Commit Graph

55 Commits

Author SHA1 Message Date
Conrad Meyer
900c4ed3ca rm(1): Formalize non-functional status of -P flag
-P was introduced in 4.4BSD-Lite2 around 1994.  It overwrote file contents
with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really
delete" files.

It has no user-visible effect; at the end of the day, the file is unlinked via
the filesystem.  Furthermore, the utility of overwriting files with patterned
data is extremely limited due to caveats at every layer of the stack[0] and
therefore mostly futile.  At the least, three passes is likely wasteful on
modern hardware[1].  It could also be seen as a violation of the "Unix
Philosophy" to do one thing per tiny, composable program.

Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single
pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but
explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial
Security Program Operating Manual" in 2004[3].

NetBSD's enhanced comment above rm_overwrite makes a strong case for removing
the flag entirely:

> This is an expensive way to keep people from recovering files from your
> non-snapshotted FFS filesystems using fsdb(8).  Really.  No more.
>
> It is impossible to actually conform to the exact procedure given in
> [NISPOM] if one is overwriting a file, not an entire disk, because the
> procedure requires examination and comparison of the disk's defect lists.
> Any program that claims to securely erase *files* while conforming to the
> standard, then, is not correct.
>
> Furthermore, the presence of track caches, disk and controller write
> caches, and so forth make it extremely difficult to ensure that data have
> actually been written to the disk, particularly when one tries to repeatedly
> overwrite the same sectors in quick succession.  We call fsync(), but
> controllers with nonvolatile cache, as well as IDE disks that just plain lie
> about the stable storage of data, will defeat this.
>
> [NISPOM] requires physical media destruction, rather than any technique of
> the sort attempted here, for secret data.

As a first step towards eventual removal, make it a placebo.  It's not like
it was serving any security function.  It is not defined in or mentioned by
POSIX.

If you are security conscious and need to erase your files, use a
woodchipper.  At a minimum, the entire disk needs to be overwritten, not
just one file.

[0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf
[1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl
[2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c
[3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd

Reviewed by:	markj, Daniel O'Connor <darius AT dons.net.au> (previous version)
Differential Revision:	https://reviews.freebsd.org/D17906
2018-11-10 20:26:55 +00:00
Ed Maste
19b4f0dca0 Fix unlink(1) for files starting with -
Restore the original behavior of unlink(1), passing the provided filename
directly to unlink(2), handling the first argument being "--" correctly.

This fixes "unlink -foo", broken in r97533.

PR:		228448
Submitted by:	Brennan Vincent <brennan@umanwizard.com> (original version)
Submitted by:	Yuri Pankov
Reported by:	Brennan Vincent <brennan@umanwizard.com>
Reviewed by:	emaste, kevans, vangyzen, 0mp
Approved by:	re (delphij)
Differential Revision: https://reviews.freebsd.org/D17132
2018-09-12 19:41:16 +00:00
Warner Losh
fbbd9655e5 Renumber copyright clause 4
Renumber clause 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistence on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by:	Jan Schaumann <jschauma@stevens.edu>
Pull Request:	https://github.com/freebsd/freebsd/pull/96
2017-02-28 23:42:47 +00:00
Baptiste Daroussin
8e5c71e2d6 Protecting against rm -rf / is now POSIXLY_CORRECT per posix 1003.1
edition 2013. No need anymore to disable the protection if one sets
the POSIXLY_CORRECT environment variable.

Reviewed by:	imp
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D4092
2015-11-07 02:18:19 +00:00
Joel Dahl
cf20d40493 mdoc: remove superfluous paragraph macros. 2014-06-15 10:43:12 +00:00
Eitan Adler
d4319e7433 Add -x option to avoid crossing mount points when removing a hierarchy.
Discussed on:	-hackers
Inspired by:	DragonflyBSD
MFC After:	1 week
2013-04-26 17:45:37 +00:00
Joel Dahl
e9e3a1ab1f Add a few examples.
Obtained from:	OpenBSD
2013-03-15 20:12:54 +00:00
Ulrich Spörlein
ec1e236534 Fix typo and grammar nit
Submitted by:	arundel
MFC after:	7 days (or when the bikeshed has abated)
2010-10-31 19:16:54 +00:00
Ulrich Spörlein
c2c9a54067 Elaborate some more on the non-security implications of using -P
Submitted by:	delphij
Discussion at:	svn-src-all
2010-10-31 09:21:27 +00:00
Dag-Erling Smørgrav
1f9d174116 Language cleanup. 2010-10-27 18:48:23 +00:00
Ulrich Spörlein
a3800f8f0e rm(1): clarify that -P works only when blocks are updated in-place
Suggested by:	pjd, ivoras, arundel
2010-10-08 15:20:20 +00:00
Xin LI
873ddec3fb Clarify the combination effect of -P and -f to make it clear.
Submitted by:	arundel
MFC after:	2 weeks
2010-10-04 06:17:45 +00:00
Ruslan Ermilov
88b0915eb1 Give a hint to the reader as to what the "whiteout" actually means. 2006-12-26 13:57:40 +00:00
Ruslan Ermilov
ca3f81d885 Fix markup, add the EXIT STATUS section. 2006-12-26 13:44:41 +00:00
Xin LI
86da4a5eea Correct a security issue introduced in previous commit:
instead of removing the file and issuing a warning about
the removal, do not do any operation at all in case -P
is specified when the dinode has hard links.

With -f and -P specified together, we assume that the
user wants rm to overwrite the contents of the file
and remove it (destroy the contents of file but leave
its hard links as is).

The reason of doing it this way is that, in case where
a hard link is created by a malicious user (currently
this is permitted even if the user has no access to the
file).  Losing the link can potentially mean that the
actual owner would lose control completely to the user
who wants to obtain access in a future day.

Discussed with:	Peter Jermey
2006-10-31 02:22:36 +00:00
Xin LI
0b6f55b77c Be more reasonable when overwrite mode is specified while there
are hard links.  Overwriting when links > 1 would cause data
loss, which is usually undesired.

Inspired by:	discussion on -hackers@
Suggested by:	elessar at bsdforen de
Obtained from:	OpenBSD
2006-10-30 03:32:09 +00:00
Ruslan Ermilov
8af1113166 -mdoc sweep. 2005-11-17 12:15:23 +00:00
Doug Barton
0b5efa8ad4 Give .Dd a tummy rub, forgotten on my last commit. 2005-09-30 02:12:15 +00:00
Doug Barton
a5f6295013 Handle the case where the -P flag is specified for a read-only file
earlier, and more gracefully. Previously, this combination would be
ignored early in the code where permissions are tested and fail later
with a very unhelpful "permission denied" error.

Instead, test for this flag in the same block that generates the
"override?" messages for read-only files, but instead of trying
to guess what the user has in mind, generate an error and exit.

Update the man page to reflect this new behavior.

Not objected to by:	freebsd-hackers@
2005-09-29 20:40:29 +00:00
Ruslan Ermilov
a89237ae95 Sync program's usage() with manpage's SYNOPSIS. 2005-02-09 17:37:39 +00:00
Ruslan Ermilov
6fca4c7c3f Add the new standard EXIT STATUS section where appropriate.
Sort standard sections in the (documented) preferred order.
2005-01-16 16:41:59 +00:00
Warner Losh
9ddb49cbe4 /*- or .\"- or #- to begin license clauses. 2005-01-10 08:39:26 +00:00
Xin LI
164d3f0bdc Correct a typo and make the documentation more mdoc(7) compliant.
Pointed out by:	dd
Approved by:	murray (mentor)
2004-11-01 16:52:34 +00:00
Xin LI
24c0f7385b Add -I, an option that asks for confirmation once if recursively
removing directories or if more than 3 files are listed in the
command line.

This feature is intended to provide a safety net but not being too
annoying like having "rm -i" for every deleting operation, and
is generally good for both newbies and power users, preventing
them from so easily running into ``rm -rf /'', ``rm -rf *''
and so forth.

Originally implemented by Matthew Dillon for DragonFly, plus
some improvements done by various DragonFly contributors.

Approved by:	murray (mentor; the original dillon's version)
Discussed with:	des
Obtained from:	DragonFly's bin/rm/
		rm.c rev. 1.4 - 1.8
		rm.1 rev. 1.3 - 1.4
MFC After:	1 month
2004-10-28 08:25:30 +00:00
Dag-Erling Smørgrav
3a667dafcc Markup fixes.
Pointed out by:	ru
2004-10-04 19:03:44 +00:00
Dag-Erling Smørgrav
68ef5f71b0 Find out how flame-proof my underwear really is. 2004-10-04 11:26:01 +00:00
Ruslan Ermilov
eccea571a7 Mechanically kill hard sentence breaks. 2004-07-02 21:04:19 +00:00
Mark Murray
6195fb4102 Remove clause 3 from the UCB licenses.
OK'ed by:	imp, core
2004-04-06 20:06:54 +00:00
Tom Rhodes
02b911053d Cross ref chflags(1).
Suggested by:	Craig Carey <research@ijs.co.nz> on -doc.
2003-02-04 20:38:51 +00:00
Tom Rhodes
7d971bbf29 s/filesystem/file system/ as discussed on -developers 2002-08-21 17:32:44 +00:00
Tom Rhodes
ebd4324457 Consistency check s/file system/filesystem/
Reviewed by:	brian
2002-05-16 01:57:20 +00:00
Doug White
0551940858 Update STANDARDS section on rm(1) to reflect current conformance.
PR:		35471
2002-03-02 05:10:11 +00:00
Dima Dorfman
7ebcc426ef Remove whitespace at EOL. 2001-07-15 07:53:42 +00:00
Ruslan Ermilov
47dec78170 mdoc(7) police: use the default ``file ...'' feature of the .Ar macro. 2001-02-13 09:56:35 +00:00
Ruslan Ermilov
12e720d78b Prepare for mdoc(7)NG. 2000-12-15 17:37:31 +00:00
Ruslan Ermilov
be8b149795 mdoc(7) police: use the new features of the Nm macro. 2000-11-20 11:39:41 +00:00
Sheldon Hearn
9a73cc73e9 Fix cut'n'paste niggles in previous commit. 1999-12-21 08:57:58 +00:00
Sheldon Hearn
d71e172ac6 Add link(1) and unlink(1) as special cases of ln(1) and rm(1)
respectively, in accordance with SUSv2.

This differs from the approach taken in NetBSD, but provides
less obscure error messages in at least the EISDIR case and
does not take up additional disk space for new binaries.

PR:		13071
PR:		13074
Requested by:	James Howard <howardjp@wam.umd.edu>
1999-12-20 16:13:47 +00:00
Michael Haro
777d1f8281 brucify, v' before W', mention -v is non-standard in manpage and
make code slightly easier to read

Reviewed by:	obrien
1999-09-04 03:40:10 +00:00
Michael Haro
bfbdd545e1 add verbose flag
exit(1) --> exit(EX_USAGE)

Reviewed by:	obrien
1999-08-29 02:20:26 +00:00
Peter Wemm
2a4562393f $Id$ -> $FreeBSD$ 1999-08-27 23:15:48 +00:00
Kris Kennaway
f80db2b881 Use .Dq instead of ``'' in manpage
Use optimal blocksize for rm -P, instead of always using 8192-byte blocks
to overwrite the file.

Obtained from:	OpenBSD
1999-05-28 12:47:31 +00:00
Garrett Wollman
bd98a81593 Fix synopsis to match 1003.2. Add text describing the way in which
our implementation does not meet 1003.2 (rather than the now outdated
``is expected to comply'' language).
1999-01-28 17:41:02 +00:00
Philippe Charnier
f43e9d2251 .Nm rm -> .Nm. 1998-05-18 06:37:35 +00:00
Steve Price
395f4bf0be Remove remaining Lite1 stuff from the man page and uphold the
precedence in changing sccsid to rcsid as set by Philippe
Charnier in his previous 100 or so commits.

pointed out by: Bruce Evans <bde@zeta.org.au>
1997-08-07 21:37:39 +00:00
Doug Rabson
e9dff5569a Enable whiteout code since we now have the lite2 support for them. 1997-04-29 10:03:10 +00:00
Mike Pritchard
fa10160c65 Provide examples of how to remove file names that begin with
a dash in non-getopt implementations.  E.g.:
	rm /home/mpp/-filename
	rm ./-filename

Requested by: bde
1997-04-09 05:04:43 +00:00
Mike Pritchard
fe83da2eec Improve the wording in the NOTES section. Closes PR# 3223. 1997-04-08 20:27:48 +00:00
Peter Wemm
b97fa2ef50 Revert $FreeBSD$ to $Id$ 1997-02-22 14:13:04 +00:00
Jordan K. Hubbard
1130b656e5 Make the long-awaited change from $Id$ to $FreeBSD$
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore.  This update would have been
insane otherwise.
1997-01-14 07:20:47 +00:00