1/* $NetBSD: rm.c,v 1.54 2021/09/10 22:11:03 rillig Exp $ */ 2 3/*- 4 * Copyright (c) 1990, 1993, 1994, 2003 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32#include <sys/cdefs.h> 33#ifndef lint 34__COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\ 35 The Regents of the University of California. All rights reserved."); 36#endif /* not lint */ 37 38#ifndef lint 39#if 0 40static char sccsid[] = "@(#)rm.c 8.8 (Berkeley) 4/27/95"; 41#else 42__RCSID("$NetBSD: rm.c,v 1.54 2021/09/10 22:11:03 rillig Exp $"); 43#endif 44#endif /* not lint */ 45 46#include <sys/param.h> 47#include <sys/stat.h> 48#include <sys/types.h> 49 50#include <err.h> 51#include <errno.h> 52#include <fcntl.h> 53#include <fts.h> 54#include <grp.h> 55#include <locale.h> 56#include <pwd.h> 57#include <signal.h> 58#include <stdio.h> 59#include <stdlib.h> 60#include <string.h> 61#include <unistd.h> 62 63static int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag; 64static int xflag; 65static sig_atomic_t pinfo; 66 67static int check(char *, char *, struct stat *); 68static void checkdot(char **); 69static void progress(int); 70static void rm_file(char **); 71static int rm_overwrite(char *, struct stat *); 72static void rm_tree(char **); 73__dead static void usage(void); 74 75/* 76 * For the sake of the `-f' flag, check whether an error number indicates the 77 * failure of an operation due to an non-existent file, either per se (ENOENT) 78 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR). 79 */ 80#define NONEXISTENT(x) \ 81 ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR) 82 83/* 84 * rm -- 85 * This rm is different from historic rm's, but is expected to match 86 * POSIX 1003.2 behavior. The most visible difference is that -f 87 * has two specific effects now, ignore non-existent files and force 88 * file removal. 89 */ 90int 91main(int argc, char *argv[]) 92{ 93 int ch, rflag; 94 95 setprogname(argv[0]); 96 (void)setlocale(LC_ALL, ""); 97 98 Pflag = rflag = xflag = 0; 99 while ((ch = getopt(argc, argv, "dfiPRrvWx")) != -1) 100 switch (ch) { 101 case 'd': 102 dflag = 1; 103 break; 104 case 'f': 105 fflag = 1; 106 iflag = 0; 107 break; 108 case 'i': 109 fflag = 0; 110 iflag = 1; 111 break; 112 case 'P': 113 Pflag = 1; 114 break; 115 case 'R': 116 case 'r': /* Compatibility. */ 117 rflag = 1; 118 break; 119 case 'v': 120 vflag = 1; 121 break; 122 case 'x': 123 xflag = 1; 124 break; 125 case 'W': 126 Wflag = 1; 127 break; 128 case '?': 129 default: 130 usage(); 131 } 132 argc -= optind; 133 argv += optind; 134 135 if (argc < 1) { 136 if (fflag) 137 return 0; 138 usage(); 139 } 140 141 (void)signal(SIGINFO, progress); 142 143 checkdot(argv); 144 145 if (*argv) { 146 stdin_ok = isatty(STDIN_FILENO); 147 148 if (rflag) 149 rm_tree(argv); 150 else 151 rm_file(argv); 152 } 153 154 exit(eval); 155 /* NOTREACHED */ 156} 157 158static void 159rm_tree(char **argv) 160{ 161 FTS *fts; 162 FTSENT *p; 163 int flags, needstat, rval; 164 165 /* 166 * Remove a file hierarchy. If forcing removal (-f), or interactive 167 * (-i) or can't ask anyway (stdin_ok), don't stat the file. 168 */ 169 needstat = !fflag && !iflag && stdin_ok; 170 171 /* 172 * If the -i option is specified, the user can skip on the pre-order 173 * visit. The fts_number field flags skipped directories. 174 */ 175#define SKIPPED 1 176 177 flags = FTS_PHYSICAL; 178 if (!needstat) 179 flags |= FTS_NOSTAT; 180 if (Wflag) 181 flags |= FTS_WHITEOUT; 182 if (xflag) 183 flags |= FTS_XDEV; 184 if ((fts = fts_open(argv, flags, NULL)) == NULL) 185 err(1, "fts_open failed"); 186 while ((p = fts_read(fts)) != NULL) { 187 188 switch (p->fts_info) { 189 case FTS_DNR: 190 if (!fflag || p->fts_errno != ENOENT) { 191 warnx("%s: %s", p->fts_path, 192 strerror(p->fts_errno)); 193 eval = 1; 194 } 195 continue; 196 case FTS_ERR: 197 errx(EXIT_FAILURE, "%s: %s", p->fts_path, 198 strerror(p->fts_errno)); 199 /* NOTREACHED */ 200 case FTS_NS: 201 /* 202 * FTS_NS: assume that if can't stat the file, it 203 * can't be unlinked. 204 */ 205 if (fflag && NONEXISTENT(p->fts_errno)) 206 continue; 207 if (needstat) { 208 warnx("%s: %s", p->fts_path, 209 strerror(p->fts_errno)); 210 eval = 1; 211 continue; 212 } 213 break; 214 case FTS_D: 215 /* Pre-order: give user chance to skip. */ 216 if (!fflag && !check(p->fts_path, p->fts_accpath, 217 p->fts_statp)) { 218 (void)fts_set(fts, p, FTS_SKIP); 219 p->fts_number = SKIPPED; 220 } 221 continue; 222 case FTS_DP: 223 /* Post-order: see if user skipped. */ 224 if (p->fts_number == SKIPPED) 225 continue; 226 break; 227 default: 228 if (!fflag && 229 !check(p->fts_path, p->fts_accpath, p->fts_statp)) 230 continue; 231 } 232 233 rval = 0; 234 /* 235 * If we can't read or search the directory, may still be 236 * able to remove it. Don't print out the un{read,search}able 237 * message unless the remove fails. 238 */ 239 switch (p->fts_info) { 240 case FTS_DP: 241 case FTS_DNR: 242 rval = rmdir(p->fts_accpath); 243 if (rval != 0 && fflag && errno == ENOENT) 244 continue; 245 break; 246 247 case FTS_W: 248 rval = undelete(p->fts_accpath); 249 if (rval != 0 && fflag && errno == ENOENT) 250 continue; 251 break; 252 253 default: 254 if (Pflag) { 255 if (rm_overwrite(p->fts_accpath, NULL)) 256 continue; 257 } 258 rval = unlink(p->fts_accpath); 259 if (rval != 0 && fflag && NONEXISTENT(errno)) 260 continue; 261 break; 262 } 263 if (rval != 0) { 264 warn("%s", p->fts_path); 265 eval = 1; 266 } else if (vflag || pinfo) { 267 pinfo = 0; 268 (void)printf("%s\n", p->fts_path); 269 } 270 } 271 if (errno) 272 err(1, "fts_read"); 273 fts_close(fts); 274} 275 276static void 277rm_file(char **argv) 278{ 279 struct stat sb; 280 int rval; 281 char *f; 282 283 /* 284 * Remove a file. POSIX 1003.2 states that, by default, attempting 285 * to remove a directory is an error, so must always stat the file. 286 */ 287 while ((f = *argv++) != NULL) { 288 /* Assume if can't stat the file, can't unlink it. */ 289 if (lstat(f, &sb)) { 290 if (Wflag) { 291 sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR; 292 } else { 293 if (!fflag || !NONEXISTENT(errno)) { 294 warn("%s", f); 295 eval = 1; 296 } 297 continue; 298 } 299 } else if (Wflag) { 300 warnx("%s: %s", f, strerror(EEXIST)); 301 eval = 1; 302 continue; 303 } 304 305 if (S_ISDIR(sb.st_mode) && !dflag) { 306 warnx("%s: is a directory", f); 307 eval = 1; 308 continue; 309 } 310 if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb)) 311 continue; 312 if (S_ISWHT(sb.st_mode)) 313 rval = undelete(f); 314 else if (S_ISDIR(sb.st_mode)) 315 rval = rmdir(f); 316 else { 317 if (Pflag) { 318 if (rm_overwrite(f, &sb)) 319 continue; 320 } 321 rval = unlink(f); 322 } 323 if (rval && (!fflag || !NONEXISTENT(errno))) { 324 warn("%s", f); 325 eval = 1; 326 } 327 if (vflag && rval == 0) 328 (void)printf("%s\n", f); 329 } 330} 331 332/* 333 * rm_overwrite -- 334 * Overwrite the file 3 times with varying bit patterns. 335 * 336 * This is an expensive way to keep people from recovering files from your 337 * non-snapshotted FFS filesystems using fsdb(8). Really. No more. Only 338 * regular files are deleted, directories (and therefore names) will remain. 339 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a 340 * System V file system). In a logging file system, you'll have to have 341 * kernel support. 342 * 343 * A note on standards: U.S. DoD 5220.22-M "National Industrial Security 344 * Program Operating Manual" ("NISPOM") is often cited as a reference 345 * for clearing and sanitizing magnetic media. In fact, a matrix of 346 * "clearing" and "sanitization" methods for various media was given in 347 * Chapter 8 of the original 1995 version of NISPOM. However, that 348 * matrix was *removed from the document* when Chapter 8 was rewritten 349 * in Change 2 to the document in 2001. Recently, the Defense Security 350 * Service has made a revised clearing and sanitization matrix available 351 * in Microsoft Word format on the DSS web site. The standardization 352 * status of this matrix is unclear. Furthermore, one must be very 353 * careful when referring to this matrix: it is intended for the "clearing" 354 * prior to reuse or "sanitization" prior to disposal of *entire media*, 355 * not individual files and the only non-physically-destructive method of 356 * "sanitization" that is permitted for magnetic disks of any kind is 357 * specifically noted to be prohibited for media that have contained 358 * Top Secret data. 359 * 360 * It is impossible to actually conform to the exact procedure given in 361 * the matrix if one is overwriting a file, not an entire disk, because 362 * the procedure requires examination and comparison of the disk's defect 363 * lists. Any program that claims to securely erase *files* while 364 * conforming to the standard, then, is not correct. We do as much of 365 * what the standard requires as can actually be done when erasing a 366 * file, rather than an entire disk; but that does not make us conformant. 367 * 368 * Furthermore, the presence of track caches, disk and controller write 369 * caches, and so forth make it extremely difficult to ensure that data 370 * have actually been written to the disk, particularly when one tries 371 * to repeatedly overwrite the same sectors in quick succession. We call 372 * fsync(), but controllers with nonvolatile cache, as well as IDE disks 373 * that just plain lie about the stable storage of data, will defeat this. 374 * 375 * Finally, widely respected research suggests that the given procedure 376 * is nowhere near sufficient to prevent the recovery of data using special 377 * forensic equipment and techniques that are well-known. This is 378 * presumably one reason that the matrix requires physical media destruction, 379 * rather than any technique of the sort attempted here, for secret data. 380 * 381 * Caveat Emptor. 382 * 383 * rm_overwrite will return 0 on success. 384 */ 385 386static int 387rm_overwrite(char *file, struct stat *sbp) 388{ 389 struct stat sb, sb2; 390 int fd, randint; 391 char randchar; 392 393 fd = -1; 394 if (sbp == NULL) { 395 if (lstat(file, &sb)) 396 goto err; 397 sbp = &sb; 398 } 399 if (!S_ISREG(sbp->st_mode)) 400 return 0; 401 402 /* flags to try to defeat hidden caching by forcing seeks */ 403 if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC|O_NOFOLLOW, 0)) == -1) 404 goto err; 405 406 if (fstat(fd, &sb2)) { 407 goto err; 408 } 409 410 if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino || 411 !S_ISREG(sb2.st_mode)) { 412 errno = EPERM; 413 goto err; 414 } 415 416#define RAND_BYTES 1 417#define THIS_BYTE 0 418 419#define WRITE_PASS(mode, byte) do { \ 420 off_t len; \ 421 size_t wlen, i; \ 422 char buf[8 * 1024]; \ 423 \ 424 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 425 goto err; \ 426 \ 427 if (mode == THIS_BYTE) \ 428 memset(buf, byte, sizeof(buf)); \ 429 for (len = sbp->st_size; len > 0; len -= wlen) { \ 430 if (mode == RAND_BYTES) { \ 431 for (i = 0; i < sizeof(buf); \ 432 i+= sizeof(u_int32_t)) \ 433 *(int *)(buf + i) = arc4random(); \ 434 } \ 435 wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \ 436 if ((size_t)write(fd, buf, wlen) != wlen) \ 437 goto err; \ 438 } \ 439 sync(); /* another poke at hidden caches */ \ 440} while (0) 441 442#define READ_PASS(byte) do { \ 443 off_t len; \ 444 size_t rlen; \ 445 char pattern[8 * 1024]; \ 446 char buf[8 * 1024]; \ 447 \ 448 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 449 goto err; \ 450 \ 451 memset(pattern, byte, sizeof(pattern)); \ 452 for(len = sbp->st_size; len > 0; len -= rlen) { \ 453 rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \ 454 if((size_t)read(fd, buf, rlen) != rlen) \ 455 goto err; \ 456 if(memcmp(buf, pattern, rlen)) \ 457 goto err; \ 458 } \ 459 sync(); /* another poke at hidden caches */ \ 460} while (0) 461 462 /* 463 * DSS sanitization matrix "clear" for magnetic disks: 464 * option 'c' "Overwrite all addressable locations with a single 465 * character." 466 */ 467 randint = arc4random(); 468 randchar = *(char *)&randint; 469 WRITE_PASS(THIS_BYTE, randchar); 470 471 /* 472 * DSS sanitization matrix "sanitize" for magnetic disks: 473 * option 'd', sub 2 "Overwrite all addressable locations with a 474 * character, then its complement. Verify "complement" character 475 * was written successfully to all addressable locations, then 476 * overwrite all addressable locations with random characters; or 477 * verify third overwrite of random characters." The rest of the 478 * text in d-sub-2 specifies requirements for overwriting spared 479 * sectors; we cannot conform to it when erasing only a file, thus 480 * we do not conform to the standard. 481 */ 482 483 /* 1. "a character" */ 484 WRITE_PASS(THIS_BYTE, 0xff); 485 486 /* 2. "its complement" */ 487 WRITE_PASS(THIS_BYTE, 0x00); 488 489 /* 3. "Verify 'complement' character" */ 490 READ_PASS(0x00); 491 492 /* 4. "overwrite all addressable locations with random characters" */ 493 494 WRITE_PASS(RAND_BYTES, 0x00); 495 496 /* 497 * As the file might be huge, and we note that this revision of 498 * the matrix says "random characters", not "a random character" 499 * as the original did, we do not verify the random-character 500 * write; the "or" in the standard allows this. 501 */ 502 503 if (close(fd) == -1) { 504 fd = -1; 505 goto err; 506 } 507 508 return 0; 509 510err: eval = 1; 511 warn("%s", file); 512 if (fd != -1) 513 close(fd); 514 return 1; 515} 516 517static int 518check(char *path, char *name, struct stat *sp) 519{ 520 int ch, first; 521 char modep[15]; 522 523 /* Check -i first. */ 524 if (iflag) 525 (void)fprintf(stderr, "remove '%s'? ", path); 526 else { 527 /* 528 * If it's not a symbolic link and it's unwritable and we're 529 * talking to a terminal, ask. Symbolic links are excluded 530 * because their permissions are meaningless. Check stdin_ok 531 * first because we may not have stat'ed the file. 532 */ 533 if (!stdin_ok || S_ISLNK(sp->st_mode) || 534 !(access(name, W_OK) && (errno != ETXTBSY))) 535 return (1); 536 strmode(sp->st_mode, modep); 537 if (Pflag) { 538 warnx( 539 "%s: -P was specified but file could not" 540 " be overwritten", path); 541 return 0; 542 } 543 (void)fprintf(stderr, "override %s%s%s:%s for '%s'? ", 544 modep + 1, modep[9] == ' ' ? "" : " ", 545 user_from_uid(sp->st_uid, 0), 546 group_from_gid(sp->st_gid, 0), path); 547 } 548 (void)fflush(stderr); 549 550 first = ch = getchar(); 551 while (ch != '\n' && ch != EOF) 552 ch = getchar(); 553 return (first == 'y' || first == 'Y'); 554} 555 556/* 557 * POSIX.2 requires that if "." or ".." are specified as the basename 558 * portion of an operand, a diagnostic message be written to standard 559 * error and nothing more be done with such operands. 560 * 561 * Since POSIX.2 defines basename as the final portion of a path after 562 * trailing slashes have been removed, we'll remove them here. 563 */ 564#define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2]))) 565static void 566checkdot(char **argv) 567{ 568 char *p, **save, **t; 569 int complained; 570 571 complained = 0; 572 for (t = argv; *t;) { 573 /* strip trailing slashes */ 574 p = strrchr(*t, '\0'); 575 while (--p > *t && *p == '/') 576 *p = '\0'; 577 578 /* extract basename */ 579 if ((p = strrchr(*t, '/')) != NULL) 580 ++p; 581 else 582 p = *t; 583 584 if (ISDOT(p)) { 585 if (!complained++) 586 warnx("\".\" and \"..\" may not be removed"); 587 eval = 1; 588 for (save = t; (t[0] = t[1]) != NULL; ++t) 589 continue; 590 t = save; 591 } else 592 ++t; 593 } 594} 595 596static void 597usage(void) 598{ 599 600 (void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvWx] file ...\n", 601 getprogname()); 602 exit(1); 603 /* NOTREACHED */ 604} 605 606static void 607progress(int sig __unused) 608{ 609 610 pinfo++; 611} 612