| blob | e8b7c8d0807cab12f50cda8ce71e6a2945f0ee3e |
1 /* TODO:
2 - use consistent non-capitalization in error messages
3 - add standard GNU copyleft comment
5 - Add -r/-R/--recursive
6 - Add -i/--interactive
7 - Reserve -d
8 - Add -L
9 - Deal with the amazing variety of gettimeofday() implementation bugs.
10 (Some systems use a one-arg form; still others insist that the timezone
11 either be NULL or be non-NULL. Whee.)
12 - Add an unlink-all option to emulate rm.
13 */
15 /*
16 * shred.c - by Colin Plumb.
17 *
18 * Do a securer overwrite of given files or devices, to make it harder
19 * for even very expensive hardware probing to recover the data.
20 *
21 * Although this process is also known as "wiping", I prefer the longer
22 * name both because I think it is more evocative of what is happening and
23 * because a longer name conveys a more appropriate sense of deliberateness.
24 *
25 * For the theory behind this, see "Secure Deletion of Data from Magnetic
26 * and Solid-State Memory", on line at
27 * http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
28 *
29 * Just for the record, reversing one or two passes of disk overwrite
30 * is not terribly difficult with hardware help. Hook up a good-quality
31 * digitizing oscilloscope to the output of the head preamplifier and copy
32 * the high-res digitized data to a computer for some off-line analysis.
33 * Read the "current" data and average all the pulses together to get an
34 * "average" pulse on the disk. Subtract this average pulse from all of
35 * the actual pulses and you can clearly see the "echo" of the previous
36 * data on the disk.
37 *
38 * Real hard drives have to balance the cost of the media, the head,
39 * and the read circuitry. They use better-quality media than absolutely
40 * necessary to limit the cost of the read circuitry. By throwing that
41 * assumption out, and the assumption that you want the data processed
42 * as fast as the hard drive can spin, you can do better.
43 *
44 * If asked to wipe a file, this also unlinks it, renaming it to in a
45 * clever way to try to leave no trace of the original filename.
46 *
47 * Copyright 1997, 1998, 1999 Colin Plumb <colin@nyx.net>. This program
48 * may be freely distributed under the terms of the GNU GPL, the BSD license,
49 * or Larry Wall's "Artistic License" Even if you use the BSD license,
50 * which does not require it, I'd really like to get improvements back.
51 *
52 * The ISAAC code still bears some resemblance to the code written
53 * by Bob Jenkins, but he permits pretty unlimited use.
54 *
55 * This was inspired by a desire to improve on some code titled:
56 * Wipe V1.0-- Overwrite and delete files. S. 2/3/96
57 * but I've rewritten everything here so completely that no trace of
58 * the original remains.
59 *
60 * Thanks to:
61 * Bob Jenkins, for his good RNG work and patience with the FSF copyright
62 * paperwork.
63 * Jim Meyering, for his work merging this into the GNU fileutils while
64 * still letting me feel a sense of ownership and pride. Getting me to
65 * tolerate the GNU brace style was quite a feat of diplomacy.
66 * Paul Eggert, for lots of useful discussion and code. I disagree with
67 * an awful lot of his suggestions, but they're disagreements worth having.
68 *
69 * Things to think about:
70 * - Security: Is there any risk to the race
71 * between overwriting and unlinking a file? Will it do anything
72 * drastically bad if told to attack a named pipe or socket?
73 */
75 /* The official name of this program (e.g., no `g' prefix). */
80 #if HAVE_CONFIG_H
81 # include <config.h>
82 #endif
84 #include <getopt.h>
85 #include <stdio.h>
86 #include <setjmp.h>
87 #include <signal.h>
89 #if HAVE_CONFIG_H
90 /* Default fileutils build */
101 /*
102 * Standalone build - this file compiles by itself without autoconf and
103 * the like. No i18n, and I still have to write a stub for getopt_long,
104 * but it's a lot less intertwingled than the usual GNU utilities.
105 */
111 # include <errno.h>
120 # if __GNUC__ < 2 || __GNUC__ == 2 && __GNUC_MINOR__ < 5 || __STRICT_ANSI__
121 # define attribute(x)
122 # else
123 # define attribute __attribute__
124 # if __GNUC__ == 2 && __GNUC_MINOR__ < 7
125 /* The __-protected forms were introduced in GCC 2.6.4 */
126 # define __format__ format
127 # define __printf__ printf
128 # endif
129 # endif
131 /* Reasonable default assumptions for time-getting */
132 # ifndef HAVE_GETTIMEOFDAY
134 # endif
136 # ifdef CLOCK_REALTIME
137 # ifndef HAVE_CLOCK_GETTIME
138 # define HAVE_CLOCK_GETTIME 1
139 # endif
140 # endif
142 # ifndef STDOUT_FILENO
143 # define STDOUT_FILENO 1
144 # endif
146 # define RETSIGTYPE int
148 # ifndef S_IWUSR
149 # ifdef S_IWRITE
150 # define S_IWUSR S_IWRITE
151 # else
152 # define S_IWUSR 0200
153 # endif
154 # endif
156 /* POSIX doesn't require st_blksize, and 65536 is a reasonable
157 upper bound for existing filesystem practice. */
158 # define ST_BLKSIZE(Stat) 65536
160 # define uintmax_t unsigned long
162 /* Variant human-readable function that ignores last two args */
164 # define LONGEST_HUMAN_READABLE (sizeof (uintmax_t) * CHAR_BIT / 3)
166 /* Variant convert-to-uintmax_t function that accepts metric suffixes */
167 enum strtol_error
168 {
170 };
171 static uintmax_t
174 {
193 /* Now deal with metric-style suffixes */
199 {
221 /*FALLTHROUGH*/
226 /*
227 * If valid_suffixes contains '0', then xD (decimal) and xB (binary)
228 * are allowed as "supersuffixes". Binary is the default.
229 */
231 {
233 end_ptr++;
235 {
237 end_ptr++;
238 }
239 }
240 /* Now do the scaling */
241 p++;
248 else
254 }
256 /* Final wrapup */
263 }
265 /* Dummy i18n stubs */
266 # define _(x) x
267 # define N_(x) x
268 # define setlocale(x,y) (void) 0
269 # define bindtextdomain(x,y) (void) 0
270 # define textdomain(x) (void) 0
272 /*
273 * Print a message with `fprintf (stderr, FORMAT, ...)';
274 * if ERRNUM is nonzero, follow it with ": " and strerror (ERRNUM).
275 * If STATUS is nonzero, terminate the program with `exit (STATUS)'.
276 */
281 static void
283 {
287 {
290 }
295 {
298 }
303 }
305 /*
306 * GNU programs actually check for failure closing standard output.
307 * This seems unnecessary, until your shell script starts hitting
308 * ENOSPC and doing bizarre things with zero-length files.
309 */
310 static void
312 {
317 }
319 /*
320 * Quote the argument (including colon characters) into the buffer.
321 * Return the buffer size used (including trailing null byte.)
322 * If this is larger than the bufsize, it is an estimate of the space
323 * needed.
324 */
325 static size_t
327 {
328 /* Some systems don't have \a or \e, so this is ASCII-dependent */
336 {
338 {
341 }
342 else
343 {
347 {
349 }
350 else
351 {
359 }
360 }
362 }
365 }
367 /* Quote metacharacters in a filename */
370 {
376 {
381 }
383 }
387 {
392 }
396 {
398 }
402 #ifndef O_NOCTTY
404 #endif
406 /* Some systems don't support some file types. */
407 #ifndef S_ISFIFO
408 # define S_ISFIFO(mode) 0
409 #endif
410 #ifndef S_ISLNK
411 # define S_ISLNK(mode) 0
412 #endif
413 #ifndef S_ISSOCK
414 # define S_ISSOCK(mode) 0
415 #endif
419 /* How often to update wiping display */
420 #define VERBOSE_UPDATE 150*1024
422 /* If positive, the units to use when printing sizes;
423 if negative, the human-readable base. */
424 #define OUTPUT_BLOCK_SIZE (-1024)
426 struct Options
427 {
435 };
438 {
449 };
451 /* Global variable for error printing purposes */
454 void
456 {
459 program_name);
460 else
461 {
480 }
482 }
484 #if ! HAVE_FDATASYNC
485 # define fdatasync(fd) -1
486 #endif
488 /*
489 * --------------------------------------------------------------------
490 * Bob Jenkins' cryptographic random number generator, ISAAC.
491 * Hacked by Colin Plumb.
492 *
493 * We need a source of random numbers for some of the overwrite data.
494 * Cryptographically secure is desirable, but it's not life-or-death
495 * so I can be a little bit experimental in the choice of RNGs here.
496 *
497 * This generator is based somewhat on RC4, but has analysis
498 * (http://ourworld.compuserve.com/homepages/bob_jenkins/randomnu.htm)
499 * pointing to it actually being better. I like it because it's nice
500 * and fast, and because the author did good work analyzing it.
501 * --------------------------------------------------------------------
502 */
504 #if ULONG_MAX == 0xffffffff
506 #else
507 # if UINT_MAX == 0xffffffff
509 # else
510 # if USHRT_MAX == 0xffffffff
512 # else
513 # if UCHAR_MAX == 0xffffffff
515 # else
516 "No 32-bit type available!"
517 # endif
518 # endif
519 # endif
520 #endif
522 /* Size of the state tables to use. (You may change ISAAC_LOG) */
523 #define ISAAC_LOG 8
524 #define ISAAC_WORDS (1 << ISAAC_LOG)
525 #define ISAAC_BYTES (ISAAC_WORDS * sizeof (word32))
527 /* RNG state variables */
528 struct isaac_state
529 {
533 };
535 /* This index operation is more efficient on many processors */
536 #define ind(mm, x) \
537 (* (word32 *) ((char *) (mm) + ((x) & (ISAAC_WORDS - 1) * sizeof (word32))))
539 /*
540 * The central step. This uses two temporaries, x and y. mm is the
541 * whole state array, while m is a pointer to the current word. off is
542 * the offset from m to the word ISAAC_WORDS/2 words away in the mm array,
543 * i.e. +/- ISAAC_WORDS/2.
544 */
545 #define isaac_step(mix, a, b, mm, m, off, r) \
546 ( \
547 a = ((a) ^ (mix)) + (m)[off], \
548 x = *(m), \
549 *(m) = y = ind (mm, x) + (a) + (b), \
550 *(r) = b = ind (mm, (y) >> ISAAC_LOG) + x \
551 )
553 /*
554 * Refill the entire R array, and update S.
555 */
556 static void
558 {
566 do
567 {
573 }
575 do
576 {
582 }
586 }
588 /*
589 * The basic seed-scrambling step for initialization, based on Bob
590 * Jenkins' 256-bit hash.
591 */
592 #define mix(a,b,c,d,e,f,g,h) \
593 ( a ^= b << 11, d += a, \
594 b += c, b ^= c >> 2, e += b, \
595 c += d, c ^= d << 8, f += c, \
596 d += e, d ^= e >> 16, g += d, \
597 e += f, e ^= f << 10, h += e, \
598 f += g, f ^= g >> 4, a += f, \
599 g += h, g ^= h << 8, b += g, \
600 h += a, h ^= a >> 9, c += h, \
601 a += b )
603 /* The basic ISAAC initialization pass. */
604 static void
606 {
618 {
638 }
648 }
651 /*
652 * Initialize the ISAAC RNG with the given seed material.
653 * Its size MUST be a multiple of ISAAC_BYTES, and may be
654 * stored in the s->mm array.
655 *
656 * This is a generalization of the original ISAAC initialization code
657 * to support larger seed sizes. For seed sizes of 0 and ISAAC_BYTES,
658 * it is identical.
659 */
660 static void
662 {
664 {
669 # if 0
670 /* The initialization of iv is a precomputed form of: */
675 # endif
682 {
683 /* First pass (as in reference ISAAC code) */
685 /* Second and subsequent passes (extension to ISAAC) */
687 {
692 }
693 }
694 else
695 {
696 /* The no seed case (as in reference ISAAC code) */
699 }
701 /* Final pass */
703 }
704 #endif
706 /* Start seeding an ISAAC structire */
707 static void
709 {
711 {
714 };
717 #if 0
718 /* The initialization of iv is a precomputed form of: */
723 #endif
726 /* We could initialize s->mm to zero, but why bother? */
728 /* s->c gets used for a data pointer during the seeding phase */
730 }
732 /* Add a buffer of seed material */
733 static void
735 {
742 /* Do any full buffers that are necessary */
744 {
753 }
755 /* And the final partial block */
760 }
763 /* End of seeding phase; get everything ready to produce output. */
764 static void
766 {
769 /* Now reinitialize c to start things off right */
771 }
772 #define ISAAC_SEED(s,x) isaac_seed_data (s, &(x), sizeof (x))
775 #if __GNUC__ >= 2 && (__i386__ || __alpha__ || _ARCH_PPC)
776 /*
777 * Many processors have very-high-resolution timer registers,
778 * The timer registers can be made inaccessible, so we have to deal with the
779 * possibility of SIGILL while we're working.
780 */
782 static RETSIGTYPE
784 {
787 }
789 static void
791 {
794 /* This is how one does try/except in C */
797 {
799 }
800 else
801 {
802 # if __i386__
805 # endif
806 # if __alpha__
809 # endif
810 # if _ARCH_PPC
811 word32 t;
813 # endif
814 # if __mips
815 /* Code not used because this is not accessible from userland */
816 word32 t;
818 # endif
819 # if __sparc__
820 /* This doesn't compile on all platforms yet. How to fix? */
823 # endif
826 }
827 }
831 /* Do-nothing stub */
832 # define isaac_seed_machdep(s) (void) 0
837 /*
838 * Get seed material. 16 bytes (128 bits) is plenty, but if we have
839 * /dev/urandom, we get 32 bytes = 256 bits for complete overkill.
840 */
841 static void
843 {
851 {
852 #if HAVE_GETHRTIME
855 #else
859 # else
860 # if HAVE_GETTIMEOFDAY
863 # else
866 # endif
867 # endif
868 #endif
870 }
874 {
878 {
882 }
883 else
884 {
887 {
888 /* /dev/random is more precious, so use less */
892 }
893 }
894 }
897 }
899 /* Single-word RNG built on top of ISAAC */
900 struct irand_state
901 {
905 };
907 static void
909 {
912 }
914 /*
915 * We take from the end of the block deliberately, so if we need
916 * only a small number of values, we choose the final ones which are
917 * marginally better mixed than the initial ones.
918 */
919 static word32
921 {
923 {
926 }
928 }
930 /*
931 * Return a uniformly distributed random number between 0 and n,
932 * inclusive. Thus, the result is modulo n+1.
933 *
934 * Theory of operation: as x steps through every possible 32-bit number,
935 * x % n takes each value at least 2^32 / n times (rounded down), but
936 * the values less than 2^32 % n are taken one additional time. Thus,
937 * x % n is not perfectly uniform. To fix this, the values of x less
938 * than 2^32 % n are disallowed, and if the RNG produces one, we ask
939 * for a new value.
940 */
941 static word32
943 {
944 word32 x;
945 word32 lim;
951 do
952 {
954 }
957 }
959 /*
960 * Fill a buffer with a fixed pattern.
961 *
962 * The buffer must be at least 3 bytes long, even if
963 * size is less. Larger sizes are filled exactly.
964 */
965 static void
967 {
980 /* Invert the first bit of every 512-byte sector. */
984 }
986 /*
987 * Fill a buffer with random data.
988 * size is rounded UP to a multiple of ISAAC_BYTES.
989 */
990 static void
992 {
996 {
999 }
1000 }
1002 /*
1003 * Generate a 6-character (+ nul) pass name string
1004 * FIXME: allow translation of "random".
1005 */
1006 #define PASS_NAME_SIZE 7
1007 static void
1009 {
1012 else
1014 }
1016 /*
1017 * Do pass number k of n, writing "size" bytes of the given pattern "type"
1018 * to the file descriptor fd. Qname, k and n are passed in only for verbose
1019 * progress message purposes. If n == 0, no progress messages are printed.
1020 *
1021 * If *sizep == -1, the size is unknown, and it will be filled in as soon
1022 * as writing fails.
1023 */
1024 static int
1027 {
1034 #if ISAAC_WORDS > 1024
1036 #else
1038 #endif
1042 {
1045 }
1047 /* Constant fill patterns need only be set up once. */
1049 {
1052 {
1054 }
1057 }
1058 else
1059 {
1061 }
1063 /* Set position if first status update */
1066 {
1071 }
1075 {
1076 /* How much to write this time? */
1079 {
1083 }
1086 /* Loop to retry partial writes. */
1088 {
1091 {
1094 {
1095 /* Ah, we have found the end of the file */
1098 }
1099 else
1100 {
1104 qname,
1107 /*
1108 * I sometimes use shred on bad media, before throwing it
1109 * out. Thus, I don't want it to give up on bad blocks.
1110 * This code assumes 512-byte blocks and tries to skip
1111 * over them. It works because lim is always a multiple
1112 * of 512, except at the end.
1113 */
1116 {
1119 {
1122 }
1124 }
1126 }
1127 }
1128 }
1130 /* Okay, we have written "lim" bytes. */
1133 {
1136 }
1140 /* Time to print progress? */
1142 {
1147 OUTPUT_BLOCK_SIZE);
1152 OUTPUT_BLOCK_SIZE));
1153 else
1160 /*
1161 * Force periodic syncs to keep displayed progress accurate
1162 * FIXME: Should these be present even if -v is not enabled,
1163 * to keep the buffer cache from filling with dirty pages?
1164 * It's a common problem with programs that do lots of writes,
1165 * like mkfs.
1166 */
1168 {
1171 }
1172 }
1173 }
1175 /* Force what we just wrote to hit the media. */
1177 {
1180 }
1182 }
1184 /*
1185 * The passes start and end with a random pass, and the passes in between
1186 * are done in random order. The idea is to deprive someone trying to
1187 * reverse the process of knowledge of the overwrite patterns, so they
1188 * have the additional step of figuring out what was done to the disk
1189 * before they can try to reverse or cancel it.
1190 *
1191 * First, all possible 1-bit patterns. There are two of them.
1192 * Then, all possible 2-bit patterns. There are four, but the two
1193 * which are also 1-bit patterns can be omitted.
1194 * Then, all possible 3-bit patterns. Likewise, 8-2 = 6.
1195 * Then, all possible 4-bit patterns. 16-4 = 12.
1196 *
1197 * The basic passes are:
1198 * 1-bit: 0x000, 0xFFF
1199 * 2-bit: 0x555, 0xAAA
1200 * 3-bit: 0x249, 0x492, 0x924, 0x6DB, 0xB6D, 0xDB6 (+ 1-bit)
1201 * 100100100100 110110110110
1202 * 9 2 4 D B 6
1203 * 4-bit: 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
1204 * 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE (+ 1-bit, 2-bit)
1205 * Adding three random passes at the beginning, middle and end
1206 * produces the default 25-pass structure.
1207 *
1208 * The next extension would be to 5-bit and 6-bit patterns.
1209 * There are 30 uncovered 5-bit patterns and 64-8-2 = 46 uncovered
1210 * 6-bit patterns, so they would increase the time required
1211 * significantly. 4-bit patterns are enough for most purposes.
1212 *
1213 * The main gotcha is that this would require a trickier encoding,
1214 * since lcm(2,3,4) = 12 bits is easy to fit into an int, but
1215 * lcm(2,3,4,5) = 60 bits is not.
1216 *
1217 * One extension that is included is to complement the first bit in each
1218 * 512-byte block, to alter the phase of the encoded data in the more
1219 * complex encodings. This doesn't apply to MFM, so the 1-bit patterns
1220 * are considered part of the 3-bit ones and the 2-bit patterns are
1221 * considered part of the 4-bit patterns.
1222 *
1223 *
1224 * How does the generalization to variable numbers of passes work?
1225 *
1226 * Here's how...
1227 * Have an ordered list of groups of passes. Each group is a set.
1228 * Take as many groups as will fit, plus a random subset of the
1229 * last partial group, and place them into the passes list.
1230 * Then shuffle the passes list into random order and use that.
1231 *
1232 * One extra detail: if we can't include a large enough fraction of the
1233 * last group to be interesting, then just substitute random passes.
1234 *
1235 * If you want more passes than the entire list of groups can
1236 * provide, just start repeating from the beginning of the list.
1237 */
1238 static int const
1239 patterns[] =
1240 {
1249 /* The following patterns have the frst bit per block flipped */
1255 };
1257 /*
1258 * Generate a random wiping pass pattern with num passes.
1259 * This is a two-stage process. First, the passes to include
1260 * are chosen, and then they are shuffled into the desired
1261 * order.
1262 */
1263 static void
1265 {
1279 /* Stage 1: choose the passes to use */
1286 {
1291 }
1296 {
1300 }
1303 }
1310 }
1315 }
1316 else
1318 do
1319 {
1321 {
1323 n--;
1324 }
1325 p++;
1326 }
1329 }
1330 }
1332 /* assert (d == dest+top); */
1334 /*
1335 * We now have fixed patterns in the dest buffer up to
1336 * "top", and we need to scramble them, with "randpasses"
1337 * random passes evenly spaced among them.
1338 *
1339 * We want one at the beginning, one at the end, and
1340 * evenly spaced in between. To do this, we basically
1341 * use Bresenham's line draw (a.k.a DDA) algorithm
1342 * to draw a line with slope (randpasses-1)/(num-1).
1343 * (We use a positive accumulator and count down to
1344 * do this.)
1345 *
1346 * So for each desired output value, we do the following:
1347 * - If it should be a random pass, copy the pass type
1348 * to top++, out of the way of the other passes, and
1349 * set the current pass to -1 (random).
1350 * - If it should be a normal pattern pass, choose an
1351 * entry at random between here and top-1 (inclusive)
1352 * and swap the current entry with that one.
1353 */
1357 {
1359 {
1363 }
1364 else
1365 {
1370 }
1372 }
1373 /* assert (top == num); */
1376 }
1378 /*
1379 * The core routine to actually do the work. This overwrites the first
1380 * size bytes of the given fd. Returns -1 on error, 0 on success.
1381 */
1382 static int
1385 {
1397 {
1400 }
1402 /* If we know that we can't possibly shred the file, give up now.
1403 Otherwise, we may go into a infinite loop writing data before we
1404 find that we can't rewind the device. */
1408 {
1411 }
1413 /* Allocate pass array */
1418 {
1423 {
1426 }
1428 {
1432 }
1433 }
1435 /* Schedule the passes in random order. */
1438 /* Do the work */
1440 {
1442 {
1446 }
1447 }
1456 /* Okay, now deallocate the data. The effect of ftruncate on
1457 non-regular files is unspecified, so don't worry about any
1458 errors reported for them. */
1461 {
1464 }
1467 }
1469 /* A wrapper with a little more checking for fds on the command line */
1470 static int
1473 {
1477 {
1480 }
1482 {
1485 }
1487 }
1489 /* --- Name-wiping code --- */
1491 /* Characters allowed in a file name - a safe universal set. */
1495 /*
1496 * This increments the name, considering it as a big-endian base-N number
1497 * with the digits taken from nameset. Characters not in the nameset
1498 * are considered to come before nameset[0].
1499 *
1500 * It's not obvious, but this will explode if name[0..len-1] contains
1501 * any 0 bytes.
1502 *
1503 * This returns the carry (1 on overflow).
1504 */
1505 static int
1507 {
1514 /* If the character is not found, replace it with a 0 digit */
1516 {
1519 }
1520 /* If this character has a successor, use it */
1522 {
1525 }
1526 /* Otherwise, set this digit to 0 and increment the prefix */
1529 }
1531 /*
1532 * Repeatedly rename a file with shorter and shorter names,
1533 * to obliterate all traces of the file name on any system that
1534 * adds a trailing delimiter to on-disk file names and reuses
1535 * the same directory slot. Finally, unlink it.
1536 * The passed-in filename is modified in place to the new filename.
1537 * (Which is unlinked if this function succeeds, but is still present if
1538 * it fails for some reason.)
1539 *
1540 * The main loop is written carefully to not get stuck if all possible
1541 * names of a given length are occupied. It counts down the length from
1542 * the original to 0. While the length is non-zero, it tries to find an
1543 * unused file name of the given length. It continues until either the
1544 * name is available and the rename succeeds, or it runs out of names
1545 * to try (incname wraps and returns 1). Finally, it unlinks the file.
1546 *
1547 * The unlink is Unix-specific, as ANSI-standard remove has more
1548 * portability problems with C libraries making it "safe". rename
1549 * is ANSI-standard.
1550 *
1551 * To force the directory data out, we try to open the directory and
1552 * invoke fdatasync on it. This is rather non-standard, so we don't
1553 * insist that it works, just fall back to a global sync in that case.
1554 * This is fairly significantly Unix-specific. Of course, on any
1555 * filesystem with synchronous metadata updates, this is unnecessary.
1556 */
1557 static int
1559 {
1569 /* Find the file name portion */
1571 /* Temporary hackery to get a directory fd */
1573 {
1577 }
1578 else
1579 {
1581 }
1586 {
1589 do
1590 {
1593 {
1598 {
1599 /*
1600 * People seem to understand this better than talking
1601 * about renaming oldname. newname doesn't need
1602 * quoting because we picked it.
1603 */
1605 }
1608 }
1609 }
1611 len--;
1612 }
1621 }
1623 /*
1624 * Finally, the function that actually takes a filename and grinds
1625 * it into hamburger.
1626 *
1627 * FIXME
1628 * Detail to note: since we do not restore errno to EACCES after
1629 * a failed chmod, we end up printing the error code from the chmod.
1630 * This is actually the error that stopped us from proceeding, so
1631 * it's arguably the right one, and in practice it'll be either EACCES
1632 * again or EPERM, which both give similar error messages.
1633 * Does anyone disagree?
1634 */
1635 static int
1638 {
1643 {
1645 {
1648 }
1651 {
1652 /* We accept /dev/fd/# even if the OS doesn't support it */
1658 /* If it's completely decimal with no leading zeros... */
1662 {
1664 }
1666 }
1667 }
1669 {
1672 }
1676 {
1679 }
1681 {
1685 }
1687 }
1689 int
1691 {
1713 {
1715 {
1724 {
1729 {
1732 }
1734 }
1742 {
1746 {
1749 }
1751 }
1766 case_GETOPT_HELP_CHAR;
1772 }
1773 }
1779 {
1782 }
1785 {
1788 {
1791 }
1792 else
1793 {
1794 /* Plain filename - Note that this overwrites *argv! */
1797 }
1798 }
1800 /* Just on general principles, wipe s. */
1806 }
1807 /*
1808 * vim:sw=2:sts=2:
1809 */