1 /* $MirOS: src/bin/rm/rm.c,v 1.8 2010/09/21 21:24:02 tg Exp $ */
2 /* $NetBSD: rm.c,v 1.46 2007/06/24 17:59:31 christos Exp $ */
3 /* $OpenBSD: rm.c,v 1.18 2005/06/14 19:15:35 millert Exp $ */
4
5 /*-
6 * Copyright (c) 1990, 1993, 1994, 2003
7 * The Regents of the University of California. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\n\
36 The Regents of the University of California. All rights reserved.\n");
37 __SCCSID("@(#)rm.c 8.8 (Berkeley) 4/27/95");
38 __RCSID("$NetBSD: rm.c,v 1.46 2007/06/24 17:59:31 christos Exp $");
39 __RCSID("$MirOS: src/bin/rm/rm.c,v 1.8 2010/09/21 21:24:02 tg Exp $");
40
41 #include <sys/param.h>
42 #include <sys/stat.h>
43 #include <sys/mount.h>
44
45 #include <err.h>
46 #include <errno.h>
47 #include <fcntl.h>
48 #include <fts.h>
49 #include <grp.h>
50 #include <libgen.h>
51 #include <locale.h>
52 #include <pwd.h>
53 #include <stdio.h>
54 #include <stdlib.h>
55 #include <string.h>
56 #include <unistd.h>
57 #include <pwd.h>
58 #include <grp.h>
59
60 extern const char *__progname;
61
62 int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag;
63
64 int check(char *, char *, struct stat *);
65 void checkdot(char **);
66 void rm_file(char **);
67 int rm_overwrite(char *, struct stat *);
68 void rm_tree(char **);
69 void usage(void) __dead;
70
71 /*
72 * For the sake of the `-f' flag, check whether an error number indicates the
73 * failure of an operation due to an non-existent file, either per se (ENOENT)
74 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR).
75 */
76 #define NONEXISTENT(x) \
77 ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR)
78
79 /*
80 * rm --
81 * This rm is different from historic rms, but is expected to match
82 * POSIX 1003.2 behavior. The most visible difference is that -f
83 * has two specific effects now, ignore non-existent files and force
84 * file removal.
85 */
86 int
main(int argc,char * argv[])87 main(int argc, char *argv[])
88 {
89 int ch, rflag;
90
91 #ifndef __MirBSD__ /* irrelevant, as there is only one locale */
92 setlocale(LC_ALL, "");
93 #endif
94
95 Pflag = rflag = 0;
96 while ((ch = getopt(argc, argv, "dfiPRrv")) != -1)
97 switch (ch) {
98 case 'd':
99 dflag = 1;
100 break;
101 case 'f':
102 fflag = 1;
103 iflag = 0;
104 break;
105 case 'i':
106 fflag = 0;
107 iflag = 1;
108 break;
109 case 'P':
110 Pflag = 1;
111 break;
112 case 'R':
113 case 'r': /* Compatibility. */
114 rflag = 1;
115 break;
116 case 'v':
117 vflag = 1;
118 break;
119 default:
120 usage();
121 }
122 argc -= optind;
123 argv += optind;
124
125 if (argc < 1 && fflag == 0)
126 usage();
127
128 checkdot(argv);
129
130 if (*argv) {
131 stdin_ok = isatty(STDIN_FILENO);
132
133 if (rflag)
134 rm_tree(argv);
135 else
136 rm_file(argv);
137 }
138
139 exit(eval);
140 /* NOTREACHED */
141 }
142
143 #define TRYRENAME(fn, func, rv) do { \
144 char dname[MAXPATHLEN]; \
145 size_t dcount = strlen(fn); \
146 uint64_t dhash = dcount * (intptr_t)(fn); \
147 \
148 /* for fun: push back hash of original pathname */ \
149 while (dcount--) \
150 dhash += (fn)[dcount] * dcount; \
151 arc4random_pushb_fast(&dhash, sizeof(dhash)); \
152 \
153 /* try to rename entry randomly before removal */ \
154 do { \
155 if ((size_t)snprintf(dname, sizeof (dname), \
156 "%s/rm.%08X", dirname(fn), \
157 arc4random()) >= (sizeof(dname) + 5)) { \
158 /* resulting path would be too long */ \
159 memcpy(dname, (fn), strlen(fn) + 1); \
160 break; \
161 } \
162 } while (rename((fn), dname)); \
163 rv = func(dname); \
164 } while (/* CONSTCOND */ 0)
165
166 void
rm_tree(char ** argv)167 rm_tree(char **argv)
168 {
169 FTS *fts;
170 FTSENT *p;
171 int flags, needstat, rval;
172
173 /*
174 * Remove a file hierarchy. If forcing removal (-f), or interactive
175 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
176 */
177 needstat = !fflag && !iflag && stdin_ok;
178
179 /*
180 * If the -i option is specified, the user can skip on the pre-order
181 * visit. The fts_number field flags skipped directories.
182 */
183 #define SKIPPED 1
184
185 flags = FTS_PHYSICAL;
186 if (!needstat)
187 flags |= FTS_NOSTAT;
188 if (!(fts = fts_open(argv, flags,
189 (int (*)(const FTSENT **, const FTSENT **))NULL)))
190 err(1, NULL);
191 while ((p = fts_read(fts)) != NULL) {
192
193 switch (p->fts_info) {
194 case FTS_DNR:
195 if (!fflag || p->fts_errno != ENOENT) {
196 warnx("%s: %s", p->fts_path,
197 strerror(p->fts_errno));
198 eval = 1;
199 }
200 continue;
201 case FTS_ERR:
202 errx(EXIT_FAILURE, "%s: %s", p->fts_path,
203 strerror(p->fts_errno));
204 /* NOTREACHED */
205 case FTS_NS:
206 /*
207 * FTS_NS: assume that if can't stat the file, it
208 * can't be unlinked.
209 */
210 if (fflag && NONEXISTENT(p->fts_errno))
211 continue;
212 if (needstat) {
213 warnx("%s: %s", p->fts_path,
214 strerror(p->fts_errno));
215 eval = 1;
216 continue;
217 }
218 break;
219 case FTS_D:
220 /* Pre-order: give user chance to skip. */
221 if (!fflag && !check(p->fts_path, p->fts_accpath,
222 p->fts_statp)) {
223 (void)fts_set(fts, p, FTS_SKIP);
224 p->fts_number = SKIPPED;
225 }
226 continue;
227 case FTS_DP:
228 /* Post-order: see if user skipped. */
229 if (p->fts_number == SKIPPED)
230 continue;
231 break;
232 default:
233 if (!fflag &&
234 !check(p->fts_path, p->fts_accpath, p->fts_statp))
235 continue;
236 }
237
238 rval = 0;
239 /*
240 * If we can't read or search the directory, may still be
241 * able to remove it. Don't print out the un{read,search}able
242 * message unless the remove fails.
243 */
244 switch (p->fts_info) {
245 case FTS_DP:
246 case FTS_DNR:
247 if (Pflag)
248 TRYRENAME(p->fts_accpath, rmdir, rval);
249 else
250 rval = rmdir(p->fts_accpath);
251 if (rval != 0 && fflag && errno == ENOENT)
252 continue;
253 break;
254
255 default:
256 if (Pflag) {
257 if (rm_overwrite(p->fts_accpath, NULL))
258 continue;
259 TRYRENAME(p->fts_accpath, unlink, rval);
260 } else
261 rval = unlink(p->fts_accpath);
262 if (rval != 0 && fflag && NONEXISTENT(errno))
263 continue;
264 break;
265 }
266 if (rval != 0) {
267 warn("%s", p->fts_path);
268 eval = 1;
269 } else if (vflag)
270 (void)printf("%s\n", p->fts_path);
271 }
272 if (errno)
273 err(1, "fts_read");
274 fts_close(fts);
275 }
276
277 void
rm_file(char ** argv)278 rm_file(char **argv)
279 {
280 struct stat sb;
281 int rval;
282 char *f;
283
284 /*
285 * Remove a file. POSIX 1003.2 states that, by default, attempting
286 * to remove a directory is an error, so must always stat the file.
287 */
288 while ((f = *argv++) != NULL) {
289 /* Assume if can't stat the file, can't unlink it. */
290 if (lstat(f, &sb)) {
291 if (!fflag || !NONEXISTENT(errno)) {
292 warn("%s", f);
293 eval = 1;
294 }
295 continue;
296 }
297
298 if (S_ISDIR(sb.st_mode) && !dflag) {
299 warnx("%s: is a directory", f);
300 eval = 1;
301 continue;
302 }
303 if (!fflag && !check(f, f, &sb))
304 continue;
305 else if (S_ISDIR(sb.st_mode)) {
306 if (Pflag)
307 TRYRENAME(f, rmdir, rval);
308 else
309 rval = rmdir(f);
310 } else {
311 if (Pflag) {
312 if (rm_overwrite(f, &sb))
313 continue;
314 TRYRENAME(f, unlink, rval);
315 } else
316 rval = unlink(f);
317 }
318 if (rval && (!fflag || !NONEXISTENT(errno))) {
319 warn("%s", f);
320 eval = 1;
321 }
322 if (vflag && rval == 0)
323 (void)printf("%s\n", f);
324 }
325 }
326
327 /*
328 * rm_overwrite --
329 * Overwrite the file 3 times with varying bit patterns.
330 *
331 * This is an expensive way to keep people from recovering files from your
332 * non-snapshotted FFS filesystems using fsdb(8). Really. No more. Only
333 * regular files are deleted, directories will remain.
334 * However, names are no longer recoverable as any entries deleted with -P
335 * are renamed to entries with the basename “rm.XXXXXXXX” (where ‘X’en are
336 * generated randomly) in the same parent directory first if the length of
337 * the entire pathname (including that “/rm.XXXXXXXX”) is smaller than the
338 * maximum allowed pathname length, i.e. 1024 on MirBSD.
339 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
340 * System V file system). In a logging file system, you'll have to have
341 * kernel support.
342 *
343 * A note on standards: U.S. DoD 5220.22-M "National Industrial Security
344 * Program Operating Manual" ("NISPOM") is often cited as a reference
345 * for clearing and sanitizing magnetic media. In fact, a matrix of
346 * "clearing" and "sanitization" methods for various media was given in
347 * Chapter 8 of the original 1995 version of NISPOM. However, that
348 * matrix was *removed from the document* when Chapter 8 was rewritten
349 * in Change 2 to the document in 2001. Recently, the Defense Security
350 * Service has made a revised clearing and sanitization matrix available
351 * in Microsoft Word format on the DSS web site. The standardization
352 * status of this matrix is unclear. Furthermore, one must be very
353 * careful when referring to this matrix: it is intended for the "clearing"
354 * prior to reuse or "sanitization" prior to disposal of *entire media*,
355 * not individual files and the only non-physically-destructive method of
356 * "sanitization" that is permitted for magnetic disks of any kind is
357 * specifically noted to be prohibited for media that have contained
358 * Top Secret data.
359 *
360 * It is impossible to actually conform to the exact procedure given in
361 * the matrix if one is overwriting a file, not an entire disk, because
362 * the procedure requires examination and comparison of the disk's defect
363 * lists. Any program that claims to securely erase *files* while
364 * conforming to the standard, then, is not correct. We do as much of
365 * what the standard requires as can actually be done when erasing a
366 * file, rather than an entire disk; but that does not make us conformant.
367 *
368 * Furthermore, the presence of track caches, disk and controller write
369 * caches, and so forth make it extremely difficult to ensure that data
370 * have actually been written to the disk, particularly when one tries
371 * to repeatedly overwrite the same sectors in quick succession. We call
372 * fsync(), but controllers with nonvolatile cache, as well as IDE disks
373 * that just plain lie about the stable storage of data, will defeat this.
374 *
375 * Finally, widely respected research suggests that the given procedure
376 * is nowhere near sufficient to prevent the recovery of data using special
377 * forensic equipment and techniques that are well-known. This is
378 * presumably one reason that the matrix requires physical media destruction,
379 * rather than any technique of the sort attempted here, for secret data.
380 *
381 * Caveat Emptor.
382 *
383 * rm_overwrite will return 0 on success.
384 */
385 int
rm_overwrite(char * file,struct stat * sbp)386 rm_overwrite(char *file, struct stat *sbp)
387 {
388 struct statfs fsb;
389 size_t bsize;
390 char *buf = NULL;
391
392 struct stat sb;
393 int fd;
394 char randchar;
395
396 fd = -1;
397 if (sbp == NULL) {
398 if (lstat(file, &sb))
399 goto err;
400 sbp = &sb;
401 }
402 if (!S_ISREG(sbp->st_mode))
403 return (0);
404 if (sbp->st_nlink > 1) {
405 warnx("%s (inode %u): not overwritten due to multiple links",
406 file, sbp->st_ino);
407 /* if -f return success else failure */
408 return (fflag ? 0 : 1);
409 }
410
411 /* flags to try to defeat hidden caching by forcing seeks */
412 if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC, 0)) == -1)
413 goto err;
414
415 /* find out optimal transfer size */
416 if (fstatfs(fd, &fsb) == -1)
417 goto err;
418 bsize = MAX(fsb.f_iosize, 131072U);
419 if ((buf = malloc(bsize)) == NULL)
420 err(1, "%s: malloc", file);
421
422 #define RAND_BYTES 1
423 #define THIS_BYTE 0
424
425 #define WRITE_PASS(mode, byte, buf, bufsz) do { \
426 off_t len; \
427 size_t wlen, i; \
428 u_int32_t *qbuf = (u_int32_t *)buf; \
429 \
430 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \
431 goto err; \
432 \
433 if (mode == THIS_BYTE) \
434 memset(buf, byte, bufsz); \
435 for (len = sbp->st_size; len > 0; len -= wlen) { \
436 wlen = MIN(len, bufsz); \
437 if (mode == RAND_BYTES) \
438 arc4random_buf(buf, wlen); \
439 if ((size_t)write(fd, buf, wlen) != wlen) \
440 goto err; \
441 } \
442 sync(); /* another poke at hidden caches */ \
443 } while (/* CONSTCOND */ 0)
444
445 #define READ_PASS(byte, buf, bufsz) do { \
446 off_t len; \
447 size_t rlen; \
448 char pattern[bufsz]; \
449 \
450 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \
451 goto err; \
452 \
453 memset(pattern, byte, bufsz); \
454 for (len = sbp->st_size; len > 0; len -= rlen) { \
455 rlen = MIN(len, bufsz); \
456 if ((size_t)read(fd, buf, rlen) != rlen) \
457 goto err; \
458 if (memcmp(buf, pattern, rlen)) \
459 goto err; \
460 } \
461 sync(); /* another poke at hidden caches */ \
462 } while (/* CONSTCOND */ 0)
463
464 /*
465 * DSS sanitization matrix "clear" for magnetic disks:
466 * option 'c' "Overwrite all addressable locations with a single
467 * character."
468 */
469 randchar = (char)arc4random();
470 WRITE_PASS(THIS_BYTE, randchar, buf, bsize);
471
472 /*
473 * DSS sanitization matrix "sanitize" for magnetic disks:
474 * option 'd', sub 2 "Overwrite all addressable locations with a
475 * character, then its complement. Verify "complement" character
476 * was written successfully to all addressable locations, then
477 * overwrite all addressable locations with random characters; or
478 * verify third overwrite of random characters." The rest of the
479 * text in d-sub-2 specifies requirements for overwriting spared
480 * sectors; we cannot conform to it when erasing only a file, thus
481 * we do not conform to the standard.
482 */
483
484 /* 1. "a character" */
485 WRITE_PASS(THIS_BYTE, 0xAA, buf, bsize);
486
487 /* 2. "its complement" */
488 WRITE_PASS(THIS_BYTE, 0x55, buf, bsize);
489
490 /* 3. "Verify 'complement' character" */
491 READ_PASS(0x55, buf, bsize);
492
493 /* 4. "overwrite all addressable locations with random characters" */
494
495 WRITE_PASS(RAND_BYTES, 0, buf, bsize);
496
497 /*
498 * As the file might be huge, and we note that this revision of
499 * the matrix says "random characters", not "a random character"
500 * as the original did, we do not verify the random-character
501 * write; the "or" in the standard allows this.
502 */
503
504 if (buf != NULL) {
505 free(buf);
506 buf = NULL;
507 }
508
509 if (close(fd) == -1) {
510 fd = -1;
511 goto err;
512 }
513
514 return (0);
515
516 err: eval = 1;
517 if (buf != NULL)
518 free(buf);
519 warn("%s", file);
520 if (fd != -1)
521 close(fd);
522 return (1);
523 }
524
525 int
check(char * path,char * name,struct stat * sp)526 check(char *path, char *name, struct stat *sp)
527 {
528 int ch, first;
529 char modep[15];
530
531 /* Check -i first. */
532 if (iflag)
533 (void)fprintf(stderr, "remove '%s'? ", path);
534 else {
535 /*
536 * If it's not a symbolic link and it's unwritable and we're
537 * talking to a terminal, ask. Symbolic links are excluded
538 * because their permissions are meaningless. Check stdin_ok
539 * first because we may not have stat'ed the file.
540 */
541 if (!stdin_ok || S_ISLNK(sp->st_mode) ||
542 !(access(name, W_OK) && (errno != ETXTBSY)))
543 return (1);
544 strmode(sp->st_mode, modep);
545 if (Pflag) {
546 warnx(
547 "%s: -P was specified but file could not"
548 " be overwritten", path);
549 return 0;
550 }
551 (void)fprintf(stderr, "override %s%s%s:%s for '%s'? ",
552 modep + 1, modep[9] == ' ' ? "" : " ",
553 user_from_uid(sp->st_uid, 0),
554 group_from_gid(sp->st_gid, 0), path);
555 }
556 (void)fflush(stderr);
557
558 first = ch = getchar();
559 while (ch != '\n' && ch != EOF)
560 ch = getchar();
561 return (first == 'y' || first == 'Y');
562 }
563
564 /*
565 * POSIX.2 requires that if "." or ".." are specified as the basename
566 * portion of an operand, a diagnostic message be written to standard
567 * error and nothing more be done with such operands.
568 *
569 * Since POSIX.2 defines basename as the final portion of a path after
570 * trailing slashes have been removed, we'll remove them here.
571 */
572 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
573 void
checkdot(char ** argv)574 checkdot(char **argv)
575 {
576 char *p, **save, **t;
577 int complained;
578
579 complained = 0;
580 for (t = argv; *t;) {
581 /* strip trailing slashes */
582 p = strrchr(*t, '\0');
583 while (--p > *t && *p == '/')
584 *p = '\0';
585
586 /* extract basename */
587 if ((p = strrchr(*t, '/')) != NULL)
588 ++p;
589 else
590 p = *t;
591
592 if (ISDOT(p)) {
593 if (!complained++)
594 warnx("\".\" and \"..\" may not be removed");
595 eval = 1;
596 for (save = t; (t[0] = t[1]) != NULL; ++t)
597 continue;
598 t = save;
599 } else
600 ++t;
601 }
602 }
603
604 void
usage(void)605 usage(void)
606 {
607 (void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrv] file ...\n",
608 __progname);
609 exit(1);
610 /* NOTREACHED */
611 }
612