-v option should only act based upon syscall success. test case is
"rm -rfv nonexistent". problem spotted by Alfred Morgan
ok millert

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which mig

For open/openat, if the flags parameter does not contain O_CREAT, the
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert

show more ...

fix a few lines of unusual length

add a -v verbose flag to cp, mv, and rm. useful for monitoring progress,
and present on several other systems. some ok, some less ok.
from Job Snijders

delete useless setlocale(3);
noticed by Jan Stary <hans at stare dot cz>;
return from main while here;
feedback and OK tb@, OK martijn@

revert previous. better fix applied to fts_open.

don't report errors for 'rm -rf ""'. report by rkitover.
ok benno deraadt

don't allow removal of /. more robust approach involving stat this time.
posix uses the language "resolves to the root directory" in this case.
ok millert

style nit - do not add a space between function name and bracket
from Edgar Pettijohn <edgar at pettijohn-web.com>

fix another similar space in line 127. (pointed out by/OK jung@)

OK tb@ jung@

Missing "getpw" pledges, these were unnoticed because nobody expects
a user_from_uid(3) call...

revert previous. changes the behaviour of:
rm -f ""

Don't allow "rm -rf /"

Patch from Theo Buehler who was inspired by watching Bryan Cantrill
in BSD Now 103.

Minor tweak from me to turn the complained variables into flags instead
of counters.

"i t

Don't allow "rm -rf /"

Patch from Theo Buehler who was inspired by watching Bryan Cantrill
in BSD Now 103.

Minor tweak from me to turn the complained variables into flags instead
of counters.

"i think it's ok" tedu@
"this isn't 1980 anymore" deraadt@
ok millert@

show more ...

Change all tame callers to namechange to pledge(2).

the -P flag overwrites files, so it needs tame "stdio rpath wpath cpath".
the remaining code paths can use tame "stdio rpath cpath". One again,
the "cpath" request says a path-based system call will

the -P flag overwrites files, so it needs tame "stdio rpath wpath cpath".
the remaining code paths can use tame "stdio rpath cpath". One again,
the "cpath" request says a path-based system call will be used to
"change" filesystem pathname layout, for instance any of O_CREAT, symlink,
rename, unlink...

show more ...

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_N

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)

show more ...

Use errc/warnc to simplify code.

ok jca@ krw@

handle large ino_t

overwrite with random stream; a repeating chunk of random data isn't
random at all
ok tedu@

one random overwrite is sufficient, after some discussion on tech

Polish the rm -rP turd: if the fts_* routines have lstat()'ed the
directory entry then use the struct stat from that instead of doing
it again, and skip the rm_overwrite() call if fts_read() indicate

Polish the rm -rP turd: if the fts_* routines have lstat()'ed the
directory entry then use the struct stat from that instead of doing
it again, and skip the rm_overwrite() call if fts_read() indicated
that the entry couldn't be a regular file.

ok millert@

show more ...

Fix potential symlink race condition in "rm -P" by adding a check
that the file we have opened is the one we expected. Also open in
non-blocking mode to avoid a potential hang with FIFOs. Reported

Fix potential symlink race condition in "rm -P" by adding a check
that the file we have opened is the one we expected. Also open in
non-blocking mode to avoid a potential hang with FIFOs. Reported
by Radoslaw A. Zarzynski. Fix adapted from NetBSD. OK guenther@

show more ...

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(th

rcsid[] and sccsid[] and copyright[] are essentially unmaintained (and
unmaintainable). these days, people use source. these id's do not provide
any benefit, and do hurt the small install media
(the 33,000 line diff is essentially mechanical)
ok with the idea millert, ok dms

show more ...

do not ask the "override?" question if access fails for other resaons than
EACCES. From Tim van der Molen; ok millert@ ray@

Unlink files with multiple links when -P flag is specified instead
of just warning and skipping the file.

OK millert and jmc.

Call fts_close() when done; from NetBSD's Coverity scan; ok millert@
jaredy@