Expand PMF_FN_* macros.
[netbsd-mini2440.git] / bin / rm / rm.c
blob7eea5e7ef51c2739729c6d3316a29c7b4ea8a300
1 /* $NetBSD: rm.c,v 1.48 2008/07/20 00:52:40 lukem Exp $ */
3 /*-
4 * Copyright (c) 1990, 1993, 1994, 2003
5 * The Regents of the University of California. All rights reserved.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
32 #include <sys/cdefs.h>
33 #ifndef lint
34 __COPYRIGHT("@(#) Copyright (c) 1990, 1993, 1994\
35 The Regents of the University of California. All rights reserved.");
36 #endif /* not lint */
38 #ifndef lint
39 #if 0
40 static char sccsid[] = "@(#)rm.c 8.8 (Berkeley) 4/27/95";
41 #else
42 __RCSID("$NetBSD: rm.c,v 1.48 2008/07/20 00:52:40 lukem Exp $");
43 #endif
44 #endif /* not lint */
46 #include <sys/param.h>
47 #include <sys/stat.h>
48 #include <sys/types.h>
50 #include <err.h>
51 #include <errno.h>
52 #include <fcntl.h>
53 #include <fts.h>
54 #include <grp.h>
55 #include <locale.h>
56 #include <pwd.h>
57 #include <stdio.h>
58 #include <stdlib.h>
59 #include <string.h>
60 #include <unistd.h>
62 int dflag, eval, fflag, iflag, Pflag, stdin_ok, vflag, Wflag;
64 int check(char *, char *, struct stat *);
65 void checkdot(char **);
66 void rm_file(char **);
67 int rm_overwrite(char *, struct stat *);
68 void rm_tree(char **);
69 void usage(void);
70 int main(int, char *[]);
73 * For the sake of the `-f' flag, check whether an error number indicates the
74 * failure of an operation due to an non-existent file, either per se (ENOENT)
75 * or because its filename argument was illegal (ENAMETOOLONG, ENOTDIR).
77 #define NONEXISTENT(x) \
78 ((x) == ENOENT || (x) == ENAMETOOLONG || (x) == ENOTDIR)
81 * rm --
82 * This rm is different from historic rm's, but is expected to match
83 * POSIX 1003.2 behavior. The most visible difference is that -f
84 * has two specific effects now, ignore non-existent files and force
85 * file removal.
87 int
88 main(int argc, char *argv[])
90 int ch, rflag;
92 setprogname(argv[0]);
93 (void)setlocale(LC_ALL, "");
95 Pflag = rflag = 0;
96 while ((ch = getopt(argc, argv, "dfiPRrvW")) != -1)
97 switch (ch) {
98 case 'd':
99 dflag = 1;
100 break;
101 case 'f':
102 fflag = 1;
103 iflag = 0;
104 break;
105 case 'i':
106 fflag = 0;
107 iflag = 1;
108 break;
109 case 'P':
110 Pflag = 1;
111 break;
112 case 'R':
113 case 'r': /* Compatibility. */
114 rflag = 1;
115 break;
116 case 'v':
117 vflag = 1;
118 break;
119 case 'W':
120 Wflag = 1;
121 break;
122 case '?':
123 default:
124 usage();
126 argc -= optind;
127 argv += optind;
129 if (argc < 1) {
130 if (fflag)
131 return 0;
132 usage();
135 checkdot(argv);
137 if (*argv) {
138 stdin_ok = isatty(STDIN_FILENO);
140 if (rflag)
141 rm_tree(argv);
142 else
143 rm_file(argv);
146 exit(eval);
147 /* NOTREACHED */
150 void
151 rm_tree(char **argv)
153 FTS *fts;
154 FTSENT *p;
155 int flags, needstat, rval;
158 * Remove a file hierarchy. If forcing removal (-f), or interactive
159 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
161 needstat = !fflag && !iflag && stdin_ok;
164 * If the -i option is specified, the user can skip on the pre-order
165 * visit. The fts_number field flags skipped directories.
167 #define SKIPPED 1
169 flags = FTS_PHYSICAL;
170 if (!needstat)
171 flags |= FTS_NOSTAT;
172 if (Wflag)
173 flags |= FTS_WHITEOUT;
174 if ((fts = fts_open(argv, flags, NULL)) == NULL)
175 err(1, "fts_open failed");
176 while ((p = fts_read(fts)) != NULL) {
178 switch (p->fts_info) {
179 case FTS_DNR:
180 if (!fflag || p->fts_errno != ENOENT) {
181 warnx("%s: %s", p->fts_path,
182 strerror(p->fts_errno));
183 eval = 1;
185 continue;
186 case FTS_ERR:
187 errx(EXIT_FAILURE, "%s: %s", p->fts_path,
188 strerror(p->fts_errno));
189 /* NOTREACHED */
190 case FTS_NS:
192 * FTS_NS: assume that if can't stat the file, it
193 * can't be unlinked.
195 if (fflag && NONEXISTENT(p->fts_errno))
196 continue;
197 if (needstat) {
198 warnx("%s: %s", p->fts_path,
199 strerror(p->fts_errno));
200 eval = 1;
201 continue;
203 break;
204 case FTS_D:
205 /* Pre-order: give user chance to skip. */
206 if (!fflag && !check(p->fts_path, p->fts_accpath,
207 p->fts_statp)) {
208 (void)fts_set(fts, p, FTS_SKIP);
209 p->fts_number = SKIPPED;
211 continue;
212 case FTS_DP:
213 /* Post-order: see if user skipped. */
214 if (p->fts_number == SKIPPED)
215 continue;
216 break;
217 default:
218 if (!fflag &&
219 !check(p->fts_path, p->fts_accpath, p->fts_statp))
220 continue;
223 rval = 0;
225 * If we can't read or search the directory, may still be
226 * able to remove it. Don't print out the un{read,search}able
227 * message unless the remove fails.
229 switch (p->fts_info) {
230 case FTS_DP:
231 case FTS_DNR:
232 rval = rmdir(p->fts_accpath);
233 if (rval != 0 && fflag && errno == ENOENT)
234 continue;
235 break;
237 case FTS_W:
238 rval = undelete(p->fts_accpath);
239 if (rval != 0 && fflag && errno == ENOENT)
240 continue;
241 break;
243 default:
244 if (Pflag) {
245 if (rm_overwrite(p->fts_accpath, NULL))
246 continue;
248 rval = unlink(p->fts_accpath);
249 if (rval != 0 && fflag && NONEXISTENT(errno))
250 continue;
251 break;
253 if (rval != 0) {
254 warn("%s", p->fts_path);
255 eval = 1;
256 } else if (vflag)
257 (void)printf("%s\n", p->fts_path);
259 if (errno)
260 err(1, "fts_read");
261 fts_close(fts);
264 void
265 rm_file(char **argv)
267 struct stat sb;
268 int rval;
269 char *f;
272 * Remove a file. POSIX 1003.2 states that, by default, attempting
273 * to remove a directory is an error, so must always stat the file.
275 while ((f = *argv++) != NULL) {
276 /* Assume if can't stat the file, can't unlink it. */
277 if (lstat(f, &sb)) {
278 if (Wflag) {
279 sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR;
280 } else {
281 if (!fflag || !NONEXISTENT(errno)) {
282 warn("%s", f);
283 eval = 1;
285 continue;
287 } else if (Wflag) {
288 warnx("%s: %s", f, strerror(EEXIST));
289 eval = 1;
290 continue;
293 if (S_ISDIR(sb.st_mode) && !dflag) {
294 warnx("%s: is a directory", f);
295 eval = 1;
296 continue;
298 if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb))
299 continue;
300 if (S_ISWHT(sb.st_mode))
301 rval = undelete(f);
302 else if (S_ISDIR(sb.st_mode))
303 rval = rmdir(f);
304 else {
305 if (Pflag) {
306 if (rm_overwrite(f, &sb))
307 continue;
309 rval = unlink(f);
311 if (rval && (!fflag || !NONEXISTENT(errno))) {
312 warn("%s", f);
313 eval = 1;
315 if (vflag && rval == 0)
316 (void)printf("%s\n", f);
321 * rm_overwrite --
322 * Overwrite the file 3 times with varying bit patterns.
324 * This is an expensive way to keep people from recovering files from your
325 * non-snapshotted FFS filesystems using fsdb(8). Really. No more. Only
326 * regular files are deleted, directories (and therefore names) will remain.
327 * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
328 * System V file system). In a logging file system, you'll have to have
329 * kernel support.
331 * A note on standards: U.S. DoD 5220.22-M "National Industrial Security
332 * Program Operating Manual" ("NISPOM") is often cited as a reference
333 * for clearing and sanitizing magnetic media. In fact, a matrix of
334 * "clearing" and "sanitization" methods for various media was given in
335 * Chapter 8 of the original 1995 version of NISPOM. However, that
336 * matrix was *removed from the document* when Chapter 8 was rewritten
337 * in Change 2 to the document in 2001. Recently, the Defense Security
338 * Service has made a revised clearing and sanitization matrix available
339 * in Microsoft Word format on the DSS web site. The standardization
340 * status of this matrix is unclear. Furthermore, one must be very
341 * careful when referring to this matrix: it is intended for the "clearing"
342 * prior to reuse or "sanitization" prior to disposal of *entire media*,
343 * not individual files and the only non-physically-destructive method of
344 * "sanitization" that is permitted for magnetic disks of any kind is
345 * specifically noted to be prohibited for media that have contained
346 * Top Secret data.
348 * It is impossible to actually conform to the exact procedure given in
349 * the matrix if one is overwriting a file, not an entire disk, because
350 * the procedure requires examination and comparison of the disk's defect
351 * lists. Any program that claims to securely erase *files* while
352 * conforming to the standard, then, is not correct. We do as much of
353 * what the standard requires as can actually be done when erasing a
354 * file, rather than an entire disk; but that does not make us conformant.
356 * Furthermore, the presence of track caches, disk and controller write
357 * caches, and so forth make it extremely difficult to ensure that data
358 * have actually been written to the disk, particularly when one tries
359 * to repeatedly overwrite the same sectors in quick succession. We call
360 * fsync(), but controllers with nonvolatile cache, as well as IDE disks
361 * that just plain lie about the stable storage of data, will defeat this.
363 * Finally, widely respected research suggests that the given procedure
364 * is nowhere near sufficient to prevent the recovery of data using special
365 * forensic equipment and techniques that are well-known. This is
366 * presumably one reason that the matrix requires physical media destruction,
367 * rather than any technique of the sort attempted here, for secret data.
369 * Caveat Emptor.
371 * rm_overwrite will return 0 on success.
375 rm_overwrite(char *file, struct stat *sbp)
377 struct stat sb;
378 int fd, randint;
379 char randchar;
381 fd = -1;
382 if (sbp == NULL) {
383 if (lstat(file, &sb))
384 goto err;
385 sbp = &sb;
387 if (!S_ISREG(sbp->st_mode))
388 return 0;
390 /* flags to try to defeat hidden caching by forcing seeks */
391 if ((fd = open(file, O_RDWR|O_SYNC|O_RSYNC, 0)) == -1)
392 goto err;
394 #define RAND_BYTES 1
395 #define THIS_BYTE 0
397 #define WRITE_PASS(mode, byte) do { \
398 off_t len; \
399 size_t wlen, i; \
400 char buf[8 * 1024]; \
402 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \
403 goto err; \
405 if (mode == THIS_BYTE) \
406 memset(buf, byte, sizeof(buf)); \
407 for (len = sbp->st_size; len > 0; len -= wlen) { \
408 if (mode == RAND_BYTES) { \
409 for (i = 0; i < sizeof(buf); \
410 i+= sizeof(u_int32_t)) \
411 *(int *)(buf + i) = arc4random(); \
413 wlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
414 if ((size_t)write(fd, buf, wlen) != wlen) \
415 goto err; \
417 sync(); /* another poke at hidden caches */ \
418 } while (/* CONSTCOND */ 0)
420 #define READ_PASS(byte) do { \
421 off_t len; \
422 size_t rlen; \
423 char pattern[8 * 1024]; \
424 char buf[8 * 1024]; \
426 if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) \
427 goto err; \
429 memset(pattern, byte, sizeof(pattern)); \
430 for(len = sbp->st_size; len > 0; len -= rlen) { \
431 rlen = len < (off_t)sizeof(buf) ? (size_t)len : sizeof(buf); \
432 if((size_t)read(fd, buf, rlen) != rlen) \
433 goto err; \
434 if(memcmp(buf, pattern, rlen)) \
435 goto err; \
437 sync(); /* another poke at hidden caches */ \
438 } while (/* CONSTCOND */ 0)
441 * DSS sanitization matrix "clear" for magnetic disks:
442 * option 'c' "Overwrite all addressable locations with a single
443 * character."
445 randint = arc4random();
446 randchar = *(char *)&randint;
447 WRITE_PASS(THIS_BYTE, randchar);
450 * DSS sanitization matrix "sanitize" for magnetic disks:
451 * option 'd', sub 2 "Overwrite all addressable locations with a
452 * character, then its complement. Verify "complement" character
453 * was written successfully to all addressable locations, then
454 * overwrite all addressable locations with random characters; or
455 * verify third overwrite of random characters." The rest of the
456 * text in d-sub-2 specifies requirements for overwriting spared
457 * sectors; we cannot conform to it when erasing only a file, thus
458 * we do not conform to the standard.
461 /* 1. "a character" */
462 WRITE_PASS(THIS_BYTE, 0xff);
464 /* 2. "its complement" */
465 WRITE_PASS(THIS_BYTE, 0x00);
467 /* 3. "Verify 'complement' character" */
468 READ_PASS(0x00);
470 /* 4. "overwrite all addressable locations with random characters" */
472 WRITE_PASS(RAND_BYTES, 0x00);
475 * As the file might be huge, and we note that this revision of
476 * the matrix says "random characters", not "a random character"
477 * as the original did, we do not verify the random-character
478 * write; the "or" in the standard allows this.
481 if (close(fd) == -1) {
482 fd = -1;
483 goto err;
486 return 0;
488 err: eval = 1;
489 warn("%s", file);
490 if (fd != -1)
491 close(fd);
492 return 1;
496 check(char *path, char *name, struct stat *sp)
498 int ch, first;
499 char modep[15];
501 /* Check -i first. */
502 if (iflag)
503 (void)fprintf(stderr, "remove '%s'? ", path);
504 else {
506 * If it's not a symbolic link and it's unwritable and we're
507 * talking to a terminal, ask. Symbolic links are excluded
508 * because their permissions are meaningless. Check stdin_ok
509 * first because we may not have stat'ed the file.
511 if (!stdin_ok || S_ISLNK(sp->st_mode) ||
512 !(access(name, W_OK) && (errno != ETXTBSY)))
513 return (1);
514 strmode(sp->st_mode, modep);
515 if (Pflag) {
516 warnx(
517 "%s: -P was specified but file could not"
518 " be overwritten", path);
519 return 0;
521 (void)fprintf(stderr, "override %s%s%s:%s for '%s'? ",
522 modep + 1, modep[9] == ' ' ? "" : " ",
523 user_from_uid(sp->st_uid, 0),
524 group_from_gid(sp->st_gid, 0), path);
526 (void)fflush(stderr);
528 first = ch = getchar();
529 while (ch != '\n' && ch != EOF)
530 ch = getchar();
531 return (first == 'y' || first == 'Y');
535 * POSIX.2 requires that if "." or ".." are specified as the basename
536 * portion of an operand, a diagnostic message be written to standard
537 * error and nothing more be done with such operands.
539 * Since POSIX.2 defines basename as the final portion of a path after
540 * trailing slashes have been removed, we'll remove them here.
542 #define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
543 void
544 checkdot(char **argv)
546 char *p, **save, **t;
547 int complained;
549 complained = 0;
550 for (t = argv; *t;) {
551 /* strip trailing slashes */
552 p = strrchr(*t, '\0');
553 while (--p > *t && *p == '/')
554 *p = '\0';
556 /* extract basename */
557 if ((p = strrchr(*t, '/')) != NULL)
558 ++p;
559 else
560 p = *t;
562 if (ISDOT(p)) {
563 if (!complained++)
564 warnx("\".\" and \"..\" may not be removed");
565 eval = 1;
566 for (save = t; (t[0] = t[1]) != NULL; ++t)
567 continue;
568 t = save;
569 } else
570 ++t;
574 void
575 usage(void)
578 (void)fprintf(stderr, "usage: %s [-f|-i] [-dPRrvW] file ...\n",
579 getprogname());
580 exit(1);
581 /* NOTREACHED */