search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
some coverity fixes.
[minix.git] / bin / rm / rm.c
blobddf85dc7119ebcf1a62c59994103ec8d824368e8
1 /* $NetBSD: rm.c,v 1.50 2011/08/29 14:48:46 joerg Exp $ */
2
3 /*-
4 * Copyright (c) 1990, 1993, 1994, 2003
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 #ifndef lint
34 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\
35 The Regents of the University of California. All rights reserved.");
36 #endif /* not lint */
37
38 #ifndef lint
39 #if 0
40 static char sccsid[] = "@(#)rm.c 8.8 (Berkeley) 4/27/95";
41 #else
42 __RCSID("$NetBSD: rm.c,v 1.50 2011/08/29 14:48:46 joerg Exp $");
43 #endif
44 #endif /* not lint */
45
46 #include <sys/param.h>
47 #include <sys/stat.h>
48 #include <sys/types.h>
49
50 #include <err.h>
51 #include <errno.h>
52 #include <fcntl.h>
53 #include <fts.h>
54 #include <grp.h>
55 #include <locale.h>
56 #include <pwd.h>
57 #include <stdio.h>
58 #include <stdlib.h>
59 #include <string.h>
60 #include <unistd.h>
61
62 static int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag;
63
64 static int check(char *, char *, struct stat *);
65 static void checkdot(char **);
66 static void rm_file(char **);
67 static int rm_overwrite(char *, struct stat *);
68 static void rm_tree(char **);
69 __dead static void usage(void);
70
71 #ifdef __minix
72 # ifndef O_SYNC
73 # define O_SYNC 0
74 # endif
75 # ifndef O_RSYNC
76 # define O_RSYNC 0
77 # endif
78 #endif
79
80 /*
81 * For the sake of the `-f' flag, check whether an error number indicates the
82 * failure of an operation due to an non-existent file, either per se (ENOENT)
83 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR).
84 */
85 #define NONEXISTENT(x) \
86 ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR)
87
88 /*
89 * rm --
90 * This rm is different from historic rm's, but is expected to match
91 * POSIX 1003.2 behavior. The most visible difference is that -f
92 * has two specific effects now, ignore non-existent files and force
93 * file removal.
94 */
95 int
96 main(int argc, char *argv[])
97 {
98 int ch, rflag;
99
100 setprogname(argv[0]);
101 (void)setlocale(LC_ALL, "");
102
103 Pflag = rflag = 0;
104 while ((ch = getopt(argc, argv, "dfiPRrvW")) != -1)
105 switch (ch) {
106 case 'd':
107 dflag = 1;
108 break;
109 case 'f':
110 fflag = 1;
111 iflag = 0;
112 break;
113 case 'i':
114 fflag = 0;
115 iflag = 1;
116 break;
117 case 'P':
118 Pflag = 1;
119 break;
120 case 'R':
121 case 'r': /* Compatibility. */
122 rflag = 1;
123 break;
124 case 'v':
125 vflag = 1;
126 break;
127 case 'W':
128 Wflag = 1;
129 break;
130 case '?':
131 default:
132 usage();
133 }
134 argc -= optind;
135 argv += optind;
136
137 if (argc < 1) {
138 if (fflag)
139 return 0;
140 usage();
141 }
142
143 checkdot(argv);
144
145 if (*argv) {
146 stdin_ok = isatty(STDIN_FILENO);
147
148 if (rflag)
149 rm_tree(argv);
150 else
151 rm_file(argv);
152 }
153
154 exit(eval);
155 /* NOTREACHED */
156 }
157
158 static void
159 rm_tree(char **argv)
160 {
161 FTS *fts;
162 FTSENT *p;
163 int flags, needstat, rval;
164
165 /*
166 * Remove a file hierarchy. If forcing removal (-f), or interactive
167 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
168 */
169 needstat = !fflag && !iflag && stdin_ok;
170
171 /*
172 * If the -i option is specified, the user can skip on the pre-order
173 * visit. The fts_number field flags skipped directories.
174 */
175 #define SKIPPED 1
176
177 flags = FTS_PHYSICAL;
178 if (!needstat)
179 flags |= FTS_NOSTAT;
180 #ifndef __minix
181 if (Wflag)
182 flags |= FTS_WHITEOUT;
183 #endif
184 if ((fts = fts_open(argv, flags, NULL)) == NULL)
185 err(1, "fts_open failed");
186 while ((p = fts_read(fts)) != NULL) {
187
188 switch (p->fts_info) {
189 case FTS_DNR:
190 if (!fflag || p->fts_errno != ENOENT) {
191 warnx("%s: %s", p->fts_path,
192 strerror(p->fts_errno));
193 eval = 1;
194 }
195 continue;
196 case FTS_ERR:
197 errx(EXIT_FAILURE, "%s: %s", p->fts_path,
198 strerror(p->fts_errno));
199 /* NOTREACHED */
200 case FTS_NS:
201 /*
202 * FTS_NS: assume that if can't stat the file, it
203 * can't be unlinked.
204 */
205 if (fflag && NONEXISTENT(p->fts_errno))
206 continue;
207 if (needstat) {
208 warnx("%s: %s", p->fts_path,
209 strerror(p->fts_errno));
210 eval = 1;
211 continue;
212 }
213 break;
214 case FTS_D:
215 /* Pre-order: give user chance to skip. */
216 if (!fflag && !check(p->fts_path, p->fts_accpath,
217 p->fts_statp)) {
218 (void)fts_set(fts, p, FTS_SKIP);
219 p->fts_number = SKIPPED;
220 }
221 continue;
222 case FTS_DP:
223 /* Post-order: see if user skipped. */
224 if (p->fts_number == SKIPPED)
225 continue;
226 break;
227 default:
228 if (!fflag &&
229 !check(p->fts_path, p->fts_accpath, p->fts_statp))
230 continue;
231 }
232
233 rval = 0;
234 /*
235 * If we can't read or search the directory, may still be
236 * able to remove it. Don't print out the un{read,search}able
237 * message unless the remove fails.
238 */
239 switch (p->fts_info) {
240 case FTS_DP:
241 case FTS_DNR:
242 rval = rmdir(p->fts_accpath);
243 if (rval != 0 && fflag && errno == ENOENT)
244 continue;
245 break;
246
247 #ifndef __minix
248 case FTS_W:
249 rval = undelete(p->fts_accpath);
250 if (rval != 0 && fflag && errno == ENOENT)
251 continue;
252 break;
253 #endif
254
255 default:
256 if (Pflag) {
257 if (rm_overwrite(p->fts_accpath, NULL))
258 continue;
259 }
260 rval = unlink(p->fts_accpath);
261 if (rval != 0 && fflag && NONEXISTENT(errno))
262 continue;
263 break;
264 }
265 if (rval != 0) {
266 warn("%s", p->fts_path);
267 eval = 1;
268 } else if (vflag)
269 (void)printf("%s\n", p->fts_path);
270 }
271 if (errno)
272 err(1, "fts_read");
273 fts_close(fts);
274 }
275
276 static void
277 rm_file(char **argv)
278 {
279 struct stat sb;
280 int rval;
281 char *f;
282
283 /*
284 * Remove a file. POSIX 1003.2 states that, by default, attempting
285 * to remove a directory is an error, so must always stat the file.
286 */
287 while ((f = *argv++) != NULL) {
288 /* Assume if can't stat the file, can't unlink it. */
289 if (lstat(f, &sb)) {
290 if (Wflag) {
291 #ifdef __minix
292 sb.st_mode = S_IWUSR|S_IRUSR;
293 #else
294 sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR;
295 #endif
296 } else {
297 if (!fflag || !NONEXISTENT(errno)) {
298 warn("%s", f);
299 eval = 1;
300 }
301 continue;
302 }
303 } else if (Wflag) {
304 warnx("%s: %s", f, strerror(EEXIST));
305 eval = 1;
306 continue;
307 }
308
309 if (S_ISDIR(sb.st_mode) && !dflag) {
310 warnx("%s: is a directory", f);
311 eval = 1;
312 continue;
313 }
314 #ifndef __minix
315 if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb))
316 #else
317 if (!fflag && !check(f, f, &sb))
318 #endif
319 continue;
320 #ifndef __minix
321 if (S_ISWHT(sb.st_mode))
322 rval = undelete(f);
323 else
324 #endif
325 if (S_ISDIR(sb.st_mode))
326 rval = rmdir(f);
327 else {
328 if (Pflag) {
329 if (rm_overwrite(f, &sb))
330 continue;
331 }
332 rval = unlink(f);
333 }
334 if (rval && (!fflag || !NONEXISTENT(errno))) {
335 warn("%s", f);
336 eval = 1;
337 }
338 if (vflag && rval == 0)
339 (void)printf("%s\n", f);
340 }
341 }
342
343 /*
344 * rm_overwrite --
345 * Overwrite the file 3 times with varying bit patterns.
346 *
347 * This is an expensive way to keep people from recovering files from your
348 * non-snapshotted FFS filesystems using fsdb(8). Really. No more. Only
349 * regular files are deleted, directories (and therefore names) will remain.
350 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
351 * System V file system). In a logging file system, you'll have to have
352 * kernel support.
353 *
354 * A note on standards: U.S. DoD 5220.22-M "National Industrial Security
355 * Program Operating Manual" ("NISPOM") is often cited as a reference
356 * for clearing and sanitizing magnetic media. In fact, a matrix of
357 * "clearing" and "sanitization" methods for various media was given in
358 * Chapter 8 of the original 1995 version of NISPOM. However, that
359 * matrix was *removed from the document* when Chapter 8 was rewritten
360 * in Change 2 to the document in 2001. Recently, the Defense Security
361 * Service has made a revised clearing and sanitization matrix available
362 * in Microsoft Word format on the DSS web site. The standardization
363 * status of this matrix is unclear. Furthermore, one must be very
364 * careful when referring to this matrix: it is intended for the "clearing"
365 * prior to reuse or "sanitization" prior to disposal of *entire media*,
366 * not individual files and the only non-physically-destructive method of
367 * "sanitization" that is permitted for magnetic disks of any kind is
368 * specifically noted to be prohibited for media that have contained
369 * Top Secret data.
370 *
371 * It is impossible to actually conform to the exact procedure given in
372 * the matrix if one is overwriting a file, not an entire disk, because
373 * the procedure requires examination and comparison of the disk's defect
374 * lists. Any program that claims to securely erase *files* while
375 * conforming to the standard, then, is not correct. We do as much of
376 * what the standard requires as can actually be done when erasing a
377 * file, rather than an entire disk; but that does not make us conformant.
378 *
379 * Furthermore, the presence of track caches, disk and controller write
380 * caches, and so forth make it extremely difficult to ensure that data
381 * have actually been written to the disk, particularly when one tries
382 * to repeatedly overwrite the same sectors in quick succession. We call
383 * fsync(), but controllers with nonvolatile cache, as well as IDE disks
384 * that just plain lie about the stable storage of data, will defeat this.
385 *
386 * Finally, widely respected research suggests that the given procedure
387 * is nowhere near sufficient to prevent the recovery of data using special
388 * forensic equipment and techniques that are well-known. This is
389 * presumably one reason that the matrix requires physical media destruction,
390 * rather than any technique of the sort attempted here, for secret data.
391 *
392 * Caveat Emptor.
393 *
394 * rm_overwrite will return 0 on success.
395 */
396
397 static int
398 rm_overwrite(char *file, struct stat *sbp)
399 {
400 struct stat sb;
401 int fd, randint;
402 char randchar;
403
404 fd = -1;
405 if (sbp == NULL) {
406 if (lstat(file, &sb))
407 goto err;
408 sbp = &sb;
409 }
410 if (!S_ISREG(sbp->st_mode))
411 return 0;
412
413 /* flags to try to defeat hidden caching by forcing seeks */
414 if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC, 0)) == -1)
415 goto err;
416
417 #define RAND_BYTES 1
418 #define THIS_BYTE 0
419
420 #define WRITE_PASS(mode, byte) do { \
421 off_t len; \
422 size_t wlen, i; \
423 char buf[8 * 1024]; \
424 \
425 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \
426 goto err; \
427 \
428 if (mode == THIS_BYTE) \
429 memset(buf, byte, sizeof(buf)); \
430 for (len = sbp->st_size; len > 0; len -= wlen) { \
431 if (mode == RAND_BYTES) { \
432 for (i = 0; i < sizeof(buf); \
433 i+= sizeof(u_int32_t)) \
434 *(int *)(buf + i) = arc4random(); \
435 } \
436 wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
437 if ((size_t)write(fd, buf, wlen) != wlen) \
438 goto err; \
439 } \
440 sync(); /* another poke at hidden caches */ \
441 } while (/* CONSTCOND */ 0)
442
443 #define READ_PASS(byte) do { \
444 off_t len; \
445 size_t rlen; \
446 char pattern[8 * 1024]; \
447 char buf[8 * 1024]; \
448 \
449 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \
450 goto err; \
451 \
452 memset(pattern, byte, sizeof(pattern)); \
453 for(len = sbp->st_size; len > 0; len -= rlen) { \
454 rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
455 if((size_t)read(fd, buf, rlen) != rlen) \
456 goto err; \
457 if(memcmp(buf, pattern, rlen)) \
458 goto err; \
459 } \
460 sync(); /* another poke at hidden caches */ \
461 } while (/* CONSTCOND */ 0)
462
463 /*
464 * DSS sanitization matrix "clear" for magnetic disks:
465 * option 'c' "Overwrite all addressable locations with a single
466 * character."
467 */
468 randint = arc4random();
469 randchar = *(char *)&randint;
470 WRITE_PASS(THIS_BYTE, randchar);
471
472 /*
473 * DSS sanitization matrix "sanitize" for magnetic disks:
474 * option 'd', sub 2 "Overwrite all addressable locations with a
475 * character, then its complement. Verify "complement" character
476 * was written successfully to all addressable locations, then
477 * overwrite all addressable locations with random characters; or
478 * verify third overwrite of random characters." The rest of the
479 * text in d-sub-2 specifies requirements for overwriting spared
480 * sectors; we cannot conform to it when erasing only a file, thus
481 * we do not conform to the standard.
482 */
483
484 /* 1. "a character" */
485 WRITE_PASS(THIS_BYTE, 0xff);
486
487 /* 2. "its complement" */
488 WRITE_PASS(THIS_BYTE, 0x00);
489
490 /* 3. "Verify 'complement' character" */
491 READ_PASS(0x00);
492
493 /* 4. "overwrite all addressable locations with random characters" */
494
495 WRITE_PASS(RAND_BYTES, 0x00);
496
497 /*
498 * As the file might be huge, and we note that this revision of
499 * the matrix says "random characters", not "a random character"
500 * as the original did, we do not verify the random-character
501 * write; the "or" in the standard allows this.
502 */
503
504 if (close(fd) == -1) {
505 fd = -1;
506 goto err;
507 }
508
509 return 0;
510
511 err: eval = 1;
512 warn("%s", file);
513 if (fd != -1)
514 close(fd);
515 return 1;
516 }
517
518 static int
519 check(char *path, char *name, struct stat *sp)
520 {
521 int ch, first;
522 char modep[15];
523
524 /* Check -i first. */
525 if (iflag)
526 (void)fprintf(stderr, "remove '%s'? ", path);
527 else {
528 /*
529 * If it's not a symbolic link and it's unwritable and we're
530 * talking to a terminal, ask. Symbolic links are excluded
531 * because their permissions are meaningless. Check stdin_ok
532 * first because we may not have stat'ed the file.
533 */
534 if (!stdin_ok || S_ISLNK(sp->st_mode) ||
535 !(access(name, W_OK) && (errno != ETXTBSY)))
536 return (1);
537 strmode(sp->st_mode, modep);
538 if (Pflag) {
539 warnx(
540 "%s: -P was specified but file could not"
541 " be overwritten", path);
542 return 0;
543 }
544 (void)fprintf(stderr, "override %s%s%s:%s for '%s'? ",
545 modep + 1, modep[9] == ' ' ? "" : " ",
546 user_from_uid(sp->st_uid, 0),
547 group_from_gid(sp->st_gid, 0), path);
548 }
549 (void)fflush(stderr);
550
551 first = ch = getchar();
552 while (ch != '\n' && ch != EOF)
553 ch = getchar();
554 return (first == 'y' || first == 'Y');
555 }
556
557 /*
558 * POSIX.2 requires that if "." or ".." are specified as the basename
559 * portion of an operand, a diagnostic message be written to standard
560 * error and nothing more be done with such operands.
561 *
562 * Since POSIX.2 defines basename as the final portion of a path after
563 * trailing slashes have been removed, we'll remove them here.
564 */
565 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
566 static void
567 checkdot(char **argv)
568 {
569 char *p, **save, **t;
570 int complained;
571
572 complained = 0;
573 for (t = argv; *t;) {
574 /* strip trailing slashes */
575 p = strrchr(*t, '\0');
576 while (--p > *t && *p == '/')
577 *p = '\0';
578
579 /* extract basename */
580 if ((p = strrchr(*t, '/')) != NULL)
581 ++p;
582 else
583 p = *t;
584
585 if (ISDOT(p)) {
586 if (!complained++)
587 warnx("\".\" and \"..\" may not be removed");
588 eval = 1;
589 for (save = t; (t[0] = t[1]) != NULL; ++t)
590 continue;
591 t = save;
592 } else
593 ++t;
594 }
595 }
596
597 static void
598 usage(void)
599 {
600
601 (void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvW] file ...\n",
602 getprogname());
603 exit(1);
604 /* NOTREACHED */
605 }
MINIX 3 (repo.or.cz mirror)