xref: /openbsd/bin/rm/rm.c (revision a6445c1d) 
1 /*	$OpenBSD: rm.c,v 1.29 2014/05/21 06:23:02 guenther Exp $	*/
2 /*	$NetBSD: rm.c,v 1.19 1995/09/07 06:48:50 jtc Exp $	*/
3 
4 /*-
5  * Copyright (c) 1990, 1993, 1994
6  *	The Regents of the University of California.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  * 3. Neither the name of the University nor the names of its contributors
17  *    may be used to endorse or promote products derived from this software
18  *    without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30  * SUCH DAMAGE.
31  */
32 
33 #include <sys/types.h>
34 #include <sys/stat.h>
35 #include <sys/param.h>
36 #include <sys/mount.h>
37 
38 #include <locale.h>
39 #include <err.h>
40 #include <errno.h>
41 #include <fcntl.h>
42 #include <fts.h>
43 #include <stdio.h>
44 #include <stdlib.h>
45 #include <string.h>
46 #include <unistd.h>
47 #include <pwd.h>
48 #include <grp.h>
49 
50 extern char *__progname;
51 
52 int dflag, eval, fflag, iflag, Pflag, stdin_ok;
53 
54 int	check(char *, char *, struct stat *);
55 void	checkdot(char **);
56 void	rm_file(char **);
57 int	rm_overwrite(char *, struct stat *);
58 int	pass(int, off_t, char *, size_t);
59 void	rm_tree(char **);
60 void	usage(void);
61 
62 /*
63  * rm --
64  *	This rm is different from historic rm's, but is expected to match
65  *	POSIX 1003.2 behavior.  The most visible difference is that -f
66  *	has two specific effects now, ignore non-existent files and force
67  * 	file removal.
68  */
69 int
70 main(int argc, char *argv[])
71 {
72 	int ch, rflag;
73 
74 	setlocale(LC_ALL, "");
75 
76 	Pflag = rflag = 0;
77 	while ((ch = getopt(argc, argv, "dfiPRr")) != -1)
78 		switch(ch) {
79 		case 'd':
80 			dflag = 1;
81 			break;
82 		case 'f':
83 			fflag = 1;
84 			iflag = 0;
85 			break;
86 		case 'i':
87 			fflag = 0;
88 			iflag = 1;
89 			break;
90 		case 'P':
91 			Pflag = 1;
92 			break;
93 		case 'R':
94 		case 'r':			/* Compatibility. */
95 			rflag = 1;
96 			break;
97 		default:
98 			usage();
99 		}
100 	argc -= optind;
101 	argv += optind;
102 
103 	if (argc < 1 && fflag == 0)
104 		usage();
105 
106 	checkdot(argv);
107 
108 	if (*argv) {
109 		stdin_ok = isatty(STDIN_FILENO);
110 
111 		if (rflag)
112 			rm_tree(argv);
113 		else
114 			rm_file(argv);
115 	}
116 
117 	exit (eval);
118 }
119 
120 void
121 rm_tree(char **argv)
122 {
123 	FTS *fts;
124 	FTSENT *p;
125 	int needstat;
126 	int flags;
127 
128 	/*
129 	 * Remove a file hierarchy.  If forcing removal (-f), or interactive
130 	 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
131 	 */
132 	needstat = !fflag && !iflag && stdin_ok;
133 
134 	/*
135 	 * If the -i option is specified, the user can skip on the pre-order
136 	 * visit.  The fts_number field flags skipped directories.
137 	 */
138 #define	SKIPPED	1
139 
140 	flags = FTS_PHYSICAL;
141 	if (!needstat)
142 		flags |= FTS_NOSTAT;
143 	if (!(fts = fts_open(argv, flags, NULL)))
144 		err(1, NULL);
145 	while ((p = fts_read(fts)) != NULL) {
146 		switch (p->fts_info) {
147 		case FTS_DNR:
148 			if (!fflag || p->fts_errno != ENOENT) {
149 				warnx("%s: %s",
150 				    p->fts_path, strerror(p->fts_errno));
151 				eval = 1;
152 			}
153 			continue;
154 		case FTS_ERR:
155 			errc(1, p->fts_errno, "%s", p->fts_path);
156 		case FTS_NS:
157 			/*
158 			 * FTS_NS: assume that if can't stat the file, it
159 			 * can't be unlinked.
160 			 */
161 			if (!needstat)
162 				break;
163 			if (!fflag || p->fts_errno != ENOENT) {
164 				warnx("%s: %s",
165 				    p->fts_path, strerror(p->fts_errno));
166 				eval = 1;
167 			}
168 			continue;
169 		case FTS_D:
170 			/* Pre-order: give user chance to skip. */
171 			if (!fflag && !check(p->fts_path, p->fts_accpath,
172 			    p->fts_statp)) {
173 				(void)fts_set(fts, p, FTS_SKIP);
174 				p->fts_number = SKIPPED;
175 			}
176 			continue;
177 		case FTS_DP:
178 			/* Post-order: see if user skipped. */
179 			if (p->fts_number == SKIPPED)
180 				continue;
181 			break;
182 		default:
183 			if (!fflag &&
184 			    !check(p->fts_path, p->fts_accpath, p->fts_statp))
185 				continue;
186 		}
187 
188 		/*
189 		 * If we can't read or search the directory, may still be
190 		 * able to remove it.  Don't print out the un{read,search}able
191 		 * message unless the remove fails.
192 		 */
193 		switch (p->fts_info) {
194 		case FTS_DP:
195 		case FTS_DNR:
196 			if (!rmdir(p->fts_accpath) ||
197 			    (fflag && errno == ENOENT))
198 				continue;
199 			break;
200 
201 		case FTS_F:
202 		case FTS_NSOK:
203 			if (Pflag)
204 				rm_overwrite(p->fts_accpath, p->fts_info ==
205 				    FTS_NSOK ? NULL : p->fts_statp);
206 			/* FALLTHROUGH */
207 		default:
208 			if (!unlink(p->fts_accpath) ||
209 			    (fflag && errno == ENOENT))
210 				continue;
211 		}
212 		warn("%s", p->fts_path);
213 		eval = 1;
214 	}
215 	if (errno)
216 		err(1, "fts_read");
217 	fts_close(fts);
218 }
219 
220 void
221 rm_file(char **argv)
222 {
223 	struct stat sb;
224 	int rval;
225 	char *f;
226 
227 	/*
228 	 * Remove a file.  POSIX 1003.2 states that, by default, attempting
229 	 * to remove a directory is an error, so must always stat the file.
230 	 */
231 	while ((f = *argv++) != NULL) {
232 		/* Assume if can't stat the file, can't unlink it. */
233 		if (lstat(f, &sb)) {
234 			if (!fflag || errno != ENOENT) {
235 				warn("%s", f);
236 				eval = 1;
237 			}
238 			continue;
239 		}
240 
241 		if (S_ISDIR(sb.st_mode) && !dflag) {
242 			warnx("%s: is a directory", f);
243 			eval = 1;
244 			continue;
245 		}
246 		if (!fflag && !check(f, f, &sb))
247 			continue;
248 		else if (S_ISDIR(sb.st_mode))
249 			rval = rmdir(f);
250 		else {
251 			if (Pflag)
252 				rm_overwrite(f, &sb);
253 			rval = unlink(f);
254 		}
255 		if (rval && (!fflag || errno != ENOENT)) {
256 			warn("%s", f);
257 			eval = 1;
258 		}
259 	}
260 }
261 
262 /*
263  * rm_overwrite --
264  *	Overwrite the file with varying bit patterns.
265  *
266  * XXX
267  * This is a cheap way to *really* delete files.  Note that only regular
268  * files are deleted, directories (and therefore names) will remain.
269  * Also, this assumes a fixed-block file system (like FFS, or a V7 or a
270  * System V file system).  In a logging file system, you'll have to have
271  * kernel support.
272  * Returns 1 for success.
273  */
274 int
275 rm_overwrite(char *file, struct stat *sbp)
276 {
277 	struct stat sb, sb2;
278 	struct statfs fsb;
279 	size_t bsize;
280 	int fd;
281 	char *buf = NULL;
282 
283 	fd = -1;
284 	if (sbp == NULL) {
285 		if (lstat(file, &sb))
286 			goto err;
287 		sbp = &sb;
288 	}
289 	if (!S_ISREG(sbp->st_mode))
290 		return (1);
291 	if (sbp->st_nlink > 1) {
292 		warnx("%s (inode %llu): not overwritten due to multiple links",
293 		    file, (unsigned long long)sbp->st_ino);
294 		return (0);
295 	}
296 	if ((fd = open(file, O_WRONLY|O_NONBLOCK|O_NOFOLLOW, 0)) == -1)
297 		goto err;
298 	if (fstat(fd, &sb2))
299 		goto err;
300 	if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino ||
301 	    !S_ISREG(sb2.st_mode)) {
302 		errno = EPERM;
303 		goto err;
304 	}
305 	if (fstatfs(fd, &fsb) == -1)
306 		goto err;
307 	bsize = MAX(fsb.f_iosize, 1024U);
308 	if ((buf = malloc(bsize)) == NULL)
309 		err(1, "%s: malloc", file);
310 
311 	if (!pass(fd, sbp->st_size, buf, bsize))
312 		goto err;
313 	if (fsync(fd))
314 		goto err;
315 	close(fd);
316 	free(buf);
317 	return (1);
318 
319 err:
320 	warn("%s", file);
321 	close(fd);
322 	eval = 1;
323 	free(buf);
324 	return (0);
325 }
326 
327 int
328 pass(int fd, off_t len, char *buf, size_t bsize)
329 {
330 	size_t wlen;
331 
332 	for (; len > 0; len -= wlen) {
333 		wlen = len < bsize ? len : bsize;
334 		arc4random_buf(buf, wlen);
335 		if (write(fd, buf, wlen) != wlen)
336 			return (0);
337 	}
338 	return (1);
339 }
340 
341 int
342 check(char *path, char *name, struct stat *sp)
343 {
344 	int ch, first;
345 	char modep[15];
346 
347 	/* Check -i first. */
348 	if (iflag)
349 		(void)fprintf(stderr, "remove %s? ", path);
350 	else {
351 		/*
352 		 * If it's not a symbolic link and it's unwritable and we're
353 		 * talking to a terminal, ask.  Symbolic links are excluded
354 		 * because their permissions are meaningless.  Check stdin_ok
355 		 * first because we may not have stat'ed the file.
356 		 */
357 		if (!stdin_ok || S_ISLNK(sp->st_mode) || !access(name, W_OK) ||
358 		    errno != EACCES)
359 			return (1);
360 		strmode(sp->st_mode, modep);
361 		(void)fprintf(stderr, "override %s%s%s/%s for %s? ",
362 		    modep + 1, modep[9] == ' ' ? "" : " ",
363 		    user_from_uid(sp->st_uid, 0),
364 		    group_from_gid(sp->st_gid, 0), path);
365 	}
366 	(void)fflush(stderr);
367 
368 	first = ch = getchar();
369 	while (ch != '\n' && ch != EOF)
370 		ch = getchar();
371 	return (first == 'y' || first == 'Y');
372 }
373 
374 /*
375  * POSIX.2 requires that if "." or ".." are specified as the basename
376  * portion of an operand, a diagnostic message be written to standard
377  * error and nothing more be done with such operands.
378  *
379  * Since POSIX.2 defines basename as the final portion of a path after
380  * trailing slashes have been removed, we'll remove them here.
381  */
382 #define ISDOT(a)	((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
383 void
384 checkdot(char **argv)
385 {
386 	char *p, **save, **t;
387 	int complained;
388 
389 	complained = 0;
390 	for (t = argv; *t;) {
391 		/* strip trailing slashes */
392 		p = strrchr (*t, '\0');
393 		while (--p > *t && *p == '/')
394 			*p = '\0';
395 
396 		/* extract basename */
397 		if ((p = strrchr(*t, '/')) != NULL)
398 			++p;
399 		else
400 			p = *t;
401 
402 		if (ISDOT(p)) {
403 			if (!complained++)
404 				warnx("\".\" and \"..\" may not be removed");
405 			eval = 1;
406 			for (save = t; (t[0] = t[1]) != NULL; ++t)
407 				continue;
408 			t = save;
409 		} else
410 			++t;
411 	}
412 }
413 
414 void
415 usage(void)
416 {
417 	(void)fprintf(stderr, "usage: %s [-dfiPRr] file ...\n", __progname);
418 	exit(1);
419 }
420