1 /* $NetBSD: rm.c,v 1.53 2013/04/26 18:43:22 christos Exp $ */ 2 3 /*- 4 * Copyright (c) 1990, 1993, 1994, 2003 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32 #include <sys/cdefs.h> 33 #ifndef lint 34 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\ 35 The Regents of the University of California. All rights reserved."); 36 #endif /* not lint */ 37 38 #ifndef lint 39 #if 0 40 static char sccsid[] = "@(#)rm.c 8.8 (Berkeley) 4/27/95"; 41 #else 42 __RCSID("$NetBSD: rm.c,v 1.53 2013/04/26 18:43:22 christos Exp $"); 43 #endif 44 #endif /* not lint */ 45 46 #include <sys/param.h> 47 #include <sys/stat.h> 48 #include <sys/types.h> 49 50 #include <err.h> 51 #include <errno.h> 52 #include <fcntl.h> 53 #include <fts.h> 54 #include <grp.h> 55 #include <locale.h> 56 #include <pwd.h> 57 #include <signal.h> 58 #include <stdio.h> 59 #include <stdlib.h> 60 #include <string.h> 61 #include <unistd.h> 62 63 static int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag; 64 static int xflag; 65 static sig_atomic_t pinfo; 66 67 static int check(char *, char *, struct stat *); 68 static void checkdot(char **); 69 static void progress(int); 70 static void rm_file(char **); 71 static int rm_overwrite(char *, struct stat *); 72 static void rm_tree(char **); 73 __dead static void usage(void); 74 75 /* 76 * For the sake of the `-f' flag, check whether an error number indicates the 77 * failure of an operation due to an non-existent file, either per se (ENOENT) 78 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR). 79 */ 80 #define NONEXISTENT(x) \ 81 ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR) 82 83 /* 84 * rm -- 85 * This rm is different from historic rm's, but is expected to match 86 * POSIX 1003.2 behavior. The most visible difference is that -f 87 * has two specific effects now, ignore non-existent files and force 88 * file removal. 89 */ 90 int 91 main(int argc, char *argv[]) 92 { 93 int ch, rflag; 94 95 setprogname(argv[0]); 96 (void)setlocale(LC_ALL, ""); 97 98 Pflag = rflag = xflag = 0; 99 while ((ch = getopt(argc, argv, "dfiPRrvWx")) != -1) 100 switch (ch) { 101 case 'd': 102 dflag = 1; 103 break; 104 case 'f': 105 fflag = 1; 106 iflag = 0; 107 break; 108 case 'i': 109 fflag = 0; 110 iflag = 1; 111 break; 112 case 'P': 113 Pflag = 1; 114 break; 115 case 'R': 116 case 'r': /* Compatibility. */ 117 rflag = 1; 118 break; 119 case 'v': 120 vflag = 1; 121 break; 122 case 'x': 123 xflag = 1; 124 break; 125 #ifndef __ANDROID__ 126 case 'W': 127 Wflag = 1; 128 break; 129 #endif 130 case '?': 131 default: 132 usage(); 133 } 134 argc -= optind; 135 argv += optind; 136 137 if (argc < 1) { 138 if (fflag) 139 return 0; 140 usage(); 141 } 142 143 (void)signal(SIGINFO, progress); 144 145 checkdot(argv); 146 147 if (*argv) { 148 stdin_ok = isatty(STDIN_FILENO); 149 150 if (rflag) 151 rm_tree(argv); 152 else 153 rm_file(argv); 154 } 155 156 exit(eval); 157 /* NOTREACHED */ 158 } 159 160 static void 161 rm_tree(char **argv) 162 { 163 FTS *fts; 164 FTSENT *p; 165 int flags, needstat, rval; 166 167 /* 168 * Remove a file hierarchy. If forcing removal (-f), or interactive 169 * (-i) or can't ask anyway (stdin_ok), don't stat the file. 170 */ 171 needstat = !fflag && !iflag && stdin_ok; 172 173 /* 174 * If the -i option is specified, the user can skip on the pre-order 175 * visit. The fts_number field flags skipped directories. 176 */ 177 #define SKIPPED 1 178 179 flags = FTS_PHYSICAL; 180 if (!needstat) 181 flags |= FTS_NOSTAT; 182 #ifndef __ANDROID__ 183 if (Wflag) 184 flags |= FTS_WHITEOUT; 185 #endif 186 if (xflag) 187 flags |= FTS_XDEV; 188 if ((fts = fts_open(argv, flags, NULL)) == NULL) 189 err(1, "fts_open failed"); 190 while ((p = fts_read(fts)) != NULL) { 191 192 switch (p->fts_info) { 193 case FTS_DNR: 194 if (!fflag || p->fts_errno != ENOENT) { 195 warnx("%s: %s", p->fts_path, 196 strerror(p->fts_errno)); 197 eval = 1; 198 } 199 continue; 200 case FTS_ERR: 201 errx(EXIT_FAILURE, "%s: %s", p->fts_path, 202 strerror(p->fts_errno)); 203 /* NOTREACHED */ 204 case FTS_NS: 205 /* 206 * FTS_NS: assume that if can't stat the file, it 207 * can't be unlinked. 208 */ 209 if (fflag && NONEXISTENT(p->fts_errno)) 210 continue; 211 if (needstat) { 212 warnx("%s: %s", p->fts_path, 213 strerror(p->fts_errno)); 214 eval = 1; 215 continue; 216 } 217 break; 218 case FTS_D: 219 /* Pre-order: give user chance to skip. */ 220 if (!fflag && !check(p->fts_path, p->fts_accpath, 221 p->fts_statp)) { 222 (void)fts_set(fts, p, FTS_SKIP); 223 p->fts_number = SKIPPED; 224 } 225 continue; 226 case FTS_DP: 227 /* Post-order: see if user skipped. */ 228 if (p->fts_number == SKIPPED) 229 continue; 230 break; 231 default: 232 if (!fflag && 233 !check(p->fts_path, p->fts_accpath, p->fts_statp)) 234 continue; 235 } 236 237 rval = 0; 238 /* 239 * If we can't read or search the directory, may still be 240 * able to remove it. Don't print out the un{read,search}able 241 * message unless the remove fails. 242 */ 243 switch (p->fts_info) { 244 case FTS_DP: 245 case FTS_DNR: 246 rval = rmdir(p->fts_accpath); 247 if (rval != 0 && fflag && errno == ENOENT) 248 continue; 249 break; 250 251 #ifndef __ANDROID__ 252 case FTS_W: 253 rval = undelete(p->fts_accpath); 254 if (rval != 0 && fflag && errno == ENOENT) 255 continue; 256 break; 257 #endif 258 259 default: 260 if (Pflag) { 261 if (rm_overwrite(p->fts_accpath, NULL)) 262 continue; 263 } 264 rval = unlink(p->fts_accpath); 265 if (rval != 0 && fflag && NONEXISTENT(errno)) 266 continue; 267 break; 268 } 269 if (rval != 0) { 270 warn("%s", p->fts_path); 271 eval = 1; 272 } else if (vflag || pinfo) { 273 pinfo = 0; 274 (void)printf("%s\n", p->fts_path); 275 } 276 } 277 if (errno) 278 err(1, "fts_read"); 279 fts_close(fts); 280 } 281 282 static void 283 rm_file(char **argv) 284 { 285 struct stat sb; 286 int rval; 287 char *f; 288 289 /* 290 * Remove a file. POSIX 1003.2 states that, by default, attempting 291 * to remove a directory is an error, so must always stat the file. 292 */ 293 while ((f = *argv++) != NULL) { 294 /* Assume if can't stat the file, can't unlink it. */ 295 if (lstat(f, &sb)) { 296 #ifndef __ANDROID__ 297 if (Wflag) { 298 sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR; 299 } else { 300 #endif 301 if (!fflag || !NONEXISTENT(errno)) { 302 warn("%s", f); 303 eval = 1; 304 } 305 continue; 306 #ifndef __ANDROID__ 307 } 308 } else if (Wflag) { 309 warnx("%s: %s", f, strerror(EEXIST)); 310 eval = 1; 311 continue; 312 #endif 313 } 314 315 if (S_ISDIR(sb.st_mode) && !dflag) { 316 warnx("%s: is a directory", f); 317 eval = 1; 318 continue; 319 } 320 if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb)) 321 continue; 322 #ifndef __ANDROID__ 323 if (S_ISWHT(sb.st_mode)) 324 rval = undelete(f); 325 else if (S_ISDIR(sb.st_mode)) 326 #else 327 if (S_ISDIR(sb.st_mode)) 328 #endif 329 rval = rmdir(f); 330 else { 331 if (Pflag) { 332 if (rm_overwrite(f, &sb)) 333 continue; 334 } 335 rval = unlink(f); 336 } 337 if (rval && (!fflag || !NONEXISTENT(errno))) { 338 warn("%s", f); 339 eval = 1; 340 } 341 if (vflag && rval == 0) 342 (void)printf("%s\n", f); 343 } 344 } 345 346 /* 347 * rm_overwrite -- 348 * Overwrite the file 3 times with varying bit patterns. 349 * 350 * This is an expensive way to keep people from recovering files from your 351 * non-snapshotted FFS filesystems using fsdb(8). Really. No more. Only 352 * regular files are deleted, directories (and therefore names) will remain. 353 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a 354 * System V file system). In a logging file system, you'll have to have 355 * kernel support. 356 * 357 * A note on standards: U.S. DoD 5220.22-M "National Industrial Security 358 * Program Operating Manual" ("NISPOM") is often cited as a reference 359 * for clearing and sanitizing magnetic media. In fact, a matrix of 360 * "clearing" and "sanitization" methods for various media was given in 361 * Chapter 8 of the original 1995 version of NISPOM. However, that 362 * matrix was *removed from the document* when Chapter 8 was rewritten 363 * in Change 2 to the document in 2001. Recently, the Defense Security 364 * Service has made a revised clearing and sanitization matrix available 365 * in Microsoft Word format on the DSS web site. The standardization 366 * status of this matrix is unclear. Furthermore, one must be very 367 * careful when referring to this matrix: it is intended for the "clearing" 368 * prior to reuse or "sanitization" prior to disposal of *entire media*, 369 * not individual files and the only non-physically-destructive method of 370 * "sanitization" that is permitted for magnetic disks of any kind is 371 * specifically noted to be prohibited for media that have contained 372 * Top Secret data. 373 * 374 * It is impossible to actually conform to the exact procedure given in 375 * the matrix if one is overwriting a file, not an entire disk, because 376 * the procedure requires examination and comparison of the disk's defect 377 * lists. Any program that claims to securely erase *files* while 378 * conforming to the standard, then, is not correct. We do as much of 379 * what the standard requires as can actually be done when erasing a 380 * file, rather than an entire disk; but that does not make us conformant. 381 * 382 * Furthermore, the presence of track caches, disk and controller write 383 * caches, and so forth make it extremely difficult to ensure that data 384 * have actually been written to the disk, particularly when one tries 385 * to repeatedly overwrite the same sectors in quick succession. We call 386 * fsync(), but controllers with nonvolatile cache, as well as IDE disks 387 * that just plain lie about the stable storage of data, will defeat this. 388 * 389 * Finally, widely respected research suggests that the given procedure 390 * is nowhere near sufficient to prevent the recovery of data using special 391 * forensic equipment and techniques that are well-known. This is 392 * presumably one reason that the matrix requires physical media destruction, 393 * rather than any technique of the sort attempted here, for secret data. 394 * 395 * Caveat Emptor. 396 * 397 * rm_overwrite will return 0 on success. 398 */ 399 400 static int 401 rm_overwrite(char *file, struct stat *sbp) 402 { 403 struct stat sb, sb2; 404 int fd, randint; 405 char randchar; 406 407 fd = -1; 408 if (sbp == NULL) { 409 if (lstat(file, &sb)) 410 goto err; 411 sbp = &sb; 412 } 413 if (!S_ISREG(sbp->st_mode)) 414 return 0; 415 416 /* flags to try to defeat hidden caching by forcing seeks */ 417 if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC|O_NOFOLLOW, 0)) == -1) 418 goto err; 419 420 if (fstat(fd, &sb2)) { 421 goto err; 422 } 423 424 if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino || 425 !S_ISREG(sb2.st_mode)) { 426 errno = EPERM; 427 goto err; 428 } 429 430 #define RAND_BYTES 1 431 #define THIS_BYTE 0 432 433 #define WRITE_PASS(mode, byte) do { \ 434 off_t len; \ 435 size_t wlen, i; \ 436 char buf[8 * 1024]; \ 437 \ 438 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 439 goto err; \ 440 \ 441 if (mode == THIS_BYTE) \ 442 memset(buf, byte, sizeof(buf)); \ 443 for (len = sbp->st_size; len > 0; len -= wlen) { \ 444 if (mode == RAND_BYTES) { \ 445 for (i = 0; i < sizeof(buf); \ 446 i+= sizeof(u_int32_t)) \ 447 *(int *)(buf + i) = arc4random(); \ 448 } \ 449 wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \ 450 if ((size_t)write(fd, buf, wlen) != wlen) \ 451 goto err; \ 452 } \ 453 sync(); /* another poke at hidden caches */ \ 454 } while (/* CONSTCOND */ 0) 455 456 #define READ_PASS(byte) do { \ 457 off_t len; \ 458 size_t rlen; \ 459 char pattern[8 * 1024]; \ 460 char buf[8 * 1024]; \ 461 \ 462 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \ 463 goto err; \ 464 \ 465 memset(pattern, byte, sizeof(pattern)); \ 466 for(len = sbp->st_size; len > 0; len -= rlen) { \ 467 rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \ 468 if((size_t)read(fd, buf, rlen) != rlen) \ 469 goto err; \ 470 if(memcmp(buf, pattern, rlen)) \ 471 goto err; \ 472 } \ 473 sync(); /* another poke at hidden caches */ \ 474 } while (/* CONSTCOND */ 0) 475 476 /* 477 * DSS sanitization matrix "clear" for magnetic disks: 478 * option 'c' "Overwrite all addressable locations with a single 479 * character." 480 */ 481 randint = arc4random(); 482 randchar = *(char *)&randint; 483 WRITE_PASS(THIS_BYTE, randchar); 484 485 /* 486 * DSS sanitization matrix "sanitize" for magnetic disks: 487 * option 'd', sub 2 "Overwrite all addressable locations with a 488 * character, then its complement. Verify "complement" character 489 * was written successfully to all addressable locations, then 490 * overwrite all addressable locations with random characters; or 491 * verify third overwrite of random characters." The rest of the 492 * text in d-sub-2 specifies requirements for overwriting spared 493 * sectors; we cannot conform to it when erasing only a file, thus 494 * we do not conform to the standard. 495 */ 496 497 /* 1. "a character" */ 498 WRITE_PASS(THIS_BYTE, 0xff); 499 500 /* 2. "its complement" */ 501 WRITE_PASS(THIS_BYTE, 0x00); 502 503 /* 3. "Verify 'complement' character" */ 504 READ_PASS(0x00); 505 506 /* 4. "overwrite all addressable locations with random characters" */ 507 508 WRITE_PASS(RAND_BYTES, 0x00); 509 510 /* 511 * As the file might be huge, and we note that this revision of 512 * the matrix says "random characters", not "a random character" 513 * as the original did, we do not verify the random-character 514 * write; the "or" in the standard allows this. 515 */ 516 517 if (close(fd) == -1) { 518 fd = -1; 519 goto err; 520 } 521 522 return 0; 523 524 err: eval = 1; 525 warn("%s", file); 526 if (fd != -1) 527 close(fd); 528 return 1; 529 } 530 531 static int 532 check(char *path, char *name, struct stat *sp) 533 { 534 int ch, first; 535 char modep[15]; 536 537 /* Check -i first. */ 538 if (iflag) 539 (void)fprintf(stderr, "remove '%s'? ", path); 540 else { 541 /* 542 * If it's not a symbolic link and it's unwritable and we're 543 * talking to a terminal, ask. Symbolic links are excluded 544 * because their permissions are meaningless. Check stdin_ok 545 * first because we may not have stat'ed the file. 546 */ 547 if (!stdin_ok || S_ISLNK(sp->st_mode) || 548 !(access(name, W_OK) && (errno != ETXTBSY))) 549 return (1); 550 strmode(sp->st_mode, modep); 551 if (Pflag) { 552 warnx( 553 "%s: -P was specified but file could not" 554 " be overwritten", path); 555 return 0; 556 } 557 (void)fprintf(stderr, "override %s%s%s:%s for '%s'? ", 558 modep + 1, modep[9] == ' ' ? "" : " ", 559 user_from_uid(sp->st_uid, 0), 560 group_from_gid(sp->st_gid, 0), path); 561 } 562 (void)fflush(stderr); 563 564 first = ch = getchar(); 565 while (ch != '\n' && ch != EOF) 566 ch = getchar(); 567 return (first == 'y' || first == 'Y'); 568 } 569 570 /* 571 * POSIX.2 requires that if "." or ".." are specified as the basename 572 * portion of an operand, a diagnostic message be written to standard 573 * error and nothing more be done with such operands. 574 * 575 * Since POSIX.2 defines basename as the final portion of a path after 576 * trailing slashes have been removed, we'll remove them here. 577 */ 578 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2]))) 579 static void 580 checkdot(char **argv) 581 { 582 char *p, **save, **t; 583 int complained; 584 585 complained = 0; 586 for (t = argv; *t;) { 587 /* strip trailing slashes */ 588 p = strrchr(*t, '\0'); 589 while (--p > *t && *p == '/') 590 *p = '\0'; 591 592 /* extract basename */ 593 if ((p = strrchr(*t, '/')) != NULL) 594 ++p; 595 else 596 p = *t; 597 598 if (ISDOT(p)) { 599 if (!complained++) 600 warnx("\".\" and \"..\" may not be removed"); 601 eval = 1; 602 for (save = t; (t[0] = t[1]) != NULL; ++t) 603 continue; 604 t = save; 605 } else 606 ++t; 607 } 608 } 609 610 static void 611 usage(void) 612 { 613 614 (void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvWx] file ...\n", 615 getprogname()); 616 exit(1); 617 /* NOTREACHED */ 618 } 619 620 static void 621 progress(int sig __unused) 622 { 623 624 pinfo++; 625 } 626