freebsd-skq/bin/rm/rm.1

236 lines
6.0 KiB
Groff
Raw Normal View History

.\"-
1994-05-26 06:18:55 +00:00
.\" Copyright (c) 1990, 1993, 1994
.\" The Regents of the University of California. All rights reserved.
.\"
.\" This code is derived from software contributed to Berkeley by
.\" the Institute of Electrical and Electronics Engineers, Inc.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
1994-05-26 06:18:55 +00:00
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)rm.1 8.5 (Berkeley) 12/5/94
1999-08-27 23:15:48 +00:00
.\" $FreeBSD$
1994-05-26 06:18:55 +00:00
.\"
rm(1): Formalize non-functional status of -P flag -P was introduced in 4.4BSD-Lite2 around 1994. It overwrote file contents with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really delete" files. It has no user-visible effect; at the end of the day, the file is unlinked via the filesystem. Furthermore, the utility of overwriting files with patterned data is extremely limited due to caveats at every layer of the stack[0] and therefore mostly futile. At the least, three passes is likely wasteful on modern hardware[1]. It could also be seen as a violation of the "Unix Philosophy" to do one thing per tiny, composable program. Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial Security Program Operating Manual" in 2004[3]. NetBSD's enhanced comment above rm_overwrite makes a strong case for removing the flag entirely: > This is an expensive way to keep people from recovering files from your > non-snapshotted FFS filesystems using fsdb(8). Really. No more. > > It is impossible to actually conform to the exact procedure given in > [NISPOM] if one is overwriting a file, not an entire disk, because the > procedure requires examination and comparison of the disk's defect lists. > Any program that claims to securely erase *files* while conforming to the > standard, then, is not correct. > > Furthermore, the presence of track caches, disk and controller write > caches, and so forth make it extremely difficult to ensure that data have > actually been written to the disk, particularly when one tries to repeatedly > overwrite the same sectors in quick succession. We call fsync(), but > controllers with nonvolatile cache, as well as IDE disks that just plain lie > about the stable storage of data, will defeat this. > > [NISPOM] requires physical media destruction, rather than any technique of > the sort attempted here, for secret data. As a first step towards evental removal, make it a placebo. It's not like it was serving any security function. It is not defined in or mentioned by POSIX. If you are security conscious and need to erase your files, use a woodchipper. At a minimum, the entire disk needs to be overwritten, not just one file. [0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf [1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl [2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c [3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd Reviewed by: markj, Daniel O'Connor <darius AT dons.net.au> (previous version) Differential Revision: https://reviews.freebsd.org/D17906
2018-11-10 20:26:55 +00:00
.Dd November 10, 2018
1994-05-26 06:18:55 +00:00
.Dt RM 1
.Os
.Sh NAME
.Nm rm ,
.Nm unlink
1994-05-26 06:18:55 +00:00
.Nd remove directory entries
.Sh SYNOPSIS
.Nm
.Op Fl f | i
rm(1): Formalize non-functional status of -P flag -P was introduced in 4.4BSD-Lite2 around 1994. It overwrote file contents with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really delete" files. It has no user-visible effect; at the end of the day, the file is unlinked via the filesystem. Furthermore, the utility of overwriting files with patterned data is extremely limited due to caveats at every layer of the stack[0] and therefore mostly futile. At the least, three passes is likely wasteful on modern hardware[1]. It could also be seen as a violation of the "Unix Philosophy" to do one thing per tiny, composable program. Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial Security Program Operating Manual" in 2004[3]. NetBSD's enhanced comment above rm_overwrite makes a strong case for removing the flag entirely: > This is an expensive way to keep people from recovering files from your > non-snapshotted FFS filesystems using fsdb(8). Really. No more. > > It is impossible to actually conform to the exact procedure given in > [NISPOM] if one is overwriting a file, not an entire disk, because the > procedure requires examination and comparison of the disk's defect lists. > Any program that claims to securely erase *files* while conforming to the > standard, then, is not correct. > > Furthermore, the presence of track caches, disk and controller write > caches, and so forth make it extremely difficult to ensure that data have > actually been written to the disk, particularly when one tries to repeatedly > overwrite the same sectors in quick succession. We call fsync(), but > controllers with nonvolatile cache, as well as IDE disks that just plain lie > about the stable storage of data, will defeat this. > > [NISPOM] requires physical media destruction, rather than any technique of > the sort attempted here, for secret data. As a first step towards evental removal, make it a placebo. It's not like it was serving any security function. It is not defined in or mentioned by POSIX. If you are security conscious and need to erase your files, use a woodchipper. At a minimum, the entire disk needs to be overwritten, not just one file. [0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf [1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl [2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c [3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd Reviewed by: markj, Daniel O'Connor <darius AT dons.net.au> (previous version) Differential Revision: https://reviews.freebsd.org/D17906
2018-11-10 20:26:55 +00:00
.Op Fl dIRrvWx
.Ar
.Nm unlink
.Op Fl -
.Ar file
1994-05-26 06:18:55 +00:00
.Sh DESCRIPTION
The
1998-05-18 06:37:35 +00:00
.Nm
1994-05-26 06:18:55 +00:00
utility attempts to remove the non-directory type files specified on the
command line.
If the permissions of the file do not permit writing, and the standard
input device is a terminal, the user is prompted (on the standard error
output) for confirmation.
.Pp
The options are as follows:
.Bl -tag -width indent
1994-05-26 06:18:55 +00:00
.It Fl d
Attempt to remove directories as well as other types of files.
.It Fl f
Attempt to remove the files without prompting for confirmation,
regardless of the file's permissions.
If the file does not exist, do not display a diagnostic message or modify
the exit status to reflect an error.
The
.Fl f
option overrides any previous
2001-07-15 07:53:42 +00:00
.Fl i
1994-05-26 06:18:55 +00:00
options.
.It Fl i
Request confirmation before attempting to remove each file, regardless of
the file's permissions, or whether or not the standard input device is a
terminal.
The
.Fl i
option overrides any previous
2001-07-15 07:53:42 +00:00
.Fl f
1994-05-26 06:18:55 +00:00
options.
.It Fl I
Request confirmation once if more than three files are being removed or if a
directory is being recursively removed.
This is a far less intrusive option than
.Fl i
yet provides almost the same level of protection against mistakes.
1994-05-26 06:18:55 +00:00
.It Fl P
rm(1): Formalize non-functional status of -P flag -P was introduced in 4.4BSD-Lite2 around 1994. It overwrote file contents with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really delete" files. It has no user-visible effect; at the end of the day, the file is unlinked via the filesystem. Furthermore, the utility of overwriting files with patterned data is extremely limited due to caveats at every layer of the stack[0] and therefore mostly futile. At the least, three passes is likely wasteful on modern hardware[1]. It could also be seen as a violation of the "Unix Philosophy" to do one thing per tiny, composable program. Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial Security Program Operating Manual" in 2004[3]. NetBSD's enhanced comment above rm_overwrite makes a strong case for removing the flag entirely: > This is an expensive way to keep people from recovering files from your > non-snapshotted FFS filesystems using fsdb(8). Really. No more. > > It is impossible to actually conform to the exact procedure given in > [NISPOM] if one is overwriting a file, not an entire disk, because the > procedure requires examination and comparison of the disk's defect lists. > Any program that claims to securely erase *files* while conforming to the > standard, then, is not correct. > > Furthermore, the presence of track caches, disk and controller write > caches, and so forth make it extremely difficult to ensure that data have > actually been written to the disk, particularly when one tries to repeatedly > overwrite the same sectors in quick succession. We call fsync(), but > controllers with nonvolatile cache, as well as IDE disks that just plain lie > about the stable storage of data, will defeat this. > > [NISPOM] requires physical media destruction, rather than any technique of > the sort attempted here, for secret data. As a first step towards evental removal, make it a placebo. It's not like it was serving any security function. It is not defined in or mentioned by POSIX. If you are security conscious and need to erase your files, use a woodchipper. At a minimum, the entire disk needs to be overwritten, not just one file. [0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf [1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl [2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c [3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd Reviewed by: markj, Daniel O'Connor <darius AT dons.net.au> (previous version) Differential Revision: https://reviews.freebsd.org/D17906
2018-11-10 20:26:55 +00:00
This flag has no effect.
It is kept only for backwards compatibility with
.Bx 4.4 Lite2 .
1994-05-26 06:18:55 +00:00
.It Fl R
Attempt to remove the file hierarchy rooted in each
.Ar file
argument.
2001-07-15 07:53:42 +00:00
The
1994-05-26 06:18:55 +00:00
.Fl R
option implies the
.Fl d
option.
If the
.Fl i
2001-07-15 07:53:42 +00:00
option is specified, the user is prompted for confirmation before
1994-05-26 06:18:55 +00:00
each directory's contents are processed (as well as before the attempt
is made to remove the directory).
If the user does not respond affirmatively, the file hierarchy rooted in
that directory is skipped.
.It Fl r
Equivalent to
.Fl R .
.It Fl v
Be verbose when deleting files, showing them as they are removed.
.It Fl W
1998-05-18 06:37:35 +00:00
Attempt to undelete the named files.
Currently, this option can only be used to recover
files covered by whiteouts in a union file system (see
.Xr undelete 2 ) .
.It Fl x
When removing a hierarchy, do not cross mount points.
1994-05-26 06:18:55 +00:00
.El
.Pp
The
1998-05-18 06:37:35 +00:00
.Nm
1994-05-26 06:18:55 +00:00
utility removes symbolic links, not the files referenced by the links.
.Pp
It is an error to attempt to remove the files
2004-10-04 19:03:44 +00:00
.Pa / ,
.Pa .\&
or
2004-10-04 19:03:44 +00:00
.Pa .. .
1994-05-26 06:18:55 +00:00
.Pp
When the utility is called as
.Nm unlink ,
only one argument,
which must not be a directory,
may be supplied.
No options may be supplied in this simple mode of operation,
which performs an
.Xr unlink 2
operation on the passed argument.
However, the usual option-end delimiter,
.Fl - ,
may optionally precede the argument.
.Sh EXIT STATUS
1994-05-26 06:18:55 +00:00
The
1998-05-18 06:37:35 +00:00
.Nm
1994-05-26 06:18:55 +00:00
utility exits 0 if all of the named files or file hierarchies were removed,
or if the
.Fl f
option was specified and all of the existing files or file hierarchies were
removed.
If an error occurs,
1998-05-18 06:37:35 +00:00
.Nm
1994-05-26 06:18:55 +00:00
exits with a value >0.
.Sh NOTES
The
.Nm
command uses
.Xr getopt 3
to parse its arguments, which allows it to accept
the
.Sq Li --
option which will cause it to stop processing flag options at that
point.
This will allow the removal of file names that begin
with a dash
.Pq Sq - .
For example:
.Pp
.Dl "rm -- -filename"
.Pp
The same behavior can be obtained by using an absolute or relative
path reference.
For example:
.Pp
.Dl "rm /home/user/-filename"
.Dl "rm ./-filename"
.Sh EXAMPLES
Recursively remove all files contained within the
.Pa foobar
directory hierarchy:
.Pp
.Dl $ rm -rf foobar
.Pp
Any of these commands will remove the file
.Pa -f :
.Bd -literal -offset indent
$ rm -- -f
$ rm ./-f
$ unlink -f
.Ed
1994-05-26 06:18:55 +00:00
.Sh COMPATIBILITY
The
1998-05-18 06:37:35 +00:00
.Nm
1994-05-26 06:18:55 +00:00
utility differs from historical implementations in that the
.Fl f
option only masks attempts to remove non-existent files instead of
masking a large variety of errors.
2001-07-15 07:53:42 +00:00
The
.Fl v
option is non-standard and its use in scripts is not recommended.
1994-05-26 06:18:55 +00:00
.Pp
Also, historical
.Bx
implementations prompted on the standard output,
not the standard error output.
rm(1): Formalize non-functional status of -P flag -P was introduced in 4.4BSD-Lite2 around 1994. It overwrote file contents with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really delete" files. It has no user-visible effect; at the end of the day, the file is unlinked via the filesystem. Furthermore, the utility of overwriting files with patterned data is extremely limited due to caveats at every layer of the stack[0] and therefore mostly futile. At the least, three passes is likely wasteful on modern hardware[1]. It could also be seen as a violation of the "Unix Philosophy" to do one thing per tiny, composable program. Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial Security Program Operating Manual" in 2004[3]. NetBSD's enhanced comment above rm_overwrite makes a strong case for removing the flag entirely: > This is an expensive way to keep people from recovering files from your > non-snapshotted FFS filesystems using fsdb(8). Really. No more. > > It is impossible to actually conform to the exact procedure given in > [NISPOM] if one is overwriting a file, not an entire disk, because the > procedure requires examination and comparison of the disk's defect lists. > Any program that claims to securely erase *files* while conforming to the > standard, then, is not correct. > > Furthermore, the presence of track caches, disk and controller write > caches, and so forth make it extremely difficult to ensure that data have > actually been written to the disk, particularly when one tries to repeatedly > overwrite the same sectors in quick succession. We call fsync(), but > controllers with nonvolatile cache, as well as IDE disks that just plain lie > about the stable storage of data, will defeat this. > > [NISPOM] requires physical media destruction, rather than any technique of > the sort attempted here, for secret data. As a first step towards evental removal, make it a placebo. It's not like it was serving any security function. It is not defined in or mentioned by POSIX. If you are security conscious and need to erase your files, use a woodchipper. At a minimum, the entire disk needs to be overwritten, not just one file. [0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf [1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl [2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c [3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd Reviewed by: markj, Daniel O'Connor <darius AT dons.net.au> (previous version) Differential Revision: https://reviews.freebsd.org/D17906
2018-11-10 20:26:55 +00:00
.Pp
The
.Fl P
option does not have any effect as of
.Fx 13
and may be removed in the future.
.Sh SEE ALSO
.Xr chflags 1 ,
.Xr rmdir 1 ,
.Xr undelete 2 ,
.Xr unlink 2 ,
.Xr fts 3 ,
.Xr getopt 3 ,
.Xr symlink 7
1994-05-26 06:18:55 +00:00
.Sh STANDARDS
The
1998-05-18 06:37:35 +00:00
.Nm
command conforms to
.St -p1003.1-2013 .
.Pp
The simplified
.Nm unlink
command conforms to
.St -susv2 .
.Sh HISTORY
A
.Nm
command appeared in
.At v1 .