Conrad Meyer 900c4ed3ca rm(1): Formalize non-functional status of -P flag
-P was introduced in 4.4BSD-Lite2 around 1994.  It overwrote file contents
with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really
delete" files.

It has no user-visible effect; at the end of the day, the file is unlinked via
the filesystem.  Furthermore, the utility of overwriting files with patterned
data is extremely limited due to caveats at every layer of the stack[0] and
therefore mostly futile.  At the least, three passes is likely wasteful on
modern hardware[1].  It could also be seen as a violation of the "Unix
Philosophy" to do one thing per tiny, composable program.

Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single
pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but
explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial
Security Program Operating Manual" in 2004[3].

NetBSD's enhanced comment above rm_overwrite makes a strong case for removing
the flag entirely:

> This is an expensive way to keep people from recovering files from your
> non-snapshotted FFS filesystems using fsdb(8).  Really.  No more.
>
> It is impossible to actually conform to the exact procedure given in
> [NISPOM] if one is overwriting a file, not an entire disk, because the
> procedure requires examination and comparison of the disk's defect lists.
> Any program that claims to securely erase *files* while conforming to the
> standard, then, is not correct.
>
> Furthermore, the presence of track caches, disk and controller write
> caches, and so forth make it extremely difficult to ensure that data have
> actually been written to the disk, particularly when one tries to repeatedly
> overwrite the same sectors in quick succession.  We call fsync(), but
> controllers with nonvolatile cache, as well as IDE disks that just plain lie
> about the stable storage of data, will defeat this.
>
> [NISPOM] requires physical media destruction, rather than any technique of
> the sort attempted here, for secret data.

As a first step towards evental removal, make it a placebo.  It's not like
it was serving any security function.  It is not defined in or mentioned by
POSIX.

If you are security conscious and need to erase your files, use a
woodchipper.  At a minimum, the entire disk needs to be overwritten, not
just one file.

[0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf
[1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl
[2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c
[3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd

Reviewed by:	markj, Daniel O'Connor <darius AT dons.net.au> (previous version)
Differential Revision:	https://reviews.freebsd.org/D17906
2018-11-10 20:26:55 +00:00

236 lines
6.0 KiB
Groff

.\"-
.\" Copyright (c) 1990, 1993, 1994
.\" The Regents of the University of California. All rights reserved.
.\"
.\" This code is derived from software contributed to Berkeley by
.\" the Institute of Electrical and Electronics Engineers, Inc.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)rm.1 8.5 (Berkeley) 12/5/94
.\" $FreeBSD$
.\"
.Dd November 10, 2018
.Dt RM 1
.Os
.Sh NAME
.Nm rm ,
.Nm unlink
.Nd remove directory entries
.Sh SYNOPSIS
.Nm
.Op Fl f | i
.Op Fl dIRrvWx
.Ar
.Nm unlink
.Op Fl -
.Ar file
.Sh DESCRIPTION
The
.Nm
utility attempts to remove the non-directory type files specified on the
command line.
If the permissions of the file do not permit writing, and the standard
input device is a terminal, the user is prompted (on the standard error
output) for confirmation.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl d
Attempt to remove directories as well as other types of files.
.It Fl f
Attempt to remove the files without prompting for confirmation,
regardless of the file's permissions.
If the file does not exist, do not display a diagnostic message or modify
the exit status to reflect an error.
The
.Fl f
option overrides any previous
.Fl i
options.
.It Fl i
Request confirmation before attempting to remove each file, regardless of
the file's permissions, or whether or not the standard input device is a
terminal.
The
.Fl i
option overrides any previous
.Fl f
options.
.It Fl I
Request confirmation once if more than three files are being removed or if a
directory is being recursively removed.
This is a far less intrusive option than
.Fl i
yet provides almost the same level of protection against mistakes.
.It Fl P
This flag has no effect.
It is kept only for backwards compatibility with
.Bx 4.4 Lite2 .
.It Fl R
Attempt to remove the file hierarchy rooted in each
.Ar file
argument.
The
.Fl R
option implies the
.Fl d
option.
If the
.Fl i
option is specified, the user is prompted for confirmation before
each directory's contents are processed (as well as before the attempt
is made to remove the directory).
If the user does not respond affirmatively, the file hierarchy rooted in
that directory is skipped.
.It Fl r
Equivalent to
.Fl R .
.It Fl v
Be verbose when deleting files, showing them as they are removed.
.It Fl W
Attempt to undelete the named files.
Currently, this option can only be used to recover
files covered by whiteouts in a union file system (see
.Xr undelete 2 ) .
.It Fl x
When removing a hierarchy, do not cross mount points.
.El
.Pp
The
.Nm
utility removes symbolic links, not the files referenced by the links.
.Pp
It is an error to attempt to remove the files
.Pa / ,
.Pa .\&
or
.Pa .. .
.Pp
When the utility is called as
.Nm unlink ,
only one argument,
which must not be a directory,
may be supplied.
No options may be supplied in this simple mode of operation,
which performs an
.Xr unlink 2
operation on the passed argument.
However, the usual option-end delimiter,
.Fl - ,
may optionally precede the argument.
.Sh EXIT STATUS
The
.Nm
utility exits 0 if all of the named files or file hierarchies were removed,
or if the
.Fl f
option was specified and all of the existing files or file hierarchies were
removed.
If an error occurs,
.Nm
exits with a value >0.
.Sh NOTES
The
.Nm
command uses
.Xr getopt 3
to parse its arguments, which allows it to accept
the
.Sq Li --
option which will cause it to stop processing flag options at that
point.
This will allow the removal of file names that begin
with a dash
.Pq Sq - .
For example:
.Pp
.Dl "rm -- -filename"
.Pp
The same behavior can be obtained by using an absolute or relative
path reference.
For example:
.Pp
.Dl "rm /home/user/-filename"
.Dl "rm ./-filename"
.Sh EXAMPLES
Recursively remove all files contained within the
.Pa foobar
directory hierarchy:
.Pp
.Dl $ rm -rf foobar
.Pp
Any of these commands will remove the file
.Pa -f :
.Bd -literal -offset indent
$ rm -- -f
$ rm ./-f
$ unlink -f
.Ed
.Sh COMPATIBILITY
The
.Nm
utility differs from historical implementations in that the
.Fl f
option only masks attempts to remove non-existent files instead of
masking a large variety of errors.
The
.Fl v
option is non-standard and its use in scripts is not recommended.
.Pp
Also, historical
.Bx
implementations prompted on the standard output,
not the standard error output.
.Pp
The
.Fl P
option does not have any effect as of
.Fx 13
and may be removed in the future.
.Sh SEE ALSO
.Xr chflags 1 ,
.Xr rmdir 1 ,
.Xr undelete 2 ,
.Xr unlink 2 ,
.Xr fts 3 ,
.Xr getopt 3 ,
.Xr symlink 7
.Sh STANDARDS
The
.Nm
command conforms to
.St -p1003.1-2013 .
.Pp
The simplified
.Nm unlink
command conforms to
.St -susv2 .
.Sh HISTORY
A
.Nm
command appeared in
.At v1 .