Commit Graph

126 Commits

Author SHA1 Message Date
Conrad Meyer
900c4ed3ca rm(1): Formalize non-functional status of -P flag
-P was introduced in 4.4BSD-Lite2 around 1994.  It overwrote file contents
with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really
delete" files.

It has no user-visible effect; at the end of the day, the file is unlinked via
the filesystem.  Furthermore, the utility of overwriting files with patterned
data is extremely limited due to caveats at every layer of the stack[0] and
therefore mostly futile.  At the least, three passes is likely wasteful on
modern hardware[1].  It could also be seen as a violation of the "Unix
Philosophy" to do one thing per tiny, composable program.

Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single
pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but
explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial
Security Program Operating Manual" in 2004[3].

NetBSD's enhanced comment above rm_overwrite makes a strong case for removing
the flag entirely:

> This is an expensive way to keep people from recovering files from your
> non-snapshotted FFS filesystems using fsdb(8).  Really.  No more.
>
> It is impossible to actually conform to the exact procedure given in
> [NISPOM] if one is overwriting a file, not an entire disk, because the
> procedure requires examination and comparison of the disk's defect lists.
> Any program that claims to securely erase *files* while conforming to the
> standard, then, is not correct.
>
> Furthermore, the presence of track caches, disk and controller write
> caches, and so forth make it extremely difficult to ensure that data have
> actually been written to the disk, particularly when one tries to repeatedly
> overwrite the same sectors in quick succession.  We call fsync(), but
> controllers with nonvolatile cache, as well as IDE disks that just plain lie
> about the stable storage of data, will defeat this.
>
> [NISPOM] requires physical media destruction, rather than any technique of
> the sort attempted here, for secret data.

As a first step towards evental removal, make it a placebo.  It's not like
it was serving any security function.  It is not defined in or mentioned by
POSIX.

If you are security conscious and need to erase your files, use a
woodchipper.  At a minimum, the entire disk needs to be overwritten, not
just one file.

[0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf
[1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl
[2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c
[3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd

Reviewed by:	markj, Daniel O'Connor <darius AT dons.net.au> (previous version)
Differential Revision:	https://reviews.freebsd.org/D17906
2018-11-10 20:26:55 +00:00
Ed Maste
19b4f0dca0 Fix unlink(1) for files starting with -
Restore the original behavior of unlink(1), passing the provided filename
directly to unlink(2), handling the first argument being "--" correctly.

This fixes "unlink -foo", broken in r97533.

PR:		228448
Submitted by:	Brennan Vincent <brennan@umanwizard.com> (original version)
Submitted by:	Yuri Pankov
Reported by:	Brennan Vincent <brennan@umanwizard.com>
Reviewed by:	emaste, kevans, vangyzen, 0mp
Approved by:	re (delphij)
Differential Revision: https://reviews.freebsd.org/D17132
2018-09-12 19:41:16 +00:00
Pedro F. Giffuni
8a16b7a18f General further adoption of SPDX licensing ID tags.
Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.
2017-11-20 19:49:47 +00:00
Enji Cooper
6f74a1c952 Fix cosmetic nit when printing out "override $mode" and "$owner/$group ..."
The wrong index was being checked for == ' ' in the resulting stringified
mode from strmode(3) -- it should have been the 11th value, not the 10th.

MFC after:	3 days
PR:		76711
Submitted by:	Vasil Dimov <vd@datamax.bg>
2017-11-05 21:43:26 +00:00
Bryan Drewery
ea825d0274 DIRDEPS_BUILD: Update dependencies.
Sponsored by:	Dell EMC Isilon
2017-10-31 00:07:04 +00:00
Warner Losh
fbbd9655e5 Renumber copyright clause 4
Renumber cluase 4 to 3, per what everybody else did when BSD granted
them permission to remove clause 3. My insistance on keeping the same
numbering for legal reasons is too pedantic, so give up on that point.

Submitted by:	Jan Schaumann <jschauma@stevens.edu>
Pull Request:	https://github.com/freebsd/freebsd/pull/96
2017-02-28 23:42:47 +00:00
Glen Barber
ac2875fa16 Explicitly add unmarked bin/ binaries to the runtime package.
Note: tcsh(1) has a MK_TCSH=no test, so this should be a separate
package, which requires pre-install/post-install scripts, to be
added later.

Sponsored by:	The FreeBSD Foundation
2016-02-09 16:58:50 +00:00
Baptiste Daroussin
8e5c71e2d6 Protecting against rm -rf / is now POSIXLY_CORRECT per posix 1003.1
edition 2013. No need anymore to disable the protection if one set
the POXILY_CORRECT environment variable.

Reviewed by:	imp
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D4092
2015-11-07 02:18:19 +00:00
Xin LI
b81cd10773 Respect locale settings.
MFC after:	2 weeks
2015-08-28 00:49:30 +00:00
Simon J. Gerraty
ccfb965433 Add META_MODE support.
Off by default, build behaves normally.
WITH_META_MODE we get auto objdir creation, the ability to
start build from anywhere in the tree.

Still need to add real targets under targets/ to build packages.

Differential Revision:       D2796
Reviewed by: brooks imp
2015-06-13 19:20:56 +00:00
Simon J. Gerraty
44d314f704 dirdeps.mk now sets DEP_RELDIR 2015-06-08 23:35:17 +00:00
Simon J. Gerraty
ee7b0571c2 Merge head from 7/28 2014-08-19 06:50:54 +00:00
Warner Losh
413a368c90 rm -rf can fail sometimes with an error from fts_read. Make it honor
fflag to ignore fts_read errors, but stop deleting from that directory
because no further progress can be made.

When building a kernel with a high -j value on a high core count
machine, during the cleanobj phase we can wind up doing multiple rm
-rf at the same time for modules that have subdirectories. This
exposed this race (sometimes) as fts_read can return an error if the
directory is removed by another rm -rf. Since the intent of the -f
flag was to ignore errors, even if this was a bug in fts_read, we
should ignore the error like we've been instructed to do.
2014-07-07 23:21:20 +00:00
Joel Dahl
cf20d40493 mdoc: remove superfluous paragraph macros. 2014-06-15 10:43:12 +00:00
Simon J. Gerraty
fae50821ae Updated dependencies 2014-05-16 14:09:51 +00:00
Simon J. Gerraty
76b28ad6ab Updated dependencies 2014-05-10 05:16:28 +00:00
Simon J. Gerraty
d1d0158641 Merge from head 2013-09-05 20:18:59 +00:00
Eitan Adler
4c99904b9a Add two more 'static' qualifiers 2013-04-26 17:56:35 +00:00
Eitan Adler
9d6d3f96d0 Take some improvements from DragonFlyBSD:
- add const where appropriate
	- add static where appropriate
	- fix a whitespace issues

Reviewed by:	brooks
Obtained from:	DragonFlyBSD
MFC After:	1 week
2013-04-26 17:45:40 +00:00
Eitan Adler
d4319e7433 Add -x option to avoid crossing mount points when removing a hierarchy.
Discussed on:	-hackers
Inspired by:	DragonflyBSD
MFC After:	1 week
2013-04-26 17:45:37 +00:00
Simon J. Gerraty
69e6d7b75e sync from head 2013-04-12 20:48:55 +00:00
Joel Dahl
e9e3a1ab1f Add a few examples.
Obtained from:	OpenBSD
2013-03-15 20:12:54 +00:00
Simon J. Gerraty
7cf3a1c6b2 Updated dependencies 2013-03-11 17:21:52 +00:00
Simon J. Gerraty
f5f7c05209 Updated dependencies 2013-02-16 01:23:54 +00:00
Simon J. Gerraty
23090366f7 Sync from head 2012-11-04 02:52:03 +00:00
Matthew D Fleming
6db1a7f11e Fix bin/ build with a 64-bit ino_t.
Original code by:	Gleb Kurtsou
2012-09-27 23:31:12 +00:00
Marcel Moolenaar
7750ad47a9 Sync FreeBSD's bmake branch with Juniper's internal bmake branch.
Requested by: Simon Gerraty <sjg@juniper.net>
2012-08-22 19:25:57 +00:00
Xin LI
930e323894 Polish previous revision: if the fts_* routines have lstat()'ed the
directory entry then use the struct stat from that instead of doing
it again, and skip the rm_overwrite() call if fts_read() indicated
that the entry couldn't be a regular file.

Obtained from:	OpenBSD
MFC after:	1 week
2012-06-20 21:10:38 +00:00
Kevin Lo
4ec1405b39 Fix potential symlink race condition in "rm -P" by adding a check
that the file we have opened is the one we expected.  Also open in
non-blocking mode to avoid a potential hang with FIFOs.

Obtained from:	NetBSD via OpenBSD
2012-06-20 02:21:53 +00:00
Ed Schouten
f9d4afb439 Put some static keywords in the source code.
For these simple utilities, it doesn't harm to make all global variables
static. In fact, this allows the compiler to perform better forms of
optimisation and analysis.
2011-10-31 08:59:17 +00:00
Jilles Tjoelker
0cf90cd1d3 bin: Prefer strrchr() to rindex().
This removes the last index/rindex usage from /bin.
2011-03-15 22:22:11 +00:00
Ulrich Spörlein
ec1e236534 Fix typo and grammar nit
Submitted by:	arundel
MFC after:	7 days (or when the bikeshed has abated)
2010-10-31 19:16:54 +00:00
Ulrich Spörlein
c2c9a54067 Elaborate some more on the non-security implications of using -P
Submitted by:	delphij
Discussion at:	svn-src-all
2010-10-31 09:21:27 +00:00
Dag-Erling Smørgrav
1f9d174116 Language cleanup. 2010-10-27 18:48:23 +00:00
Ulrich Spörlein
a3800f8f0e rm(1): clarify that -P works only when blocks are updated in-place
Suggested by:	pjd, ivoras, arundel
2010-10-08 15:20:20 +00:00
Xin LI
873ddec3fb Clarify the combination effect of -P and -f to make it clear.
Submitted by:	arundel
MFC after:	2 weeks
2010-10-04 06:17:45 +00:00
Jilles Tjoelker
6911f596a1 rm, find -delete: fix removing symlinks with uchg/uappnd set.
Formerly, this tried to clear the flags on the symlink's target
instead of the symlink itself.

As before, this only happens for root or for the unlink(1) variant of rm.

PR:		bin/111226 (part of)
Submitted by:	Martin Kammerhofer
Approved by:	ed (mentor)
MFC after:	3 weeks
2009-05-30 10:42:19 +00:00
Warner Losh
b5260db685 Implement ^T support for rm: now it will report the next file it
removes when you hit ^T.  This is similar to what's done for cp.  The
signal handler and type definitions for "info" were borrowed directly
from cp.
2009-04-29 18:08:18 +00:00
Ruslan Ermilov
88b0915eb1 Give a hint to the reader as to what the "whiteout" actually means. 2006-12-26 13:57:40 +00:00
Ruslan Ermilov
ca3f81d885 Fix markup, add the EXIT STATUS section. 2006-12-26 13:44:41 +00:00
Xin LI
86da4a5eea Correct a security issue introduced in previous commit:
instead of removing the file and issue a warning about
the removal, do not do any operation at all in case -P
is specified when the dinode has hard links.

With -f and -P specified together, we assume that the
user wants rm to overwrite the contents of the file
and remove it (destroy the contents of file but leave
its hard links as is).

The reason of doing it this way is that, in case where
a hard link is created by a malicious user (currently
this is permitted even if the user has no access to the
file).  Losing the link can potentially mean that the
actual owner would lose control completely to the user
who wants to obtain access in a future day.

Discussed with:	Peter Jermey
2006-10-31 02:22:36 +00:00
Xin LI
0b6f55b77c Be more reasonable when overwrite mode is specified while there
is hard links.  Overwritting when links > 1 would cause data
loss, which is usually undesired.

Inspired by:	discussion on -hackers@
Suggested by:	elessar at bsdforen de
Obtained from:	OpenBSD
2006-10-30 03:32:09 +00:00
Maxim Konovalov
da29c6560b o Backout rev. 1.55. Don't waste cpu cycles for bzero(), do not
call chflags() for whiteouted files.

Prodded by:	ru
2006-10-18 13:16:06 +00:00
Maxim Konovalov
cf1db7b34f o Zero out struct stat before usage. lstat(2) can fail and
leave garbage there which will break -W code path.

PR:		bin/84569
Submitted by:	Igor
MFC after:	2 weeks
2006-10-18 08:22:33 +00:00
Maxim Konovalov
089418247a o Be pedantic and do fts_close() when done.
PR:		bin/95292
Submitted by:	Charles Hardin
Obtained from:	NetBSD via OpenBSD, PR
2006-04-15 09:26:23 +00:00
Ruslan Ermilov
8af1113166 -mdoc sweep. 2005-11-17 12:15:23 +00:00
Doug Barton
0b5efa8ad4 Give .Dd a tummy rub, forgotten on my last commit. 2005-09-30 02:12:15 +00:00
Doug Barton
a5f6295013 Handle the case where the -P flag is specified for a read-only file
earlier, and more gracefully. Previously, this combination would be
ignored early in the code where permissions are tested and fail later
with a very unhelpful "permission denied" error.

Instead, test for this flag in the same block that generates the
"override?" messages for read-only files, but instead of trying
to guess what the user has in mind, generate an error and exit.

Update the man page to reflect this new behavior.

Not objected to by:	freebsd-hackers@
2005-09-29 20:40:29 +00:00
Ruslan Ermilov
a89237ae95 Sync program's usage() with manpage's SYNOPSIS. 2005-02-09 17:37:39 +00:00
Xin LI
c49d3c9bac Remove unnecessary SRCS= where could be guessed directly by our
bsd.*.mk infrasture.

Obtained from:	ru
2005-01-27 14:52:47 +00:00