1/* $NetBSD: rm.c,v 1.54 2021/09/10 22:11:03 rillig Exp $ */
2
3/*-
4 * Copyright (c) 1990, 1993, 1994, 2003
5 *	The Regents of the University of California.  All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 *    may be used to endorse or promote products derived from this software
17 *    without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32#include <sys/cdefs.h>
33#ifndef lint
34__COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\
35 The Regents of the University of California.  All rights reserved.");
36#endif /* not lint */
37
38#ifndef lint
39#if 0
40static char sccsid[] = "@(#)rm.c	8.8 (Berkeley) 4/27/95";
41#else
42__RCSID("$NetBSD: rm.c,v 1.54 2021/09/10 22:11:03 rillig Exp $");
43#endif
44#endif /* not lint */
45
46#include <sys/param.h>
47#include <sys/stat.h>
48#include <sys/types.h>
49
50#include <err.h>
51#include <errno.h>
52#include <fcntl.h>
53#include <fts.h>
54#include <grp.h>
55#include <locale.h>
56#include <pwd.h>
57#include <signal.h>
58#include <stdio.h>
59#include <stdlib.h>
60#include <string.h>
61#include <unistd.h>
62
63static int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag;
64static int xflag;
65static sig_atomic_t pinfo;
66
67static int	check(char *, char *, struct stat *);
68static void	checkdot(char **);
69static void	progress(int);
70static void	rm_file(char **);
71static int	rm_overwrite(char *, struct stat *);
72static void	rm_tree(char **);
73__dead static void	usage(void);
74
75/*
76 * For the sake of the `-f' flag, check whether an error number indicates the
77 * failure of an operation due to an non-existent file, either per se (ENOENT)
78 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR).
79 */
80#define NONEXISTENT(x) \
81    ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR)
82
83/*
84 * rm --
85 *	This rm is different from historic rm's, but is expected to match
86 *	POSIX 1003.2 behavior.  The most visible difference is that -f
87 *	has two specific effects now, ignore non-existent files and force
88 * 	file removal.
89 */
90int
91main(int argc, char *argv[])
92{
93	int ch, rflag;
94
95	setprogname(argv[0]);
96	(void)setlocale(LC_ALL, "");
97
98	Pflag = rflag = xflag = 0;
99	while ((ch = getopt(argc, argv, "dfiPRrvWx")) != -1)
100		switch (ch) {
101		case 'd':
102			dflag = 1;
103			break;
104		case 'f':
105			fflag = 1;
106			iflag = 0;
107			break;
108		case 'i':
109			fflag = 0;
110			iflag = 1;
111			break;
112		case 'P':
113			Pflag = 1;
114			break;
115		case 'R':
116		case 'r':			/* Compatibility. */
117			rflag = 1;
118			break;
119		case 'v':
120			vflag = 1;
121			break;
122		case 'x':
123			xflag = 1;
124			break;
125		case 'W':
126			Wflag = 1;
127			break;
128		case '?':
129		default:
130			usage();
131		}
132	argc -= optind;
133	argv += optind;
134
135	if (argc < 1) {
136		if (fflag)
137			return 0;
138		usage();
139	}
140
141	(void)signal(SIGINFO, progress);
142
143	checkdot(argv);
144
145	if (*argv) {
146		stdin_ok = isatty(STDIN_FILENO);
147
148		if (rflag)
149			rm_tree(argv);
150		else
151			rm_file(argv);
152	}
153
154	exit(eval);
155	/* NOTREACHED */
156}
157
158static void
159rm_tree(char **argv)
160{
161	FTS *fts;
162	FTSENT *p;
163	int flags, needstat, rval;
164
165	/*
166	 * Remove a file hierarchy.  If forcing removal (-f), or interactive
167	 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
168	 */
169	needstat = !fflag && !iflag && stdin_ok;
170
171	/*
172	 * If the -i option is specified, the user can skip on the pre-order
173	 * visit.  The fts_number field flags skipped directories.
174	 */
175#define	SKIPPED	1
176
177	flags = FTS_PHYSICAL;
178	if (!needstat)
179		flags |= FTS_NOSTAT;
180	if (Wflag)
181		flags |= FTS_WHITEOUT;
182	if (xflag)
183		flags |= FTS_XDEV;
184	if ((fts = fts_open(argv, flags, NULL)) == NULL)
185		err(1, "fts_open failed");
186	while ((p = fts_read(fts)) != NULL) {
187
188		switch (p->fts_info) {
189		case FTS_DNR:
190			if (!fflag || p->fts_errno != ENOENT) {
191				warnx("%s: %s", p->fts_path,
192						strerror(p->fts_errno));
193				eval = 1;
194			}
195			continue;
196		case FTS_ERR:
197			errx(EXIT_FAILURE, "%s: %s", p->fts_path,
198					strerror(p->fts_errno));
199			/* NOTREACHED */
200		case FTS_NS:
201			/*
202			 * FTS_NS: assume that if can't stat the file, it
203			 * can't be unlinked.
204			 */
205			if (fflag && NONEXISTENT(p->fts_errno))
206				continue;
207			if (needstat) {
208				warnx("%s: %s", p->fts_path,
209						strerror(p->fts_errno));
210				eval = 1;
211				continue;
212			}
213			break;
214		case FTS_D:
215			/* Pre-order: give user chance to skip. */
216			if (!fflag && !check(p->fts_path, p->fts_accpath,
217			    p->fts_statp)) {
218				(void)fts_set(fts, p, FTS_SKIP);
219				p->fts_number = SKIPPED;
220			}
221			continue;
222		case FTS_DP:
223			/* Post-order: see if user skipped. */
224			if (p->fts_number == SKIPPED)
225				continue;
226			break;
227		default:
228			if (!fflag &&
229			    !check(p->fts_path, p->fts_accpath, p->fts_statp))
230				continue;
231		}
232
233		rval = 0;
234		/*
235		 * If we can't read or search the directory, may still be
236		 * able to remove it.  Don't print out the un{read,search}able
237		 * message unless the remove fails.
238		 */
239		switch (p->fts_info) {
240		case FTS_DP:
241		case FTS_DNR:
242			rval = rmdir(p->fts_accpath);
243			if (rval != 0 && fflag && errno == ENOENT)
244				continue;
245			break;
246
247		case FTS_W:
248			rval = undelete(p->fts_accpath);
249			if (rval != 0 && fflag && errno == ENOENT)
250				continue;
251			break;
252
253		default:
254			if (Pflag) {
255				if (rm_overwrite(p->fts_accpath, NULL))
256					continue;
257			}
258			rval = unlink(p->fts_accpath);
259			if (rval != 0 && fflag && NONEXISTENT(errno))
260				continue;
261			break;
262		}
263		if (rval != 0) {
264			warn("%s", p->fts_path);
265			eval = 1;
266		} else if (vflag || pinfo) {
267			pinfo = 0;
268			(void)printf("%s\n", p->fts_path);
269		}
270	}
271	if (errno)
272		err(1, "fts_read");
273	fts_close(fts);
274}
275
276static void
277rm_file(char **argv)
278{
279	struct stat sb;
280	int rval;
281	char *f;
282
283	/*
284	 * Remove a file.  POSIX 1003.2 states that, by default, attempting
285	 * to remove a directory is an error, so must always stat the file.
286	 */
287	while ((f = *argv++) != NULL) {
288		/* Assume if can't stat the file, can't unlink it. */
289		if (lstat(f, &sb)) {
290			if (Wflag) {
291				sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR;
292			} else {
293				if (!fflag || !NONEXISTENT(errno)) {
294					warn("%s", f);
295					eval = 1;
296				}
297				continue;
298			}
299		} else if (Wflag) {
300			warnx("%s: %s", f, strerror(EEXIST));
301			eval = 1;
302			continue;
303		}
304
305		if (S_ISDIR(sb.st_mode) && !dflag) {
306			warnx("%s: is a directory", f);
307			eval = 1;
308			continue;
309		}
310		if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb))
311			continue;
312		if (S_ISWHT(sb.st_mode))
313			rval = undelete(f);
314		else if (S_ISDIR(sb.st_mode))
315			rval = rmdir(f);
316		else {
317			if (Pflag) {
318				if (rm_overwrite(f, &sb))
319					continue;
320			}
321			rval = unlink(f);
322		}
323		if (rval && (!fflag || !NONEXISTENT(errno))) {
324			warn("%s", f);
325			eval = 1;
326		}
327		if (vflag && rval == 0)
328			(void)printf("%s\n", f);
329	}
330}
331
332/*
333 * rm_overwrite --
334 *	Overwrite the file 3 times with varying bit patterns.
335 *
336 * This is an expensive way to keep people from recovering files from your
337 * non-snapshotted FFS filesystems using fsdb(8).  Really.  No more.  Only
338 * regular files are deleted, directories (and therefore names) will remain.
339 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
340 * System V file system).  In a logging file system, you'll have to have
341 * kernel support.
342 *
343 * A note on standards:  U.S. DoD 5220.22-M "National Industrial Security
344 * Program Operating Manual" ("NISPOM") is often cited as a reference
345 * for clearing and sanitizing magnetic media.  In fact, a matrix of
346 * "clearing" and "sanitization" methods for various media was given in
347 * Chapter 8 of the original 1995 version of NISPOM.  However, that
348 * matrix was *removed from the document* when Chapter 8 was rewritten
349 * in Change 2 to the document in 2001.  Recently, the Defense Security
350 * Service has made a revised clearing and sanitization matrix available
351 * in Microsoft Word format on the DSS web site.  The standardization
352 * status of this matrix is unclear.  Furthermore, one must be very
353 * careful when referring to this matrix: it is intended for the "clearing"
354 * prior to reuse or "sanitization" prior to disposal of *entire media*,
355 * not individual files and the only non-physically-destructive method of
356 * "sanitization" that is permitted for magnetic disks of any kind is
357 * specifically noted to be prohibited for media that have contained
358 * Top Secret data.
359 *
360 * It is impossible to actually conform to the exact procedure given in
361 * the matrix if one is overwriting a file, not an entire disk, because
362 * the procedure requires examination and comparison of the disk's defect
363 * lists.  Any program that claims to securely erase *files* while
364 * conforming to the standard, then, is not correct.  We do as much of
365 * what the standard requires as can actually be done when erasing a
366 * file, rather than an entire disk; but that does not make us conformant.
367 *
368 * Furthermore, the presence of track caches, disk and controller write
369 * caches, and so forth make it extremely difficult to ensure that data
370 * have actually been written to the disk, particularly when one tries
371 * to repeatedly overwrite the same sectors in quick succession.  We call
372 * fsync(), but controllers with nonvolatile cache, as well as IDE disks
373 * that just plain lie about the stable storage of data, will defeat this.
374 *
375 * Finally, widely respected research suggests that the given procedure
376 * is nowhere near sufficient to prevent the recovery of data using special
377 * forensic equipment and techniques that are well-known.  This is
378 * presumably one reason that the matrix requires physical media destruction,
379 * rather than any technique of the sort attempted here, for secret data.
380 *
381 * Caveat Emptor.
382 *
383 * rm_overwrite will return 0 on success.
384 */
385
386static int
387rm_overwrite(char *file, struct stat *sbp)
388{
389	struct stat sb, sb2;
390	int fd, randint;
391	char randchar;
392
393	fd = -1;
394	if (sbp == NULL) {
395		if (lstat(file, &sb))
396			goto err;
397		sbp = &sb;
398	}
399	if (!S_ISREG(sbp->st_mode))
400		return 0;
401
402	/* flags to try to defeat hidden caching by forcing seeks */
403	if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC|O_NOFOLLOW, 0)) == -1)
404		goto err;
405
406	if (fstat(fd, &sb2)) {
407		goto err;
408	}
409
410	if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino ||
411	    !S_ISREG(sb2.st_mode)) {
412		errno = EPERM;
413		goto err;
414	}
415
416#define RAND_BYTES	1
417#define THIS_BYTE	0
418
419#define	WRITE_PASS(mode, byte) do {					\
420	off_t len;							\
421	size_t wlen, i;							\
422	char buf[8 * 1024];						\
423									\
424	if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET))			\
425		goto err;						\
426									\
427	if (mode == THIS_BYTE)						\
428		memset(buf, byte, sizeof(buf));				\
429	for (len = sbp->st_size; len > 0; len -= wlen) {		\
430		if (mode == RAND_BYTES) {				\
431			for (i = 0; i < sizeof(buf); 			\
432			    i+= sizeof(u_int32_t))			\
433				*(int *)(buf + i) = arc4random();	\
434		}							\
435		wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
436		if ((size_t)write(fd, buf, wlen) != wlen)		\
437			goto err;					\
438	}								\
439	sync();		/* another poke at hidden caches */		\
440} while (0)
441
442#define READ_PASS(byte) do {						\
443	off_t len;							\
444	size_t rlen;							\
445	char pattern[8 * 1024];						\
446	char buf[8 * 1024];						\
447									\
448	if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET))			\
449		goto err;						\
450									\
451	memset(pattern, byte, sizeof(pattern));				\
452	for(len = sbp->st_size; len > 0; len -= rlen) {			\
453		rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
454		if((size_t)read(fd, buf, rlen) != rlen)			\
455			goto err;					\
456		if(memcmp(buf, pattern, rlen))				\
457			goto err;					\
458	}								\
459	sync();		/* another poke at hidden caches */		\
460} while (0)
461
462	/*
463	 * DSS sanitization matrix "clear" for magnetic disks:
464	 * option 'c' "Overwrite all addressable locations with a single
465	 * character."
466	 */
467	randint = arc4random();
468	randchar = *(char *)&randint;
469	WRITE_PASS(THIS_BYTE, randchar);
470
471	/*
472	 * DSS sanitization matrix "sanitize" for magnetic disks:
473	 * option 'd', sub 2 "Overwrite all addressable locations with a
474	 * character, then its complement.  Verify "complement" character
475	 * was written successfully to all addressable locations, then
476	 * overwrite all addressable locations with random characters; or
477	 * verify third overwrite of random characters."  The rest of the
478	 * text in d-sub-2 specifies requirements for overwriting spared
479	 * sectors; we cannot conform to it when erasing only a file, thus
480	 * we do not conform to the standard.
481	 */
482
483	/* 1. "a character" */
484	WRITE_PASS(THIS_BYTE, 0xff);
485
486	/* 2. "its complement" */
487	WRITE_PASS(THIS_BYTE, 0x00);
488
489	/* 3. "Verify 'complement' character" */
490	READ_PASS(0x00);
491
492	/* 4. "overwrite all addressable locations with random characters" */
493
494	WRITE_PASS(RAND_BYTES, 0x00);
495
496	/*
497	 * As the file might be huge, and we note that this revision of
498	 * the matrix says "random characters", not "a random character"
499	 * as the original did, we do not verify the random-character
500	 * write; the "or" in the standard allows this.
501	 */
502
503	if (close(fd) == -1) {
504		fd = -1;
505		goto err;
506	}
507
508	return 0;
509
510err:	eval = 1;
511	warn("%s", file);
512	if (fd != -1)
513		close(fd);
514	return 1;
515}
516
517static int
518check(char *path, char *name, struct stat *sp)
519{
520	int ch, first;
521	char modep[15];
522
523	/* Check -i first. */
524	if (iflag)
525		(void)fprintf(stderr, "remove '%s'? ", path);
526	else {
527		/*
528		 * If it's not a symbolic link and it's unwritable and we're
529		 * talking to a terminal, ask.  Symbolic links are excluded
530		 * because their permissions are meaningless.  Check stdin_ok
531		 * first because we may not have stat'ed the file.
532		 */
533		if (!stdin_ok || S_ISLNK(sp->st_mode) ||
534		    !(access(name, W_OK) && (errno != ETXTBSY)))
535			return (1);
536		strmode(sp->st_mode, modep);
537		if (Pflag) {
538			warnx(
539			    "%s: -P was specified but file could not"
540			    " be overwritten", path);
541			return 0;
542		}
543		(void)fprintf(stderr, "override %s%s%s:%s for '%s'? ",
544		    modep + 1, modep[9] == ' ' ? "" : " ",
545		    user_from_uid(sp->st_uid, 0),
546		    group_from_gid(sp->st_gid, 0), path);
547	}
548	(void)fflush(stderr);
549
550	first = ch = getchar();
551	while (ch != '\n' && ch != EOF)
552		ch = getchar();
553	return (first == 'y' || first == 'Y');
554}
555
556/*
557 * POSIX.2 requires that if "." or ".." are specified as the basename
558 * portion of an operand, a diagnostic message be written to standard
559 * error and nothing more be done with such operands.
560 *
561 * Since POSIX.2 defines basename as the final portion of a path after
562 * trailing slashes have been removed, we'll remove them here.
563 */
564#define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
565static void
566checkdot(char **argv)
567{
568	char *p, **save, **t;
569	int complained;
570
571	complained = 0;
572	for (t = argv; *t;) {
573		/* strip trailing slashes */
574		p = strrchr(*t, '\0');
575		while (--p > *t && *p == '/')
576			*p = '\0';
577
578		/* extract basename */
579		if ((p = strrchr(*t, '/')) != NULL)
580			++p;
581		else
582			p = *t;
583
584		if (ISDOT(p)) {
585			if (!complained++)
586				warnx("\".\" and \"..\" may not be removed");
587			eval = 1;
588			for (save = t; (t[0] = t[1]) != NULL; ++t)
589				continue;
590			t = save;
591		} else
592			++t;
593	}
594}
595
596static void
597usage(void)
598{
599
600	(void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvWx] file ...\n",
601	    getprogname());
602	exit(1);
603	/* NOTREACHED */
604}
605
606static void
607progress(int sig __unused)
608{
609
610	pinfo++;
611}
612