rm.c revision 1.3 
1/*	$OpenBSD: rm.c,v 1.3 2015/11/17 18:52:10 tedu Exp $	*/
2/*	$NetBSD: rm.c,v 1.19 1995/09/07 06:48:50 jtc Exp $	*/
3
4/*-
5 * Copyright (c) 1990, 1993, 1994
6 *	The Regents of the University of California.  All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 *    notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 * 3. Neither the name of the University nor the names of its contributors
17 *    may be used to endorse or promote products derived from this software
18 *    without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 * SUCH DAMAGE.
31 */
32
33#include <sys/types.h>
34#include <sys/stat.h>
35#include <sys/mount.h>
36
37#include <locale.h>
38#include <err.h>
39#include <errno.h>
40#include <fcntl.h>
41#include <fts.h>
42#include <stdio.h>
43#include <stdlib.h>
44#include <string.h>
45#include <unistd.h>
46#include <limits.h>
47#include <pwd.h>
48#include <grp.h>
49
50#define MAXIMUM(a, b)	(((a) > (b)) ? (a) : (b))
51
52extern char *__progname;
53
54static int eval, stdin_ok;
55
56static int	check(char *, char *, struct stat *);
57static void	checkdot(char **);
58static void	rm_file(char **);
59static int	rm_overwrite(char *, struct stat *);
60static int	pass(int, off_t, char *, size_t);
61static void	rm_tree(char **);
62
63static void __dead
64usage(void)
65{
66	(void)fprintf(stderr, "usage: %s [-dfiPRr] file ...\n", __progname);
67	exit(1);
68}
69
70/*
71 * rm --
72 *	This rm is different from historic rm's, but is expected to match
73 *	POSIX 1003.2 behavior.  The most visible difference is that -f
74 *	has two specific effects now, ignore non-existent files and force
75 * 	file removal.
76 */
77int
78rmmain(int argc, char *argv[])
79{
80	if (pledge("stdio rpath cpath", NULL) == -1)
81		err(1, "pledge");
82
83	checkdot(argv);
84
85	if (*argv) {
86		stdin_ok = isatty(STDIN_FILENO);
87
88		rm_tree(argv);
89	}
90
91	return (eval);
92}
93
94static void
95rm_tree(char **argv)
96{
97	FTS *fts;
98	FTSENT *p;
99	int flags;
100
101	/*
102	 * If the -i option is specified, the user can skip on the pre-order
103	 * visit.  The fts_number field flags skipped directories.
104	 */
105#define	SKIPPED	1
106
107	flags = FTS_PHYSICAL;
108	flags |= FTS_NOSTAT;
109	if (!(fts = fts_open(argv, flags, NULL)))
110		err(1, NULL);
111	while ((p = fts_read(fts)) != NULL) {
112		switch (p->fts_info) {
113		case FTS_DNR:
114			if (p->fts_errno != ENOENT) {
115				warnx("%s: %s",
116				    p->fts_path, strerror(p->fts_errno));
117				eval = 1;
118			}
119			continue;
120		case FTS_ERR:
121			errc(1, p->fts_errno, "%s", p->fts_path);
122		case FTS_NS:
123			/*
124			 * FTS_NS: assume that if can't stat the file, it
125			 * can't be unlinked.
126			 */
127			break;
128		case FTS_D:
129			/* Pre-order: give user chance to skip. */
130			continue;
131		case FTS_DP:
132			/* Post-order: see if user skipped. */
133			if (p->fts_number == SKIPPED)
134				continue;
135			break;
136		default:
137			break;
138		}
139
140		/*
141		 * If we can't read or search the directory, may still be
142		 * able to remove it.  Don't print out the un{read,search}able
143		 * message unless the remove fails.
144		 */
145		switch (p->fts_info) {
146		case FTS_DP:
147		case FTS_DNR:
148			if (!rmdir(p->fts_accpath) ||
149			    (errno == ENOENT))
150				continue;
151			break;
152
153		case FTS_F:
154		case FTS_NSOK:
155		default:
156			if (!unlink(p->fts_accpath) ||
157			    (errno == ENOENT))
158				continue;
159		}
160		warn("%s", p->fts_path);
161		eval = 1;
162	}
163	if (errno)
164		err(1, "fts_read");
165	fts_close(fts);
166}
167
168static void
169rm_file(char **argv)
170{
171	struct stat sb;
172	int rval;
173	char *f;
174
175	/*
176	 * Remove a file.  POSIX 1003.2 states that, by default, attempting
177	 * to remove a directory is an error, so must always stat the file.
178	 */
179	while ((f = *argv++) != NULL) {
180		/* Assume if can't stat the file, can't unlink it. */
181		if (lstat(f, &sb)) {
182			if (errno != ENOENT) {
183				warn("%s", f);
184				eval = 1;
185			}
186			continue;
187		}
188
189		if (S_ISDIR(sb.st_mode)) {
190			warnx("%s: is a directory", f);
191			eval = 1;
192			continue;
193		}
194		if (S_ISDIR(sb.st_mode))
195			rval = rmdir(f);
196		else {
197			rval = unlink(f);
198		}
199		if (rval && (errno != ENOENT)) {
200			warn("%s", f);
201			eval = 1;
202		}
203	}
204}
205
206/*
207 * rm_overwrite --
208 *	Overwrite the file with varying bit patterns.
209 *
210 * XXX
211 * This is a cheap way to *really* delete files.  Note that only regular
212 * files are deleted, directories (and therefore names) will remain.
213 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
214 * System V file system).  In a logging file system, you'll have to have
215 * kernel support.
216 * Returns 1 for success.
217 */
218static int
219rm_overwrite(char *file, struct stat *sbp)
220{
221	struct stat sb, sb2;
222	struct statfs fsb;
223	size_t bsize;
224	int fd;
225	char *buf = NULL;
226
227	fd = -1;
228	if (sbp == NULL) {
229		if (lstat(file, &sb))
230			goto err;
231		sbp = &sb;
232	}
233	if (!S_ISREG(sbp->st_mode))
234		return (1);
235	if (sbp->st_nlink > 1) {
236		warnx("%s (inode %llu): not overwritten due to multiple links",
237		    file, (unsigned long long)sbp->st_ino);
238		return (0);
239	}
240	if ((fd = open(file, O_WRONLY|O_NONBLOCK|O_NOFOLLOW, 0)) == -1)
241		goto err;
242	if (fstat(fd, &sb2))
243		goto err;
244	if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino ||
245	    !S_ISREG(sb2.st_mode)) {
246		errno = EPERM;
247		goto err;
248	}
249	if (fstatfs(fd, &fsb) == -1)
250		goto err;
251	bsize = MAXIMUM(fsb.f_iosize, 1024U);
252	if ((buf = malloc(bsize)) == NULL)
253		err(1, "%s: malloc", file);
254
255	if (!pass(fd, sbp->st_size, buf, bsize))
256		goto err;
257	if (fsync(fd))
258		goto err;
259	close(fd);
260	free(buf);
261	return (1);
262
263err:
264	warn("%s", file);
265	close(fd);
266	eval = 1;
267	free(buf);
268	return (0);
269}
270
271static int
272pass(int fd, off_t len, char *buf, size_t bsize)
273{
274	size_t wlen;
275
276	for (; len > 0; len -= wlen) {
277		wlen = len < bsize ? len : bsize;
278		arc4random_buf(buf, wlen);
279		if (write(fd, buf, wlen) != wlen)
280			return (0);
281	}
282	return (1);
283}
284
285static int
286check(char *path, char *name, struct stat *sp)
287{
288	int ch, first;
289	char modep[15];
290
291	/*
292	 * If it's not a symbolic link and it's unwritable and we're
293	 * talking to a terminal, ask.  Symbolic links are excluded
294	 * because their permissions are meaningless.  Check stdin_ok
295	 * first because we may not have stat'ed the file.
296	 */
297	if (!stdin_ok || S_ISLNK(sp->st_mode) || !access(name, W_OK) ||
298	    errno != EACCES)
299		return (1);
300	strmode(sp->st_mode, modep);
301	(void)fprintf(stderr, "override %s%s%s/%s for %s? ",
302	    modep + 1, modep[9] == ' ' ? "" : " ",
303	    user_from_uid(sp->st_uid, 0),
304	    group_from_gid(sp->st_gid, 0), path);
305	(void)fflush(stderr);
306
307	first = ch = getchar();
308	while (ch != '\n' && ch != EOF)
309		ch = getchar();
310	return (first == 'y' || first == 'Y');
311}
312
313/*
314 * POSIX.2 requires that if "." or ".." are specified as the basename
315 * portion of an operand, a diagnostic message be written to standard
316 * error and nothing more be done with such operands.
317 *
318 * Since POSIX.2 defines basename as the final portion of a path after
319 * trailing slashes have been removed, we'll remove them here.
320 */
321#define ISDOT(a)	((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
322static void
323checkdot(char **argv)
324{
325	char *p, **save, **t;
326	int complained;
327
328	complained = 0;
329	for (t = argv; *t;) {
330		/* strip trailing slashes */
331		p = strrchr (*t, '\0');
332		while (--p > *t && *p == '/')
333			*p = '\0';
334
335		/* extract basename */
336		if ((p = strrchr(*t, '/')) != NULL)
337			++p;
338		else
339			p = *t;
340
341		if (ISDOT(p)) {
342			if (!complained++)
343				warnx("\".\" and \"..\" may not be removed");
344			eval = 1;
345			for (save = t; (t[0] = t[1]) != NULL; ++t)
346				continue;
347			t = save;
348		} else
349			++t;
350	}
351}
352