Correct a security issue introduced in previous commit:

instead of removing the file and issue a warning about
the removal, do not do any operation at all in case -P
is specified when the dinode has hard links.

With -f and -P specified together, we assume that the
user wants rm to overwrite the contents of the file
and remove it (destroy the contents of file but leave
its hard links as is).

The reason of doing it this way is that, in case where
a hard link is created by a malicious user (currently
this is permitted even if the user has no access to the
file).  Losing the link can potentially mean that the
actual owner would lose control completely to the user
who wants to obtain access in a future day.

Discussed with:	Peter Jermey

bin/rm/rm.1

@@ -88,7 +88,9 @@ yet provides almost the same level of protection against mistakes.
 Overwrite regular files before deleting them.
 Files are overwritten three times, first with the byte pattern 0xff,
 then 0x00, and then 0xff again, before they are deleted.
-Files with multiple links will not be overwritten.
+Files with multiple links will not be overwritten nor deleted unless
+.Fl f
+is specified, a warning is generated instead.
 .Pp
 Specifying this flag for a read only file will cause
 .Nm
@@ -170,6 +172,12 @@ path reference.
 For example:
 .Dl rm /home/user/-filename
 .Dl rm ./-filename
+.Pp
+When
+.Fl P
+is specified with
+.Fl f
+the file will be overwritten and removed even if it has hard links.
 .Sh COMPATIBILITY
 The
 .Nm

bin/rm/rm.c

@@ -400,10 +400,10 @@ rm_overwrite(char *file, struct stat *sbp)
 	}
 	if (!S_ISREG(sbp->st_mode))
 		return (1);
-	if (sbp->st_nlink > 1) {
+	if (sbp->st_nlink > 1 && !fflag) {
 		warnx("%s (inode %u): not overwritten due to multiple links",
 		    file, sbp->st_ino);
-		return (1);
+		return (0);
 	}
 	if ((fd = open(file, O_WRONLY, 0)) == -1)
 		goto err;