| blob | 21469176ee4816f4c7570dc44f101610eac6dee4 |
1 /* TODO:
2 - use consistent non-capitalization in error messages
3 - add standard GNU copyleft comment
5 - Add -r/-R/--recursive
6 - Add -i/--interactive
7 - Reserve -d
8 - Add -L
9 - Deal with the amazing variety of gettimeofday() implementation bugs.
10 (Some systems use a one-arg form; still others insist that the timezone
11 either be NULL or be non-NULL. Whee.)
12 - Add an unlink-all option to emulate rm.
13 */
15 /*
16 * shred.c - by Colin Plumb.
17 *
18 * Do a securer overwrite of given files or devices, to make it harder
19 * for even very expensive hardware probing to recover the data.
20 *
21 * Although this process is also known as "wiping", I prefer the longer
22 * name both because I think it is more evocative of what is happening and
23 * because a longer name conveys a more appropriate sense of deliberateness.
24 *
25 * For the theory behind this, see "Secure Deletion of Data from Magnetic
26 * and Solid-State Memory", on line at
27 * http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
28 *
29 * Just for the record, reversing one or two passes of disk overwrite
30 * is not terribly difficult with hardware help. Hook up a good-quality
31 * digitizing oscilloscope to the output of the head preamplifier and copy
32 * the high-res digitized data to a computer for some off-line analysis.
33 * Read the "current" data and average all the pulses together to get an
34 * "average" pulse on the disk. Subtract this average pulse from all of
35 * the actual pulses and you can clearly see the "echo" of the previous
36 * data on the disk.
37 *
38 * Real hard drives have to balance the cost of the media, the head,
39 * and the read circuitry. They use better-quality media than absolutely
40 * necessary to limit the cost of the read circuitry. By throwing that
41 * assumption out, and the assumption that you want the data processed
42 * as fast as the hard drive can spin, you can do better.
43 *
44 * If asked to wipe a file, this also unlinks it, renaming it to in a
45 * clever way to try to leave no trace of the original filename.
46 *
47 * Copyright 1997, 1998, 1999 Colin Plumb <colin@nyx.net>. This program
48 * may be freely distributed under the terms of the GNU GPL, the BSD license,
49 * or Larry Wall's "Artistic License" Even if you use the BSD license,
50 * which does not require it, I'd really like to get improvements back.
51 *
52 * The ISAAC code still bears some resemblance to the code written
53 * by Bob Jenkins, but he permits pretty unlimited use.
54 *
55 * This was inspired by a desire to improve on some code titled:
56 * Wipe V1.0-- Overwrite and delete files. S. 2/3/96
57 * but I've rewritten everything here so completely that no trace of
58 * the original remains.
59 *
60 * Thanks to:
61 * Bob Jenkins, for his good RNG work and patience with the FSF copyright
62 * paperwork.
63 * Jim Meyering, for his work merging this into the GNU fileutils while
64 * still letting me feel a sense of ownership and pride. Getting me to
65 * tolerate the GNU brace style was quite a feat of diplomacy.
66 * Paul Eggert, for lots of useful discussion and code. I disagree with
67 * an awful lot of his suggestions, but they're disagreements worth having.
68 *
69 * Things to think about:
70 * - Security: Is there any risk to the race
71 * between overwriting and unlinking a file? Will it do anything
72 * drastically bad if told to attack a named pipe or socket?
73 */
75 /* The official name of this program (e.g., no `g' prefix). */
80 #if HAVE_CONFIG_H
81 # include <config.h>
82 #endif
84 #include <getopt.h>
85 #include <stdio.h>
86 #include <assert.h>
87 #include <setjmp.h>
88 #include <signal.h>
89 #include <sys/types.h>
91 #if HAVE_CONFIG_H
92 /* Default fileutils build */
104 /*
105 * Standalone build - this file compiles by itself without autoconf and
106 * the like. No i18n, and I still have to write a stub for getopt_long,
107 * but it's a lot less intertwingled than the usual GNU utilities.
108 */
114 # include <errno.h>
123 # if __GNUC__ < 2 || __GNUC__ == 2 && __GNUC_MINOR__ < 5 || __STRICT_ANSI__
124 # define attribute(x)
125 # else
126 # define attribute __attribute__
127 # if __GNUC__ == 2 && __GNUC_MINOR__ < 7
128 /* The __-protected forms were introduced in GCC 2.6.4 */
129 # define __format__ format
130 # define __printf__ printf
131 # endif
132 # endif
134 /* Reasonable default assumptions for time-getting */
135 # ifndef HAVE_GETTIMEOFDAY
137 # endif
139 # ifdef CLOCK_REALTIME
140 # ifndef HAVE_CLOCK_GETTIME
141 # define HAVE_CLOCK_GETTIME 1
142 # endif
143 # endif
145 # ifndef STDOUT_FILENO
146 # define STDOUT_FILENO 1
147 # endif
149 # define RETSIGTYPE int
151 # ifndef S_IWUSR
152 # ifdef S_IWRITE
153 # define S_IWUSR S_IWRITE
154 # else
155 # define S_IWUSR 0200
156 # endif
157 # endif
159 /* POSIX doesn't require st_blksize, and 65536 is a reasonable
160 upper bound for existing filesystem practice. */
161 # define ST_BLKSIZE(Stat) 65536
163 # define uintmax_t unsigned long
165 /* Variant human-readable function that ignores last two args */
167 # define LONGEST_HUMAN_READABLE (sizeof (uintmax_t) * CHAR_BIT / 3)
169 /* Variant convert-to-uintmax_t function that accepts metric suffixes */
170 enum strtol_error
171 {
173 };
174 static uintmax_t
177 {
196 /* Now deal with metric-style suffixes */
202 {
224 /*FALLTHROUGH*/
229 /*
230 * If valid_suffixes contains '0', then xD (decimal) and xB (binary)
231 * are allowed as "supersuffixes". Binary is the default.
232 */
234 {
236 end_ptr++;
238 {
240 end_ptr++;
241 }
242 }
243 /* Now do the scaling */
244 p++;
251 else
257 }
259 /* Final wrapup */
266 }
268 /* Dummy i18n stubs */
269 # define _(x) x
270 # define N_(x) x
271 # define setlocale(x,y) (void) 0
272 # define bindtextdomain(x,y) (void) 0
273 # define textdomain(x) (void) 0
275 /*
276 * Print a message with `fprintf (stderr, FORMAT, ...)';
277 * if ERRNUM is nonzero, follow it with ": " and strerror (ERRNUM).
278 * If STATUS is nonzero, terminate the program with `exit (STATUS)'.
279 */
284 static void
286 {
290 {
293 }
298 {
301 }
306 }
308 /*
309 * GNU programs actually check for failure closing standard output.
310 * This seems unnecessary, until your shell script starts hitting
311 * ENOSPC and doing bizarre things with zero-length files.
312 */
313 static void
315 {
320 }
322 /*
323 * Quote the argument (including colon characters) into the buffer.
324 * Return the buffer size used (including trailing null byte.)
325 * If this is larger than the bufsize, it is an estimate of the space
326 * needed.
327 */
328 static size_t
330 {
331 /* Some systems don't have \a or \e, so this is ASCII-dependent */
339 {
341 {
344 }
345 else
346 {
350 {
352 }
353 else
354 {
362 }
363 }
365 }
368 }
370 /* Quote metacharacters in a filename */
373 {
379 {
384 }
386 }
390 {
395 }
399 {
401 }
405 #ifndef O_NOCTTY
407 #endif
409 /* Some systems don't support some file types. */
410 #ifndef S_ISFIFO
411 # define S_ISFIFO(mode) 0
412 #endif
413 #ifndef S_ISLNK
414 # define S_ISLNK(mode) 0
415 #endif
416 #ifndef S_ISSOCK
417 # define S_ISSOCK(mode) 0
418 #endif
422 /* How often to update wiping display */
423 #define VERBOSE_UPDATE 150*1024
425 /* If positive, the units to use when printing sizes;
426 if negative, the human-readable base. */
427 #define OUTPUT_BLOCK_SIZE (-1024)
429 struct Options
430 {
438 };
441 {
452 };
454 /* Global variable for error printing purposes */
457 void
459 {
462 program_name);
463 else
464 {
487 }
489 }
491 #if ! HAVE_FDATASYNC
492 # define fdatasync(fd) -1
493 #endif
495 /*
496 * --------------------------------------------------------------------
497 * Bob Jenkins' cryptographic random number generator, ISAAC.
498 * Hacked by Colin Plumb.
499 *
500 * We need a source of random numbers for some of the overwrite data.
501 * Cryptographically secure is desirable, but it's not life-or-death
502 * so I can be a little bit experimental in the choice of RNGs here.
503 *
504 * This generator is based somewhat on RC4, but has analysis
505 * (http://ourworld.compuserve.com/homepages/bob_jenkins/randomnu.htm)
506 * pointing to it actually being better. I like it because it's nice
507 * and fast, and because the author did good work analyzing it.
508 * --------------------------------------------------------------------
509 */
511 #if defined __STDC__ && __STDC__
512 # define UINT_MAX_32_BITS 4294967295U
513 #else
514 # define UINT_MAX_32_BITS 0xFFFFFFFF
515 #endif
517 #if ULONG_MAX == UINT_MAX_32_BITS
519 #else
520 # if UINT_MAX == UINT_MAX_32_BITS
522 # else
523 # if USHRT_MAX == UINT_MAX_32_BITS
525 # else
526 # if UCHAR_MAX == UINT_MAX_32_BITS
528 # else
529 "No 32-bit type available!"
530 # endif
531 # endif
532 # endif
533 #endif
535 /* Size of the state tables to use. (You may change ISAAC_LOG) */
536 #define ISAAC_LOG 8
537 #define ISAAC_WORDS (1 << ISAAC_LOG)
538 #define ISAAC_BYTES (ISAAC_WORDS * sizeof (word32))
540 /* RNG state variables */
541 struct isaac_state
542 {
546 };
548 /* This index operation is more efficient on many processors */
549 #define ind(mm, x) \
550 (* (word32 *) ((char *) (mm) + ((x) & (ISAAC_WORDS - 1) * sizeof (word32))))
552 /*
553 * The central step. This uses two temporaries, x and y. mm is the
554 * whole state array, while m is a pointer to the current word. off is
555 * the offset from m to the word ISAAC_WORDS/2 words away in the mm array,
556 * i.e. +/- ISAAC_WORDS/2.
557 */
558 #define isaac_step(mix, a, b, mm, m, off, r) \
559 ( \
560 a = ((a) ^ (mix)) + (m)[off], \
561 x = *(m), \
562 *(m) = y = ind (mm, x) + (a) + (b), \
563 *(r) = b = ind (mm, (y) >> ISAAC_LOG) + x \
564 )
566 /*
567 * Refill the entire R array, and update S.
568 */
569 static void
571 {
579 do
580 {
586 }
588 do
589 {
595 }
599 }
601 /*
602 * The basic seed-scrambling step for initialization, based on Bob
603 * Jenkins' 256-bit hash.
604 */
605 #define mix(a,b,c,d,e,f,g,h) \
606 ( a ^= b << 11, d += a, \
607 b += c, b ^= c >> 2, e += b, \
608 c += d, c ^= d << 8, f += c, \
609 d += e, d ^= e >> 16, g += d, \
610 e += f, e ^= f << 10, h += e, \
611 f += g, f ^= g >> 4, a += f, \
612 g += h, g ^= h << 8, b += g, \
613 h += a, h ^= a >> 9, c += h, \
614 a += b )
616 /* The basic ISAAC initialization pass. */
617 static void
619 {
631 {
651 }
661 }
664 /*
665 * Initialize the ISAAC RNG with the given seed material.
666 * Its size MUST be a multiple of ISAAC_BYTES, and may be
667 * stored in the s->mm array.
668 *
669 * This is a generalization of the original ISAAC initialization code
670 * to support larger seed sizes. For seed sizes of 0 and ISAAC_BYTES,
671 * it is identical.
672 */
673 static void
675 {
677 {
682 # if 0
683 /* The initialization of iv is a precomputed form of: */
688 # endif
695 {
696 /* First pass (as in reference ISAAC code) */
698 /* Second and subsequent passes (extension to ISAAC) */
700 {
705 }
706 }
707 else
708 {
709 /* The no seed case (as in reference ISAAC code) */
712 }
714 /* Final pass */
716 }
717 #endif
719 /* Start seeding an ISAAC structire */
720 static void
722 {
724 {
727 };
730 #if 0
731 /* The initialization of iv is a precomputed form of: */
736 #endif
739 /* We could initialize s->mm to zero, but why bother? */
741 /* s->c gets used for a data pointer during the seeding phase */
743 }
745 /* Add a buffer of seed material */
746 static void
748 {
755 /* Do any full buffers that are necessary */
757 {
766 }
768 /* And the final partial block */
773 }
776 /* End of seeding phase; get everything ready to produce output. */
777 static void
779 {
782 /* Now reinitialize c to start things off right */
784 }
785 #define ISAAC_SEED(s,x) isaac_seed_data (s, &(x), sizeof (x))
788 #if __GNUC__ >= 2 && (__i386__ || __alpha__)
789 /*
790 * Many processors have very-high-resolution timer registers,
791 * The timer registers can be made inaccessible, so we have to deal with the
792 * possibility of SIGILL while we're working.
793 */
795 static RETSIGTYPE
797 {
800 }
802 static void
804 {
807 /* This is how one does try/except in C */
810 {
812 }
813 else
814 {
815 # if __i386__
818 # endif
819 # if __alpha__
822 # endif
823 # if _ARCH_PPC
824 /* Code not used because this instruction is available only on first-
825 generation PPCs and evokes a SIGBUS on some Linux 2.4 kernels. */
826 word32 t;
828 # endif
829 # if __mips
830 /* Code not used because this is not accessible from userland */
831 word32 t;
833 # endif
834 # if __sparc__
835 /* This doesn't compile on all platforms yet. How to fix? */
838 # endif
841 }
842 }
846 /* Do-nothing stub */
847 # define isaac_seed_machdep(s) (void) 0
852 /*
853 * Get seed material. 16 bytes (128 bits) is plenty, but if we have
854 * /dev/urandom, we get 32 bytes = 256 bits for complete overkill.
855 */
856 static void
858 {
866 {
867 #if HAVE_GETHRTIME
870 #else
874 # else
875 # if HAVE_GETTIMEOFDAY
878 # else
881 # endif
882 # endif
883 #endif
885 }
889 {
893 {
897 }
898 else
899 {
902 {
903 /* /dev/random is more precious, so use less */
907 }
908 }
909 }
912 }
914 /* Single-word RNG built on top of ISAAC */
915 struct irand_state
916 {
920 };
922 static void
924 {
927 }
929 /*
930 * We take from the end of the block deliberately, so if we need
931 * only a small number of values, we choose the final ones which are
932 * marginally better mixed than the initial ones.
933 */
934 static word32
936 {
938 {
941 }
943 }
945 /*
946 * Return a uniformly distributed random number between 0 and n,
947 * inclusive. Thus, the result is modulo n+1.
948 *
949 * Theory of operation: as x steps through every possible 32-bit number,
950 * x % n takes each value at least 2^32 / n times (rounded down), but
951 * the values less than 2^32 % n are taken one additional time. Thus,
952 * x % n is not perfectly uniform. To fix this, the values of x less
953 * than 2^32 % n are disallowed, and if the RNG produces one, we ask
954 * for a new value.
955 */
956 static word32
958 {
959 word32 x;
960 word32 lim;
966 do
967 {
969 }
972 }
974 /*
975 * Fill a buffer with a fixed pattern.
976 *
977 * The buffer must be at least 3 bytes long, even if
978 * size is less. Larger sizes are filled exactly.
979 */
980 static void
982 {
995 /* Invert the first bit of every 512-byte sector. */
999 }
1001 /*
1002 * Fill a buffer, R (of size SIZE_MAX), with random data.
1003 * SIZE is rounded UP to a multiple of ISAAC_BYTES.
1004 */
1005 static void
1007 {
1012 {
1015 }
1016 }
1018 /*
1019 * Generate a 6-character (+ nul) pass name string
1020 * FIXME: allow translation of "random".
1021 */
1022 #define PASS_NAME_SIZE 7
1023 static void
1025 {
1028 else
1030 }
1032 /*
1033 * Do pass number k of n, writing "size" bytes of the given pattern "type"
1034 * to the file descriptor fd. Qname, k and n are passed in only for verbose
1035 * progress message purposes. If n == 0, no progress messages are printed.
1036 *
1037 * If *sizep == -1, the size is unknown, and it will be filled in as soon
1038 * as writing fails.
1039 */
1040 static int
1043 {
1050 #if ISAAC_WORDS > 1024
1052 #else
1054 #endif
1058 {
1061 }
1063 /* Constant fill patterns need only be set up once. */
1065 {
1068 {
1070 }
1073 }
1074 else
1075 {
1077 }
1079 /* Set position if first status update */
1082 {
1087 }
1091 {
1092 /* How much to write this time? */
1095 {
1101 }
1104 /* Loop to retry partial writes. */
1106 {
1109 {
1112 {
1113 /* Ah, we have found the end of the file */
1116 }
1117 else
1118 {
1122 qname,
1125 /*
1126 * I sometimes use shred on bad media, before throwing it
1127 * out. Thus, I don't want it to give up on bad blocks.
1128 * This code assumes 512-byte blocks and tries to skip
1129 * over them. It works because lim is always a multiple
1130 * of 512, except at the end.
1131 */
1134 {
1137 {
1140 }
1142 }
1144 }
1145 }
1146 }
1148 /* Okay, we have written "lim" bytes. */
1151 {
1154 }
1158 /* Time to print progress? */
1160 {
1165 OUTPUT_BLOCK_SIZE);
1170 OUTPUT_BLOCK_SIZE));
1171 else
1178 /*
1179 * Force periodic syncs to keep displayed progress accurate
1180 * FIXME: Should these be present even if -v is not enabled,
1181 * to keep the buffer cache from filling with dirty pages?
1182 * It's a common problem with programs that do lots of writes,
1183 * like mkfs.
1184 */
1186 {
1189 }
1190 }
1191 }
1193 /* Force what we just wrote to hit the media. */
1195 {
1198 }
1200 }
1202 /*
1203 * The passes start and end with a random pass, and the passes in between
1204 * are done in random order. The idea is to deprive someone trying to
1205 * reverse the process of knowledge of the overwrite patterns, so they
1206 * have the additional step of figuring out what was done to the disk
1207 * before they can try to reverse or cancel it.
1208 *
1209 * First, all possible 1-bit patterns. There are two of them.
1210 * Then, all possible 2-bit patterns. There are four, but the two
1211 * which are also 1-bit patterns can be omitted.
1212 * Then, all possible 3-bit patterns. Likewise, 8-2 = 6.
1213 * Then, all possible 4-bit patterns. 16-4 = 12.
1214 *
1215 * The basic passes are:
1216 * 1-bit: 0x000, 0xFFF
1217 * 2-bit: 0x555, 0xAAA
1218 * 3-bit: 0x249, 0x492, 0x924, 0x6DB, 0xB6D, 0xDB6 (+ 1-bit)
1219 * 100100100100 110110110110
1220 * 9 2 4 D B 6
1221 * 4-bit: 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
1222 * 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE (+ 1-bit, 2-bit)
1223 * Adding three random passes at the beginning, middle and end
1224 * produces the default 25-pass structure.
1225 *
1226 * The next extension would be to 5-bit and 6-bit patterns.
1227 * There are 30 uncovered 5-bit patterns and 64-8-2 = 46 uncovered
1228 * 6-bit patterns, so they would increase the time required
1229 * significantly. 4-bit patterns are enough for most purposes.
1230 *
1231 * The main gotcha is that this would require a trickier encoding,
1232 * since lcm(2,3,4) = 12 bits is easy to fit into an int, but
1233 * lcm(2,3,4,5) = 60 bits is not.
1234 *
1235 * One extension that is included is to complement the first bit in each
1236 * 512-byte block, to alter the phase of the encoded data in the more
1237 * complex encodings. This doesn't apply to MFM, so the 1-bit patterns
1238 * are considered part of the 3-bit ones and the 2-bit patterns are
1239 * considered part of the 4-bit patterns.
1240 *
1241 *
1242 * How does the generalization to variable numbers of passes work?
1243 *
1244 * Here's how...
1245 * Have an ordered list of groups of passes. Each group is a set.
1246 * Take as many groups as will fit, plus a random subset of the
1247 * last partial group, and place them into the passes list.
1248 * Then shuffle the passes list into random order and use that.
1249 *
1250 * One extra detail: if we can't include a large enough fraction of the
1251 * last group to be interesting, then just substitute random passes.
1252 *
1253 * If you want more passes than the entire list of groups can
1254 * provide, just start repeating from the beginning of the list.
1255 */
1256 static int const
1257 patterns[] =
1258 {
1267 /* The following patterns have the frst bit per block flipped */
1273 };
1275 /*
1276 * Generate a random wiping pass pattern with num passes.
1277 * This is a two-stage process. First, the passes to include
1278 * are chosen, and then they are shuffled into the desired
1279 * order.
1280 */
1281 static void
1283 {
1297 /* Stage 1: choose the passes to use */
1304 {
1309 }
1314 {
1318 }
1321 }
1328 }
1333 }
1334 else
1336 do
1337 {
1339 {
1341 n--;
1342 }
1343 p++;
1344 }
1347 }
1348 }
1350 /* assert (d == dest+top); */
1352 /*
1353 * We now have fixed patterns in the dest buffer up to
1354 * "top", and we need to scramble them, with "randpasses"
1355 * random passes evenly spaced among them.
1356 *
1357 * We want one at the beginning, one at the end, and
1358 * evenly spaced in between. To do this, we basically
1359 * use Bresenham's line draw (a.k.a DDA) algorithm
1360 * to draw a line with slope (randpasses-1)/(num-1).
1361 * (We use a positive accumulator and count down to
1362 * do this.)
1363 *
1364 * So for each desired output value, we do the following:
1365 * - If it should be a random pass, copy the pass type
1366 * to top++, out of the way of the other passes, and
1367 * set the current pass to -1 (random).
1368 * - If it should be a normal pattern pass, choose an
1369 * entry at random between here and top-1 (inclusive)
1370 * and swap the current entry with that one.
1371 */
1375 {
1377 {
1381 }
1382 else
1383 {
1388 }
1390 }
1391 /* assert (top == num); */
1394 }
1396 /*
1397 * The core routine to actually do the work. This overwrites the first
1398 * size bytes of the given fd. Returns -1 on error, 0 on success.
1399 */
1400 static int
1403 {
1415 {
1418 }
1420 /* If we know that we can't possibly shred the file, give up now.
1421 Otherwise, we may go into a infinite loop writing data before we
1422 find that we can't rewind the device. */
1426 {
1429 }
1431 /* Allocate pass array */
1436 {
1437 /* Accept a length of zero only if it's a regular file.
1438 For any other type of file, try to get the size another way. */
1440 {
1443 {
1446 }
1447 }
1448 else
1449 {
1452 {
1453 /* We are unable to determine the length, up front.
1454 Let dopass do that as part of its first iteration. */
1456 }
1457 }
1460 {
1463 /* If in rounding up, we've just overflowed, use the maximum. */
1466 }
1467 }
1469 /* Schedule the passes in random order. */
1472 /* Do the work */
1474 {
1476 {
1480 }
1481 }
1490 /* Okay, now deallocate the data. The effect of ftruncate on
1491 non-regular files is unspecified, so don't worry about any
1492 errors reported for them. */
1495 {
1498 }
1501 }
1503 /* A wrapper with a little more checking for fds on the command line */
1504 static int
1507 {
1511 {
1514 }
1516 {
1519 }
1521 }
1523 /* --- Name-wiping code --- */
1525 /* Characters allowed in a file name - a safe universal set. */
1529 /*
1530 * This increments the name, considering it as a big-endian base-N number
1531 * with the digits taken from nameset. Characters not in the nameset
1532 * are considered to come before nameset[0].
1533 *
1534 * It's not obvious, but this will explode if name[0..len-1] contains
1535 * any 0 bytes.
1536 *
1537 * This returns the carry (1 on overflow).
1538 */
1539 static int
1541 {
1548 /* If the character is not found, replace it with a 0 digit */
1550 {
1553 }
1554 /* If this character has a successor, use it */
1556 {
1559 }
1560 /* Otherwise, set this digit to 0 and increment the prefix */
1563 }
1565 /*
1566 * Repeatedly rename a file with shorter and shorter names,
1567 * to obliterate all traces of the file name on any system that
1568 * adds a trailing delimiter to on-disk file names and reuses
1569 * the same directory slot. Finally, unlink it.
1570 * The passed-in filename is modified in place to the new filename.
1571 * (Which is unlinked if this function succeeds, but is still present if
1572 * it fails for some reason.)
1573 *
1574 * The main loop is written carefully to not get stuck if all possible
1575 * names of a given length are occupied. It counts down the length from
1576 * the original to 0. While the length is non-zero, it tries to find an
1577 * unused file name of the given length. It continues until either the
1578 * name is available and the rename succeeds, or it runs out of names
1579 * to try (incname wraps and returns 1). Finally, it unlinks the file.
1580 *
1581 * The unlink is Unix-specific, as ANSI-standard remove has more
1582 * portability problems with C libraries making it "safe". rename
1583 * is ANSI-standard.
1584 *
1585 * To force the directory data out, we try to open the directory and
1586 * invoke fdatasync on it. This is rather non-standard, so we don't
1587 * insist that it works, just fall back to a global sync in that case.
1588 * This is fairly significantly Unix-specific. Of course, on any
1589 * filesystem with synchronous metadata updates, this is unnecessary.
1590 */
1591 static int
1593 {
1603 /* Find the file name portion */
1605 /* Temporary hackery to get a directory fd */
1607 {
1611 }
1612 else
1613 {
1615 }
1620 {
1623 do
1624 {
1627 {
1629 {
1634 {
1635 /*
1636 * People seem to understand this better than talking
1637 * about renaming oldname. newname doesn't need
1638 * quoting because we picked it.
1639 */
1642 }
1645 }
1646 else
1647 {
1648 /* The rename failed: give up on this length. */
1650 }
1651 }
1652 else
1653 {
1654 /* newname exists, so increment BASE so we use another */
1655 }
1656 }
1658 len--;
1659 }
1668 }
1670 /*
1671 * Finally, the function that actually takes a filename and grinds
1672 * it into hamburger.
1673 *
1674 * FIXME
1675 * Detail to note: since we do not restore errno to EACCES after
1676 * a failed chmod, we end up printing the error code from the chmod.
1677 * This is actually the error that stopped us from proceeding, so
1678 * it's arguably the right one, and in practice it'll be either EACCES
1679 * again or EPERM, which both give similar error messages.
1680 * Does anyone disagree?
1681 */
1682 static int
1685 {
1690 {
1692 {
1695 }
1698 {
1699 /* We accept /dev/fd/# even if the OS doesn't support it */
1705 /* If it's completely decimal with no leading zeros... */
1709 {
1711 }
1713 }
1714 }
1716 {
1719 }
1723 {
1726 }
1728 {
1732 }
1734 }
1736 int
1738 {
1762 {
1764 {
1773 {
1778 {
1781 }
1783 }
1791 {
1795 {
1798 }
1800 }
1815 case_GETOPT_HELP_CHAR;
1821 }
1822 }
1828 {
1831 }
1834 {
1837 {
1840 }
1841 else
1842 {
1843 /* Plain filename - Note that this overwrites *argv! */
1846 }
1847 }
1849 /* Just on general principles, wipe s. */
1853 }
1854 /*
1855 * vim:sw=2:sts=2:
1856 */