| blob | 23a4944b0dd28489ca7cc8d3eea5267e403da60a |
1 /* shred.c - overwrite files and devices to make it harder to recover data
3 Copyright (C) 1999-2006 Free Software Foundation, Inc.
4 Copyright (C) 1997, 1998, 1999 Colin Plumb.
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
9 any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 Written by Colin Plumb. */
22 /* TODO:
23 - use consistent non-capitalization in error messages
24 - add standard GNU copyleft comment
26 - Add -r/-R/--recursive
27 - Add -i/--interactive
28 - Reserve -d
29 - Add -L
30 - Add an unlink-all option to emulate rm.
31 */
33 /*
34 * Do a more secure overwrite of given files or devices, to make it harder
35 * for even very expensive hardware probing to recover the data.
36 *
37 * Although this process is also known as "wiping", I prefer the longer
38 * name both because I think it is more evocative of what is happening and
39 * because a longer name conveys a more appropriate sense of deliberateness.
40 *
41 * For the theory behind this, see "Secure Deletion of Data from Magnetic
42 * and Solid-State Memory", on line at
43 * http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
44 *
45 * Just for the record, reversing one or two passes of disk overwrite
46 * is not terribly difficult with hardware help. Hook up a good-quality
47 * digitizing oscilloscope to the output of the head preamplifier and copy
48 * the high-res digitized data to a computer for some off-line analysis.
49 * Read the "current" data and average all the pulses together to get an
50 * "average" pulse on the disk. Subtract this average pulse from all of
51 * the actual pulses and you can clearly see the "echo" of the previous
52 * data on the disk.
53 *
54 * Real hard drives have to balance the cost of the media, the head,
55 * and the read circuitry. They use better-quality media than absolutely
56 * necessary to limit the cost of the read circuitry. By throwing that
57 * assumption out, and the assumption that you want the data processed
58 * as fast as the hard drive can spin, you can do better.
59 *
60 * If asked to wipe a file, this also unlinks it, renaming it to in a
61 * clever way to try to leave no trace of the original filename.
62 *
63 * This was inspired by a desire to improve on some code titled:
64 * Wipe V1.0-- Overwrite and delete files. S. 2/3/96
65 * but I've rewritten everything here so completely that no trace of
66 * the original remains.
67 *
68 * Thanks to:
69 * Bob Jenkins, for his good RNG work and patience with the FSF copyright
70 * paperwork.
71 * Jim Meyering, for his work merging this into the GNU fileutils while
72 * still letting me feel a sense of ownership and pride. Getting me to
73 * tolerate the GNU brace style was quite a feat of diplomacy.
74 * Paul Eggert, for lots of useful discussion and code. I disagree with
75 * an awful lot of his suggestions, but they're disagreements worth having.
76 *
77 * Things to think about:
78 * - Security: Is there any risk to the race
79 * between overwriting and unlinking a file? Will it do anything
80 * drastically bad if told to attack a named pipe or socket?
81 */
83 /* The official name of this program (e.g., no `g' prefix). */
88 #include <config.h>
90 #include <getopt.h>
91 #include <stdio.h>
92 #include <assert.h>
93 #include <setjmp.h>
94 #include <sys/types.h>
108 /* Default number of times to overwrite. */
111 /* How many seconds to wait before checking whether to output another
112 verbose output line. */
115 /* Sector size and corresponding mask, for recovering after write failures.
116 The size must be a power of 2. */
121 struct Options
122 {
130 };
132 /* For long options that have no equivalent short option, use a
133 non-character as a pseudo short option, starting with CHAR_MAX + 1. */
134 enum
135 {
137 };
140 {
152 };
154 /* Global variable for error printing purposes */
157 void
159 {
162 program_name);
163 else
164 {
240 }
242 }
245 /*
246 * Fill a buffer with a fixed pattern.
247 *
248 * The buffer must be at least 3 bytes long, even if
249 * size is less. Larger sizes are filled exactly.
250 */
251 static void
253 {
266 /* Invert the first bit of every sector. */
270 }
272 /*
273 * Generate a 6-character (+ nul) pass name string
274 * FIXME: allow translation of "random".
275 */
276 #define PASS_NAME_SIZE 7
277 static void
279 {
282 else
284 }
286 /* Request that all data for FD be transferred to the corresponding
287 storage device. QNAME is the file name (quoted for colons).
288 Report any errors found. Return 0 on success, -1
289 (setting errno) on failure. It is not an error if fdatasync and/or
290 fsync is not supported for this file, or if the file is not a
291 writable file descriptor. */
292 static int
294 {
297 #if HAVE_FDATASYNC
302 {
306 }
307 #endif
313 {
317 }
321 }
323 /* Turn on or off direct I/O mode for file descriptor FD, if possible.
324 Try to turn it on if ENABLE is true. Otherwise, try to turn it off. */
325 static void
327 {
329 {
332 {
338 }
339 }
341 #if HAVE_DIRECTIO && defined DIRECTIO_ON && defined DIRECTIO_OFF
342 /* This is Solaris-specific. See the following for details:
343 http://docs.sun.com/db/doc/816-0213/6m6ne37so?q=directio&a=view */
345 #endif
346 }
348 /*
349 * Do pass number k of n, writing "size" bytes of the given pattern "type"
350 * to the file descriptor fd. Qname, k and n are passed in only for verbose
351 * progress message purposes. If n == 0, no progress messages are printed.
352 *
353 * If *sizep == -1, the size is unknown, and it will be filled in as soon
354 * as writing fails.
355 *
356 * Return 1 on write error, -1 on other error, 0 on success.
357 */
358 static int
361 {
370 /* Fill pattern buffer. Aligning it to a 32-bit boundary speeds up randread
371 in some cases. */
373 union
374 {
375 fill_pattern_buffer buffer;
385 /* Printable previous offset into the file */
390 {
393 }
395 /* Constant fill patterns need only be set up once. */
397 {
401 }
402 else
403 {
405 }
407 /* Set position if first status update */
409 {
413 }
417 {
418 /* How much to write this time? */
421 {
427 }
430 /* Loop to retry partial writes. */
432 {
435 {
437 {
438 /* Ah, we have found the end of the file */
441 }
442 else
443 {
447 /* If the first write of the first pass for a given file
448 has just failed with EINVAL, turn off direct mode I/O
449 and try again. This works around a bug in linux-2.4
450 whereby opening with O_DIRECT would succeed for some
451 file system types (e.g., ext3), but any attempt to
452 access a file through the resulting descriptor would
453 fail with EINVAL. */
455 {
459 }
463 /* 'shred' is often used on bad media, before throwing it
464 out. Thus, it shouldn't give up on bad blocks. This
465 code works because lim is always a multiple of
466 SECTOR_SIZE, except at the end. */
469 {
472 {
473 /* Arrange to skip this block. */
477 }
479 }
481 }
482 }
483 }
485 /* Okay, we have written "soff" bytes. */
488 {
491 }
495 /* Time to print progress? */
499 {
510 {
514 else
515 {
530 percent);
531 }
537 /*
538 * Force periodic syncs to keep displayed progress accurate
539 * FIXME: Should these be present even if -v is not enabled,
540 * to keep the buffer cache from filling with dirty pages?
541 * It's a common problem with programs that do lots of writes,
542 * like mkfs.
543 */
545 {
549 }
550 }
551 }
552 }
554 /* Force what we just wrote to hit the media. */
556 {
560 }
563 }
565 /*
566 * The passes start and end with a random pass, and the passes in between
567 * are done in random order. The idea is to deprive someone trying to
568 * reverse the process of knowledge of the overwrite patterns, so they
569 * have the additional step of figuring out what was done to the disk
570 * before they can try to reverse or cancel it.
571 *
572 * First, all possible 1-bit patterns. There are two of them.
573 * Then, all possible 2-bit patterns. There are four, but the two
574 * which are also 1-bit patterns can be omitted.
575 * Then, all possible 3-bit patterns. Likewise, 8-2 = 6.
576 * Then, all possible 4-bit patterns. 16-4 = 12.
577 *
578 * The basic passes are:
579 * 1-bit: 0x000, 0xFFF
580 * 2-bit: 0x555, 0xAAA
581 * 3-bit: 0x249, 0x492, 0x924, 0x6DB, 0xB6D, 0xDB6 (+ 1-bit)
582 * 100100100100 110110110110
583 * 9 2 4 D B 6
584 * 4-bit: 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
585 * 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE (+ 1-bit, 2-bit)
586 * Adding three random passes at the beginning, middle and end
587 * produces the default 25-pass structure.
588 *
589 * The next extension would be to 5-bit and 6-bit patterns.
590 * There are 30 uncovered 5-bit patterns and 64-8-2 = 46 uncovered
591 * 6-bit patterns, so they would increase the time required
592 * significantly. 4-bit patterns are enough for most purposes.
593 *
594 * The main gotcha is that this would require a trickier encoding,
595 * since lcm(2,3,4) = 12 bits is easy to fit into an int, but
596 * lcm(2,3,4,5) = 60 bits is not.
597 *
598 * One extension that is included is to complement the first bit in each
599 * 512-byte block, to alter the phase of the encoded data in the more
600 * complex encodings. This doesn't apply to MFM, so the 1-bit patterns
601 * are considered part of the 3-bit ones and the 2-bit patterns are
602 * considered part of the 4-bit patterns.
603 *
604 *
605 * How does the generalization to variable numbers of passes work?
606 *
607 * Here's how...
608 * Have an ordered list of groups of passes. Each group is a set.
609 * Take as many groups as will fit, plus a random subset of the
610 * last partial group, and place them into the passes list.
611 * Then shuffle the passes list into random order and use that.
612 *
613 * One extra detail: if we can't include a large enough fraction of the
614 * last group to be interesting, then just substitute random passes.
615 *
616 * If you want more passes than the entire list of groups can
617 * provide, just start repeating from the beginning of the list.
618 */
619 static int const
620 patterns[] =
621 {
630 /* The following patterns have the frst bit per block flipped */
636 };
638 /*
639 * Generate a random wiping pass pattern with num passes.
640 * This is a two-stage process. First, the passes to include
641 * are chosen, and then they are shuffled into the desired
642 * order.
643 */
644 static void
646 {
657 /* Stage 1: choose the passes to use */
664 {
669 }
674 {
678 }
681 }
688 }
693 }
694 else
696 do
697 {
699 {
701 n--;
702 }
703 p++;
704 }
707 }
708 }
710 /* assert (d == dest+top); */
712 /*
713 * We now have fixed patterns in the dest buffer up to
714 * "top", and we need to scramble them, with "randpasses"
715 * random passes evenly spaced among them.
716 *
717 * We want one at the beginning, one at the end, and
718 * evenly spaced in between. To do this, we basically
719 * use Bresenham's line draw (a.k.a DDA) algorithm
720 * to draw a line with slope (randpasses-1)/(num-1).
721 * (We use a positive accumulator and count down to
722 * do this.)
723 *
724 * So for each desired output value, we do the following:
725 * - If it should be a random pass, copy the pass type
726 * to top++, out of the way of the other passes, and
727 * set the current pass to -1 (random).
728 * - If it should be a normal pattern pass, choose an
729 * entry at random between here and top-1 (inclusive)
730 * and swap the current entry with that one.
731 */
735 {
737 {
741 }
742 else
743 {
748 }
750 }
751 /* assert (top == num); */
752 }
754 /*
755 * The core routine to actually do the work. This overwrites the first
756 * size bytes of the given fd. Return true if successful.
757 */
758 static bool
761 {
775 {
778 }
780 /* If we know that we can't possibly shred the file, give up now.
781 Otherwise, we may go into a infinite loop writing data before we
782 find that we can't rewind the device. */
786 {
789 }
793 /* Allocate pass array */
798 {
799 /* Accept a length of zero only if it's a regular file.
800 For any other type of file, try to get the size another way. */
802 {
805 {
808 }
809 }
810 else
811 {
814 {
815 /* We are unable to determine the length, up front.
816 Let dopass do that as part of its first iteration. */
818 }
819 }
821 /* Allow `rounding up' only for regular files. */
823 {
826 /* If in rounding up, we've just overflowed, use the maximum. */
829 }
830 }
832 /* Schedule the passes in random order. */
837 /* Do the work */
839 {
842 {
844 {
848 }
850 }
851 }
857 {
860 {
864 }
865 }
867 /* Okay, now deallocate the data. The effect of ftruncate on
868 non-regular files is unspecified, so don't worry about any
869 errors reported for them. */
872 {
875 }
878 }
880 /* A wrapper with a little more checking for fds on the command line */
881 static bool
884 {
888 {
891 }
893 {
896 }
898 }
900 /* --- Name-wiping code --- */
902 /* Characters allowed in a file name - a safe universal set. */
906 /* Increment NAME (with LEN bytes). NAME must be a big-endian base N
907 number with the digits taken from nameset. Return true if
908 successful if not (because NAME already has the greatest possible
909 value. */
911 static bool
913 {
915 {
918 /* If this character has a successor, use it. */
920 {
923 }
925 /* Otherwise, set this digit to 0 and increment the prefix. */
927 }
930 }
932 /*
933 * Repeatedly rename a file with shorter and shorter names,
934 * to obliterate all traces of the file name on any system that
935 * adds a trailing delimiter to on-disk file names and reuses
936 * the same directory slot. Finally, unlink it.
937 * The passed-in filename is modified in place to the new filename.
938 * (Which is unlinked if this function succeeds, but is still present if
939 * it fails for some reason.)
940 *
941 * The main loop is written carefully to not get stuck if all possible
942 * names of a given length are occupied. It counts down the length from
943 * the original to 0. While the length is non-zero, it tries to find an
944 * unused file name of the given length. It continues until either the
945 * name is available and the rename succeeds, or it runs out of names
946 * to try (incname wraps and returns 1). Finally, it unlinks the file.
947 *
948 * The unlink is Unix-specific, as ANSI-standard remove has more
949 * portability problems with C libraries making it "safe". rename
950 * is ANSI-standard.
951 *
952 * To force the directory data out, we try to open the directory and
953 * invoke fdatasync and/or fsync on it. This is non-standard, so don't
954 * insist that it works: just fall back to a global sync in that case.
955 * This is fairly significantly Unix-specific. Of course, on any
956 * file system with synchronous metadata updates, this is unnecessary.
957 */
958 static bool
960 {
975 {
978 do
979 {
982 {
984 {
988 {
989 /*
990 * People seem to understand this better than talking
991 * about renaming oldname. newname doesn't need
992 * quoting because we picked it. oldname needs to
993 * be quoted only the first time.
994 */
998 }
1001 }
1002 else
1003 {
1004 /* The rename failed: give up on this length. */
1006 }
1007 }
1008 else
1009 {
1010 /* newname exists, so increment BASE so we use another */
1011 }
1012 }
1014 len--;
1015 }
1017 {
1020 }
1024 {
1028 {
1031 }
1032 }
1037 }
1039 /*
1040 * Finally, the function that actually takes a filename and grinds
1041 * it into hamburger.
1042 *
1043 * FIXME
1044 * Detail to note: since we do not restore errno to EACCES after
1045 * a failed chmod, we end up printing the error code from the chmod.
1046 * This is actually the error that stopped us from proceeding, so
1047 * it's arguably the right one, and in practice it'll be either EACCES
1048 * again or EPERM, which both give similar error messages.
1049 * Does anyone disagree?
1050 */
1051 static bool
1054 {
1064 {
1067 }
1071 {
1074 }
1078 }
1081 /* Buffers for random data. */
1084 /* Just on general principles, wipe buffers containing information
1085 that may be related to the possibly-pseudorandom values used during
1086 shredding. */
1087 static void
1089 {
1091 }
1094 int
1096 {
1117 {
1119 {
1125 {
1129 {
1132 }
1134 }
1148 {
1152 {
1155 }
1157 }
1172 case_GETOPT_HELP_CHAR;
1178 }
1179 }
1185 {
1188 }
1196 {
1199 {
1201 }
1202 else
1203 {
1204 /* Plain filename - Note that this overwrites *argv! */
1206 }
1208 }
1211 }
1212 /*
1213 * vim:sw=2:sts=2:
1214 */