rm.c revision 1.3
1/* $OpenBSD: rm.c,v 1.3 2015/11/17 18:52:10 tedu Exp $ */ 2/* $NetBSD: rm.c,v 1.19 1995/09/07 06:48:50 jtc Exp $ */ 3 4/*- 5 * Copyright (c) 1990, 1993, 1994 6 * The Regents of the University of California. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 3. Neither the name of the University nor the names of its contributors 17 * may be used to endorse or promote products derived from this software 18 * without specific prior written permission. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 * SUCH DAMAGE. 31 */ 32 33#include <sys/types.h> 34#include <sys/stat.h> 35#include <sys/mount.h> 36 37#include <locale.h> 38#include <err.h> 39#include <errno.h> 40#include <fcntl.h> 41#include <fts.h> 42#include <stdio.h> 43#include <stdlib.h> 44#include <string.h> 45#include <unistd.h> 46#include <limits.h> 47#include <pwd.h> 48#include <grp.h> 49 50#define MAXIMUM(a, b) (((a) > (b)) ? (a) : (b)) 51 52extern char *__progname; 53 54static int eval, stdin_ok; 55 56static int check(char *, char *, struct stat *); 57static void checkdot(char **); 58static void rm_file(char **); 59static int rm_overwrite(char *, struct stat *); 60static int pass(int, off_t, char *, size_t); 61static void rm_tree(char **); 62 63static void __dead 64usage(void) 65{ 66 (void)fprintf(stderr, "usage: %s [-dfiPRr] file ...\n", __progname); 67 exit(1); 68} 69 70/* 71 * rm -- 72 * This rm is different from historic rm's, but is expected to match 73 * POSIX 1003.2 behavior. The most visible difference is that -f 74 * has two specific effects now, ignore non-existent files and force 75 * file removal. 76 */ 77int 78rmmain(int argc, char *argv[]) 79{ 80 if (pledge("stdio rpath cpath", NULL) == -1) 81 err(1, "pledge"); 82 83 checkdot(argv); 84 85 if (*argv) { 86 stdin_ok = isatty(STDIN_FILENO); 87 88 rm_tree(argv); 89 } 90 91 return (eval); 92} 93 94static void 95rm_tree(char **argv) 96{ 97 FTS *fts; 98 FTSENT *p; 99 int flags; 100 101 /* 102 * If the -i option is specified, the user can skip on the pre-order 103 * visit. The fts_number field flags skipped directories. 104 */ 105#define SKIPPED 1 106 107 flags = FTS_PHYSICAL; 108 flags |= FTS_NOSTAT; 109 if (!(fts = fts_open(argv, flags, NULL))) 110 err(1, NULL); 111 while ((p = fts_read(fts)) != NULL) { 112 switch (p->fts_info) { 113 case FTS_DNR: 114 if (p->fts_errno != ENOENT) { 115 warnx("%s: %s", 116 p->fts_path, strerror(p->fts_errno)); 117 eval = 1; 118 } 119 continue; 120 case FTS_ERR: 121 errc(1, p->fts_errno, "%s", p->fts_path); 122 case FTS_NS: 123 /* 124 * FTS_NS: assume that if can't stat the file, it 125 * can't be unlinked. 126 */ 127 break; 128 case FTS_D: 129 /* Pre-order: give user chance to skip. */ 130 continue; 131 case FTS_DP: 132 /* Post-order: see if user skipped. */ 133 if (p->fts_number == SKIPPED) 134 continue; 135 break; 136 default: 137 break; 138 } 139 140 /* 141 * If we can't read or search the directory, may still be 142 * able to remove it. Don't print out the un{read,search}able 143 * message unless the remove fails. 144 */ 145 switch (p->fts_info) { 146 case FTS_DP: 147 case FTS_DNR: 148 if (!rmdir(p->fts_accpath) || 149 (errno == ENOENT)) 150 continue; 151 break; 152 153 case FTS_F: 154 case FTS_NSOK: 155 default: 156 if (!unlink(p->fts_accpath) || 157 (errno == ENOENT)) 158 continue; 159 } 160 warn("%s", p->fts_path); 161 eval = 1; 162 } 163 if (errno) 164 err(1, "fts_read"); 165 fts_close(fts); 166} 167 168static void 169rm_file(char **argv) 170{ 171 struct stat sb; 172 int rval; 173 char *f; 174 175 /* 176 * Remove a file. POSIX 1003.2 states that, by default, attempting 177 * to remove a directory is an error, so must always stat the file. 178 */ 179 while ((f = *argv++) != NULL) { 180 /* Assume if can't stat the file, can't unlink it. */ 181 if (lstat(f, &sb)) { 182 if (errno != ENOENT) { 183 warn("%s", f); 184 eval = 1; 185 } 186 continue; 187 } 188 189 if (S_ISDIR(sb.st_mode)) { 190 warnx("%s: is a directory", f); 191 eval = 1; 192 continue; 193 } 194 if (S_ISDIR(sb.st_mode)) 195 rval = rmdir(f); 196 else { 197 rval = unlink(f); 198 } 199 if (rval && (errno != ENOENT)) { 200 warn("%s", f); 201 eval = 1; 202 } 203 } 204} 205 206/* 207 * rm_overwrite -- 208 * Overwrite the file with varying bit patterns. 209 * 210 * XXX 211 * This is a cheap way to *really* delete files. Note that only regular 212 * files are deleted, directories (and therefore names) will remain. 213 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a 214 * System V file system). In a logging file system, you'll have to have 215 * kernel support. 216 * Returns 1 for success. 217 */ 218static int 219rm_overwrite(char *file, struct stat *sbp) 220{ 221 struct stat sb, sb2; 222 struct statfs fsb; 223 size_t bsize; 224 int fd; 225 char *buf = NULL; 226 227 fd = -1; 228 if (sbp == NULL) { 229 if (lstat(file, &sb)) 230 goto err; 231 sbp = &sb; 232 } 233 if (!S_ISREG(sbp->st_mode)) 234 return (1); 235 if (sbp->st_nlink > 1) { 236 warnx("%s (inode %llu): not overwritten due to multiple links", 237 file, (unsigned long long)sbp->st_ino); 238 return (0); 239 } 240 if ((fd = open(file, O_WRONLY|O_NONBLOCK|O_NOFOLLOW, 0)) == -1) 241 goto err; 242 if (fstat(fd, &sb2)) 243 goto err; 244 if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino || 245 !S_ISREG(sb2.st_mode)) { 246 errno = EPERM; 247 goto err; 248 } 249 if (fstatfs(fd, &fsb) == -1) 250 goto err; 251 bsize = MAXIMUM(fsb.f_iosize, 1024U); 252 if ((buf = malloc(bsize)) == NULL) 253 err(1, "%s: malloc", file); 254 255 if (!pass(fd, sbp->st_size, buf, bsize)) 256 goto err; 257 if (fsync(fd)) 258 goto err; 259 close(fd); 260 free(buf); 261 return (1); 262 263err: 264 warn("%s", file); 265 close(fd); 266 eval = 1; 267 free(buf); 268 return (0); 269} 270 271static int 272pass(int fd, off_t len, char *buf, size_t bsize) 273{ 274 size_t wlen; 275 276 for (; len > 0; len -= wlen) { 277 wlen = len < bsize ? len : bsize; 278 arc4random_buf(buf, wlen); 279 if (write(fd, buf, wlen) != wlen) 280 return (0); 281 } 282 return (1); 283} 284 285static int 286check(char *path, char *name, struct stat *sp) 287{ 288 int ch, first; 289 char modep[15]; 290 291 /* 292 * If it's not a symbolic link and it's unwritable and we're 293 * talking to a terminal, ask. Symbolic links are excluded 294 * because their permissions are meaningless. Check stdin_ok 295 * first because we may not have stat'ed the file. 296 */ 297 if (!stdin_ok || S_ISLNK(sp->st_mode) || !access(name, W_OK) || 298 errno != EACCES) 299 return (1); 300 strmode(sp->st_mode, modep); 301 (void)fprintf(stderr, "override %s%s%s/%s for %s? ", 302 modep + 1, modep[9] == ' ' ? "" : " ", 303 user_from_uid(sp->st_uid, 0), 304 group_from_gid(sp->st_gid, 0), path); 305 (void)fflush(stderr); 306 307 first = ch = getchar(); 308 while (ch != '\n' && ch != EOF) 309 ch = getchar(); 310 return (first == 'y' || first == 'Y'); 311} 312 313/* 314 * POSIX.2 requires that if "." or ".." are specified as the basename 315 * portion of an operand, a diagnostic message be written to standard 316 * error and nothing more be done with such operands. 317 * 318 * Since POSIX.2 defines basename as the final portion of a path after 319 * trailing slashes have been removed, we'll remove them here. 320 */ 321#define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2]))) 322static void 323checkdot(char **argv) 324{ 325 char *p, **save, **t; 326 int complained; 327 328 complained = 0; 329 for (t = argv; *t;) { 330 /* strip trailing slashes */ 331 p = strrchr (*t, '\0'); 332 while (--p > *t && *p == '/') 333 *p = '\0'; 334 335 /* extract basename */ 336 if ((p = strrchr(*t, '/')) != NULL) 337 ++p; 338 else 339 p = *t; 340 341 if (ISDOT(p)) { 342 if (!complained++) 343 warnx("\".\" and \"..\" may not be removed"); 344 eval = 1; 345 for (save = t; (t[0] = t[1]) != NULL; ++t) 346 continue; 347 t = save; 348 } else 349 ++t; 350 } 351} 352