NOTREACHED */
158 }
159 
160 static void
rm_tree(char ** argv)161 rm_tree(char **argv)
162 {
163 	FTS *fts;
164 	FTSENT *p;
165 	int flags, needstat, rval;
166 
167 	/*
168 	 * Remove a file hierarchy.  If forcing removal (-f), or interactive
169 	 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
170 	 */
171 	needstat = !fflag && !iflag && stdin_ok;
172 
173 	/*
174 	 * If the -i option is specified, the user can skip on the pre-order
175 	 * visit.  The fts_number field flags skipped directories.
176 	 */
177 #define	SKIPPED	1
178 
179 	flags = FTS_PHYSICAL;
180 	if (!needstat)
181 		flags |= FTS_NOSTAT;
182 #ifndef __ANDROID__
183 	if (Wflag)
184 		flags |= FTS_WHITEOUT;
185 #endif
186 	if (xflag)
187 		flags |= FTS_XDEV;
188 	if ((fts = fts_open(argv, flags, NULL)) == NULL)
189 		err(1, "fts_open failed");
190 	while ((p = fts_read(fts)) != NULL) {
191 
192 		switch (p->fts_info) {
193 		case FTS_DNR:
194 			if (!fflag || p->fts_errno != ENOENT) {
195 				warnx("%s: %s", p->fts_path,
196 						strerror(p->fts_errno));
197 				eval = 1;
198 			}
199 			continue;
200 		case FTS_ERR:
201 			errx(EXIT_FAILURE, "%s: %s", p->fts_path,
202 					strerror(p->fts_errno));
203 			/* NOTREACHED */
204 		case FTS_NS:
205 			/*
206 			 * FTS_NS: assume that if can't stat the file, it
207 			 * can't be unlinked.
208 			 */
209 			if (fflag && NONEXISTENT(p->fts_errno))
210 				continue;
211 			if (needstat) {
212 				warnx("%s: %s", p->fts_path,
213 						strerror(p->fts_errno));
214 				eval = 1;
215 				continue;
216 			}
217 			break;
218 		case FTS_D:
219 			/* Pre-order: give user chance to skip. */
220 			if (!fflag && !check(p->fts_path, p->fts_accpath,
221 			    p->fts_statp)) {
222 				(void)fts_set(fts, p, FTS_SKIP);
223 				p->fts_number = SKIPPED;
224 			}
225 			continue;
226 		case FTS_DP:
227 			/* Post-order: see if user skipped. */
228 			if (p->fts_number == SKIPPED)
229 				continue;
230 			break;
231 		default:
232 			if (!fflag &&
233 			    !check(p->fts_path, p->fts_accpath, p->fts_statp))
234 				continue;
235 		}
236 
237 		rval = 0;
238 		/*
239 		 * If we can't read or search the directory, may still be
240 		 * able to remove it.  Don't print out the un{read,search}able
241 		 * message unless the remove fails.
242 		 */
243 		switch (p->fts_info) {
244 		case FTS_DP:
245 		case FTS_DNR:
246 			rval = rmdir(p->fts_accpath);
247 			if (rval != 0 && fflag && errno == ENOENT)
248 				continue;
249 			break;
250 
251 #ifndef __ANDROID__
252 		case FTS_W:
253 			rval = undelete(p->fts_accpath);
254 			if (rval != 0 && fflag && errno == ENOENT)
255 				continue;
256 			break;
257 #endif
258 
259 		default:
260 			if (Pflag) {
261 				if (rm_overwrite(p->fts_accpath, NULL))
262 					continue;
263 			}
264 			rval = unlink(p->fts_accpath);
265 			if (rval != 0 && fflag && NONEXISTENT(errno))
266 				continue;
267 			break;
268 		}
269 		if (rval != 0) {
270 			warn("%s", p->fts_path);
271 			eval = 1;
272 		} else if (vflag || pinfo) {
273 			pinfo = 0;
274 			(void)printf("%s\n", p->fts_path);
275 		}
276 	}
277 	if (errno)
278 		err(1, "fts_read");
279 	fts_close(fts);
280 }
281 
282 static void
rm_file(char ** argv)283 rm_file(char **argv)
284 {
285 	struct stat sb;
286 	int rval;
287 	char *f;
288 
289 	/*
290 	 * Remove a file.  POSIX 1003.2 states that, by default, attempting
291 	 * to remove a directory is an error, so must always stat the file.
292 	 */
293 	while ((f = *argv++) != NULL) {
294 		/* Assume if can't stat the file, can't unlink it. */
295 		if (lstat(f, &sb)) {
296 #ifndef __ANDROID__
297 			if (Wflag) {
298 				sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR;
299 			} else {
300 #endif
301 				if (!fflag || !NONEXISTENT(errno)) {
302 					warn("%s", f);
303 					eval = 1;
304 				}
305 				continue;
306 #ifndef __ANDROID__
307 			}
308 		} else if (Wflag) {
309 			warnx("%s: %s", f, strerror(EEXIST));
310 			eval = 1;
311 			continue;
312 #endif
313 		}
314 
315 		if (S_ISDIR(sb.st_mode) && !dflag) {
316 			warnx("%s: is a directory", f);
317 			eval = 1;
318 			continue;
319 		}
320 		if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb))
321 			continue;
322 #ifndef __ANDROID__
323 		if (S_ISWHT(sb.st_mode))
324 			rval = undelete(f);
325 		else if (S_ISDIR(sb.st_mode))
326 #else
327 		if (S_ISDIR(sb.st_mode))
328 #endif
329 			rval = rmdir(f);
330 		else {
331 			if (Pflag) {
332 				if (rm_overwrite(f, &sb))
333 					continue;
334 			}
335 			rval = unlink(f);
336 		}
337 		if (rval && (!fflag || !NONEXISTENT(errno))) {
338 			warn("%s", f);
339 			eval = 1;
340 		}
341 		if (vflag && rval == 0)
342 			(void)printf("%s\n", f);
343 	}
344 }
345 
346 /*
347  * rm_overwrite --
348  *	Overwrite the file 3 times with varying bit patterns.
349  *
350  * This is an expensive way to keep people from recovering files from your
351  * non-snapshotted FFS filesystems using fsdb(8).  Really.  No more.  Only
352  * regular files are deleted, directories (and therefore names) will remain.
353  * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
354  * System V file system).  In a logging file system, you'll have to have
355  * kernel support.
356  *
357  * A note on standards:  U.S. DoD 5220.22-M "National Industrial Security
358  * Program Operating Manual" ("NISPOM") is often cited as a reference
359  * for clearing and sanitizing magnetic media.  In fact, a matrix of
360  * "clearing" and "sanitization" methods for various media was given in
361  * Chapter 8 of the original 1995 version of NISPOM.  However, that
362  * matrix was *removed from the document* when Chapter 8 was rewritten
363  * in Change 2 to the document in 2001.  Recently, the Defense Security
364  * Service has made a revised clearing and sanitization matrix available
365  * in Microsoft Word format on the DSS web site.  The standardization
366  * status of this matrix is unclear.  Furthermore, one must be very
367  * careful when referring to this matrix: it is intended for the "clearing"
368  * prior to reuse or "sanitization" prior to disposal of *entire media*,
369  * not individual files and the only non-physically-destructive method of
370  * "sanitization" that is permitted for magnetic disks of any kind is
371  * specifically noted to be prohibited for media that have contained
372  * Top Secret data.
373  *
374  * It is impossible to actually conform to the exact procedure given in
375  * the matrix if one is overwriting a file, not an entire disk, because
376  * the procedure requires examination and comparison of the disk's defect
377  * lists.  Any program that claims to securely erase *files* while
378  * conforming to the standard, then, is not correct.  We do as much of
379  * what the standard requires as can actually be done when erasing a
380  * file, rather than an entire disk; but that does not make us conformant.
381  *
382  * Furthermore, the presence of track caches, disk and controller write
383  * caches, and so forth make it extremely difficult to ensure that data
384  * have actually been written to the disk, particularly when one tries
385  * to repeatedly overwrite the same sectors in quick succession.  We call
386  * fsync(), but controllers with nonvolatile cache, as well as IDE disks
387  * that just plain lie about the stable storage of data, will defeat this.
388  *
389  * Finally, widely respected research suggests that the given procedure
390  * is nowhere near sufficient to prevent the recovery of data using special
391  * forensic equipment and techniques that are well-known.  This is
392  * presumably one reason that the matrix requires physical media destruction,
393  * rather than any technique of the sort attempted here, for secret data.
394  *
395  * Caveat Emptor.
396  *
397  * rm_overwrite will return 0 on success.
398  */
399 
400 static int
rm_overwrite(char * file,struct stat * sbp)401 rm_overwrite(char *file, struct stat *sbp)
402 {
403 	struct stat sb, sb2;
404 	int fd, randint;
405 	char randchar;
406 
407 	fd = -1;
408 	if (sbp == NULL) {
409 		if (lstat(file, &sb))
410 			goto err;
411 		sbp = &sb;
412 	}
413 	if (!S_ISREG(sbp->st_mode))
414 		return 0;
415 
416 	/* flags to try to defeat hidden caching by forcing seeks */
417 	if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC|O_NOFOLLOW, 0)) == -1)
418 		goto err;
419 
420 	if (fstat(fd, &sb2)) {
421 		goto err;
422 	}
423 
424 	if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino ||
425 	    !S_ISREG(sb2.st_mode)) {
426 		errno = EPERM;
427 		goto err;
428 	}
429 
430 #define RAND_BYTES	1
431 #define THIS_BYTE	0
432 
433 #define	WRITE_PASS(mode, byte) do {					\
434 	off_t len;							\
435 	size_t wlen, i;							\
436 	char buf[8 * 1024];						\
437 									\
438 	if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET))			\
439 		goto err;						\
440 									\
441 	if (mode == THIS_BYTE)						\
442 		memset(buf, byte, sizeof(buf));				\
443 	for (len = sbp->st_size; len > 0; len -= wlen) {		\
444 		if (mode == RAND_BYTES) {				\
445 			for (i = 0; i < sizeof(buf); 			\
446 			    i+= sizeof(u_int32_t))			\
447 				*(int *)(buf + i) = arc4random();	\
448 		}							\
449 		wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
450 		if ((size_t)write(fd, buf, wlen) != wlen)		\
451 			goto err;					\
452 	}								\
453 	sync();		/* another poke at hidden caches */		\
454 } while (/* CONSTCOND */ 0)
455 
456 #define READ_PASS(byte) do {						\
457 	off_t len;							\
458 	size_t rlen;							\
459 	char pattern[8 * 1024];						\
460 	char buf[8 * 1024];						\
461 									\
462 	if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET))			\
463 		goto err;						\
464 									\
465 	memset(pattern, byte, sizeof(pattern));				\
466 	for(len = sbp->st_size; len > 0; len -= rlen) {			\
467 		rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
468 		if((size_t)read(fd, buf, rlen) != rlen)			\
469 			goto err;					\
470 		if(memcmp(buf, pattern, rlen))				\
471 			goto err;					\
472 	}								\
473 	sync();		/* another poke at hidden caches */		\
474 } while (/* CONSTCOND */ 0)
475 
476 	/*
477 	 * DSS sanitization matrix "clear" for magnetic disks:
478 	 * option 'c' "Overwrite all addressable locations with a single
479 	 * character."
480 	 */
481 	randint = arc4random();
482 	randchar = *(char *)&randint;
483 	WRITE_PASS(THIS_BYTE, randchar);
484 
485 	/*
486 	 * DSS sanitization matrix "sanitize" for magnetic disks:
487 	 * option 'd', sub 2 "Overwrite all addressable locations with a
488 	 * character, then its complement.  Verify "complement" character
489 	 * was written successfully to all addressable locations, then
490 	 * overwrite all addressable locations with random characters; or
491 	 * verify third overwrite of random characters."  The rest of the
492 	 * text in d-sub-2 specifies requirements for overwriting spared
493 	 * sectors; we cannot conform to it when erasing only a file, thus
494 	 * we do not conform to the standard.
495 	 */
496 
497 	/* 1. "a character" */
498 	WRITE_PASS(THIS_BYTE, 0xff);
499 
500 	/* 2. "its complement" */
501 	WRITE_PASS(THIS_BYTE, 0x00);
502 
503 	/* 3. "Verify 'complement' character" */
504 	READ_PASS(0x00);
505 
506 	/* 4. "overwrite all addressable locations with random characters" */
507 
508 	WRITE_PASS(RAND_BYTES, 0x00);
509 
510 	/*
511 	 * As the file might be huge, and we note that this revision of
512 	 * the matrix says "random characters", not "a random character"
513 	 * as the original did, we do not verify the random-character
514 	 * write; the "or" in the standard allows this.
515 	 */
516 
517 	if (close(fd) == -1) {
518 		fd = -1;
519 		goto err;
520 	}
521 
522 	return 0;
523 
524 err:	eval = 1;
525 	warn("%s", file);
526 	if (fd != -1)
527 		close(fd);
528 	return 1;
529 }
530 
531 static int
check(char * path,char * name,struct stat * sp)532 check(char *path, char *name, struct stat *sp)
533 {
534 	int ch, first;
535 	char modep[15];
536 
537 	/* Check -i first. */
538 	if (iflag)
539 		(void)fprintf(stderr, "remove '%s'? ", path);
540 	else {
541 		/*
542 		 * If it's not a symbolic link and it's unwritable and we're
543 		 * talking to a terminal, ask.  Symbolic links are excluded
544 		 * because their permissions are meaningless.  Check stdin_ok
545 		 * first because we may not have stat'ed the file.
546 		 */
547 		if (!stdin_ok || S_ISLNK(sp->st_mode) ||
548 		    !(access(name, W_OK) && (errno != ETXTBSY)))
549 			return (1);
550 		strmode(sp->st_mode, modep);
551 		if (Pflag) {
552 			warnx(
553 			    "%s: -P was specified but file could not"
554 			    " be overwritten", path);
555 			return 0;
556 		}
557 		(void)fprintf(stderr, "override %s%s%s:%s for '%s'? ",
558 		    modep + 1, modep[9] == ' ' ? "" : " ",
559 		    user_from_uid(sp->st_uid, 0),
560 		    group_from_gid(sp->st_gid, 0), path);
561 	}
562 	(void)fflush(stderr);
563 
564 	first = ch = getchar();
565 	while (ch != '\n' && ch != EOF)
566 		ch = getchar();
567 	return (first == 'y' || first == 'Y');
568 }
569 
570 /*
571  * POSIX.2 requires that if "." or ".." are specified as the basename
572  * portion of an operand, a diagnostic message be written to standard
573  * error and nothing more be done with such operands.
574  *
575  * Since POSIX.2 defines basename as the final portion of a path after
576  * trailing slashes have been removed, we'll remove them here.
577  */
578 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
579 static void
checkdot(char ** argv)580 checkdot(char **argv)
581 {
582 	char *p, **save, **t;
583 	int complained;
584 
585 	complained = 0;
586 	for (t = argv; *t;) {
587 		/* strip trailing slashes */
588 		p = strrchr(*t, '\0');
589 		while (--p > *t && *p == '/')
590 			*p = '\0';
591 
592 		/* extract basename */
593 		if ((p = strrchr(*t, '/')) != NULL)
594 			++p;
595 		else
596 			p = *t;
597 
598 		if (ISDOT(p)) {
599 			if (!complained++)
600 				warnx("\".\" and \"..\" may not be removed");
601 			eval = 1;
602 			for (save = t; (t[0] = t[1]) != NULL; ++t)
603 				continue;
604 			t = save;
605 		} else
606 			++t;
607 	}
608 }
609 
610 static void
usage(void)611 usage(void)
612 {
613 
614 	(void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvWx] file ...\n",
615 	    getprogname());
616 	exit(1);
617 	/* NOTREACHED */
618 }
619 
620 static void
progress(int sig __unused)621 progress(int sig __unused)
622 {
623 
624 	pinfo++;
625 }
626