rm.c revision 1.2
1/* $OpenBSD: rm.c,v 1.2 2015/11/17 18:34:00 tedu Exp $ */ 2/* $NetBSD: rm.c,v 1.19 1995/09/07 06:48:50 jtc Exp $ */ 3 4/*- 5 * Copyright (c) 1990, 1993, 1994 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the University nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33#include <sys/types.h> 34#include <sys/stat.h> 35#include <sys/mount.h> 36 37#include <locale.h> 38#include <err.h> 39#include <errno.h> 40#include <fcntl.h> 41#include <fts.h> 42#include <stdio.h> 43#include <stdlib.h> 44#include <string.h> 45#include <unistd.h> 46#include <limits.h> 47#include <pwd.h> 48#include <grp.h> 49 50#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 51 52extern char *__progname; 53 54static int dflag, eval, fflag, iflag, Pflag, stdin_ok; 55 56static int check(char *, char *, struct stat *); 57static void checkdot(char **); 58static void rm_file(char **); 59static int rm_overwrite(char *, struct stat *); 60static int pass(int, off_t, char *, size_t); 61static void rm_tree(char **); 62 63static void __dead 64usage(void) 65{ 66 (void)fprintf(stderr, "usage: %s [-dfiPRr] file ...\n", __progname); 67 exit(1); 68} 69 70/* 71 * rm -- 72 * This rm is different from historic rm's, but is expected to match 73 * POSIX 1003.2 behavior. The most visible difference is that -f 74 * has two specific effects now, ignore non-existent files and force 75 * file removal. 76 */ 77int 78rmmain(int argc, char *argv[]) 79{ 80 int ch, rflag; 81 82 Pflag = rflag = 0; 83 84 fflag = 1; 85 rflag = 1; 86 87 if (Pflag) { 88 if (pledge("stdio rpath wpath cpath", NULL) == -1) 89 err(1, "pledge"); 90 } else { 91 if (pledge("stdio rpath cpath", NULL) == -1) 92 err(1, "pledge"); 93 } 94 95 if (argc < 1 && fflag == 0) 96 usage(); 97 98 checkdot(argv); 99 100 if (*argv) { 101 stdin_ok = isatty(STDIN_FILENO); 102 103 if (rflag) 104 rm_tree(argv); 105 else 106 rm_file(argv); 107 } 108 109 return (eval); 110} 111 112static void 113rm_tree(char **argv) 114{ 115 FTS *fts; 116 FTSENT *p; 117 int needstat; 118 int flags; 119 120 /* 121 * Remove a file hierarchy. If forcing removal (-f), or interactive 122 * (-i) or can't ask anyway (stdin_ok), don't stat the file. 123 */ 124 needstat = !fflag && !iflag && stdin_ok; 125 126 /* 127 * If the -i option is specified, the user can skip on the pre-order 128 * visit. The fts_number field flags skipped directories. 129 */ 130#define SKIPPED 1 131 132 flags = FTS_PHYSICAL; 133 if (!needstat) 134 flags |= FTS_NOSTAT; 135 if (!(fts = fts_open(argv, flags, NULL))) 136 err(1, NULL); 137 while ((p = fts_read(fts)) != NULL) { 138 switch (p->fts_info) { 139 case FTS_DNR: 140 if (!fflag || p->fts_errno != ENOENT) { 141 warnx("%s: %s", 142 p->fts_path, strerror(p->fts_errno)); 143 eval = 1; 144 } 145 continue; 146 case FTS_ERR: 147 errc(1, p->fts_errno, "%s", p->fts_path); 148 case FTS_NS: 149 /* 150 * FTS_NS: assume that if can't stat the file, it 151 * can't be unlinked. 152 */ 153 if (!needstat) 154 break; 155 if (!fflag || p->fts_errno != ENOENT) { 156 warnx("%s: %s", 157 p->fts_path, strerror(p->fts_errno)); 158 eval = 1; 159 } 160 continue; 161 case FTS_D: 162 /* Pre-order: give user chance to skip. */ 163 if (!fflag && !check(p->fts_path, p->fts_accpath, 164 p->fts_statp)) { 165 (void)fts_set(fts, p, FTS_SKIP); 166 p->fts_number = SKIPPED; 167 } 168 continue; 169 case FTS_DP: 170 /* Post-order: see if user skipped. */ 171 if (p->fts_number == SKIPPED) 172 continue; 173 break; 174 default: 175 if (!fflag && 176 !check(p->fts_path, p->fts_accpath, p->fts_statp)) 177 continue; 178 } 179 180 /* 181 * If we can't read or search the directory, may still be 182 * able to remove it. Don't print out the un{read,search}able 183 * message unless the remove fails. 184 */ 185 switch (p->fts_info) { 186 case FTS_DP: 187 case FTS_DNR: 188 if (!rmdir(p->fts_accpath) || 189 (fflag && errno == ENOENT)) 190 continue; 191 break; 192 193 case FTS_F: 194 case FTS_NSOK: 195 if (Pflag) 196 rm_overwrite(p->fts_accpath, p->fts_info == 197 FTS_NSOK ? NULL : p->fts_statp); 198 /* FALLTHROUGH */ 199 default: 200 if (!unlink(p->fts_accpath) || 201 (fflag && errno == ENOENT)) 202 continue; 203 } 204 warn("%s", p->fts_path); 205 eval = 1; 206 } 207 if (errno) 208 err(1, "fts_read"); 209 fts_close(fts); 210} 211 212static void 213rm_file(char **argv) 214{ 215 struct stat sb; 216 int rval; 217 char *f; 218 219 /* 220 * Remove a file. POSIX 1003.2 states that, by default, attempting 221 * to remove a directory is an error, so must always stat the file. 222 */ 223 while ((f = *argv++) != NULL) { 224 /* Assume if can't stat the file, can't unlink it. */ 225 if (lstat(f, &sb)) { 226 if (!fflag || errno != ENOENT) { 227 warn("%s", f); 228 eval = 1; 229 } 230 continue; 231 } 232 233 if (S_ISDIR(sb.st_mode) && !dflag) { 234 warnx("%s: is a directory", f); 235 eval = 1; 236 continue; 237 } 238 if (!fflag && !check(f, f, &sb)) 239 continue; 240 else if (S_ISDIR(sb.st_mode)) 241 rval = rmdir(f); 242 else { 243 if (Pflag) 244 rm_overwrite(f, &sb); 245 rval = unlink(f); 246 } 247 if (rval && (!fflag || errno != ENOENT)) { 248 warn("%s", f); 249 eval = 1; 250 } 251 } 252} 253 254/* 255 * rm_overwrite -- 256 * Overwrite the file with varying bit patterns. 257 * 258 * XXX 259 * This is a cheap way to *really* delete files. Note that only regular 260 * files are deleted, directories (and therefore names) will remain. 261 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a 262 * System V file system). In a logging file system, you'll have to have 263 * kernel support. 264 * Returns 1 for success. 265 */ 266static int 267rm_overwrite(char *file, struct stat *sbp) 268{ 269 struct stat sb, sb2; 270 struct statfs fsb; 271 size_t bsize; 272 int fd; 273 char *buf = NULL; 274 275 fd = -1; 276 if (sbp == NULL) { 277 if (lstat(file, &sb)) 278 goto err; 279 sbp = &sb; 280 } 281 if (!S_ISREG(sbp->st_mode)) 282 return (1); 283 if (sbp->st_nlink > 1) { 284 warnx("%s (inode %llu): not overwritten due to multiple links", 285 file, (unsigned long long)sbp->st_ino); 286 return (0); 287 } 288 if ((fd = open(file, O_WRONLY|O_NONBLOCK|O_NOFOLLOW, 0)) == -1) 289 goto err; 290 if (fstat(fd, &sb2)) 291 goto err; 292 if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino || 293 !S_ISREG(sb2.st_mode)) { 294 errno = EPERM; 295 goto err; 296 } 297 if (fstatfs(fd, &fsb) == -1) 298 goto err; 299 bsize = MAXIMUM(fsb.f_iosize, 1024U); 300 if ((buf = malloc(bsize)) == NULL) 301 err(1, "%s: malloc", file); 302 303 if (!pass(fd, sbp->st_size, buf, bsize)) 304 goto err; 305 if (fsync(fd)) 306 goto err; 307 close(fd); 308 free(buf); 309 return (1); 310 311err: 312 warn("%s", file); 313 close(fd); 314 eval = 1; 315 free(buf); 316 return (0); 317} 318 319static int 320pass(int fd, off_t len, char *buf, size_t bsize) 321{ 322 size_t wlen; 323 324 for (; len > 0; len -= wlen) { 325 wlen = len < bsize ? len : bsize; 326 arc4random_buf(buf, wlen); 327 if (write(fd, buf, wlen) != wlen) 328 return (0); 329 } 330 return (1); 331} 332 333static int 334check(char *path, char *name, struct stat *sp) 335{ 336 int ch, first; 337 char modep[15]; 338 339 /* Check -i first. */ 340 if (iflag) 341 (void)fprintf(stderr, "remove %s? ", path); 342 else { 343 /* 344 * If it's not a symbolic link and it's unwritable and we're 345 * talking to a terminal, ask. Symbolic links are excluded 346 * because their permissions are meaningless. Check stdin_ok 347 * first because we may not have stat'ed the file. 348 */ 349 if (!stdin_ok || S_ISLNK(sp->st_mode) || !access(name, W_OK) || 350 errno != EACCES) 351 return (1); 352 strmode(sp->st_mode, modep); 353 (void)fprintf(stderr, "override %s%s%s/%s for %s? ", 354 modep + 1, modep[9] == ' ' ? "" : " ", 355 user_from_uid(sp->st_uid, 0), 356 group_from_gid(sp->st_gid, 0), path); 357 } 358 (void)fflush(stderr); 359 360 first = ch = getchar(); 361 while (ch != '\n' && ch != EOF) 362 ch = getchar(); 363 return (first == 'y' || first == 'Y'); 364} 365 366/* 367 * POSIX.2 requires that if "." or ".." are specified as the basename 368 * portion of an operand, a diagnostic message be written to standard 369 * error and nothing more be done with such operands. 370 * 371 * Since POSIX.2 defines basename as the final portion of a path after 372 * trailing slashes have been removed, we'll remove them here. 373 */ 374#define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2]))) 375static void 376checkdot(char **argv) 377{ 378 char *p, **save, **t; 379 int complained; 380 381 complained = 0; 382 for (t = argv; *t;) { 383 /* strip trailing slashes */ 384 p = strrchr (*t, '\0'); 385 while (--p > *t && *p == '/') 386 *p = '\0'; 387 388 /* extract basename */ 389 if ((p = strrchr(*t, '/')) != NULL) 390 ++p; 391 else 392 p = *t; 393 394 if (ISDOT(p)) { 395 if (!complained++) 396 warnx("\".\" and \"..\" may not be removed"); 397 eval = 1; 398 for (save = t; (t[0] = t[1]) != NULL; ++t) 399 continue; 400 t = save; 401 } else 402 ++t; 403 } 404} 405