e9e0688cbd
-P was introduced in 4.4BSD-Lite2 around 1994. It overwrote file contents with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really delete" files. It has no user-visible effect; at the end of the day, the file is unlinked via the filesystem. Furthermore, the utility of overwriting files with patterned data is extremely limited due to caveats at every layer of the stack[0] and therefore mostly futile. At the least, three passes is likely wasteful on modern hardware[1]. It could also be seen as a violation of the "Unix Philosophy" to do one thing per tiny, composable program. Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial Security Program Operating Manual" in 2004[3]. NetBSD's enhanced comment above rm_overwrite makes a strong case for removing the flag entirely: > This is an expensive way to keep people from recovering files from your > non-snapshotted FFS filesystems using fsdb(8). Really. No more. > > It is impossible to actually conform to the exact procedure given in > [NISPOM] if one is overwriting a file, not an entire disk, because the > procedure requires examination and comparison of the disk's defect lists. > Any program that claims to securely erase *files* while conforming to the > standard, then, is not correct. > > Furthermore, the presence of track caches, disk and controller write > caches, and so forth make it extremely difficult to ensure that data have > actually been written to the disk, particularly when one tries to repeatedly > overwrite the same sectors in quick succession. We call fsync(), but > controllers with nonvolatile cache, as well as IDE disks that just plain lie > about the stable storage of data, will defeat this. > > [NISPOM] requires physical media destruction, rather than any technique of > the sort attempted here, for secret data. As a first step towards evental removal, make it a placebo. It's not like it was serving any security function. It is not defined in or mentioned by POSIX. If you are security conscious and need to erase your files, use a woodchipper. At a minimum, the entire disk needs to be overwritten, not just one file. [0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf [1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl [2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c [3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd Reviewed by: markj, Daniel O'Connor <darius AT dons.net.au> (previous version) Differential Revision: https://reviews.freebsd.org/D17906
236 lines
6.0 KiB
Groff
236 lines
6.0 KiB
Groff
.\"-
|
|
.\" Copyright (c) 1990, 1993, 1994
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to Berkeley by
|
|
.\" the Institute of Electrical and Electronics Engineers, Inc.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)rm.1 8.5 (Berkeley) 12/5/94
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd November 10, 2018
|
|
.Dt RM 1
|
|
.Os
|
|
.Sh NAME
|
|
.Nm rm ,
|
|
.Nm unlink
|
|
.Nd remove directory entries
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl f | i
|
|
.Op Fl dIRrvWx
|
|
.Ar
|
|
.Nm unlink
|
|
.Op Fl -
|
|
.Ar file
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
utility attempts to remove the non-directory type files specified on the
|
|
command line.
|
|
If the permissions of the file do not permit writing, and the standard
|
|
input device is a terminal, the user is prompted (on the standard error
|
|
output) for confirmation.
|
|
.Pp
|
|
The options are as follows:
|
|
.Bl -tag -width indent
|
|
.It Fl d
|
|
Attempt to remove directories as well as other types of files.
|
|
.It Fl f
|
|
Attempt to remove the files without prompting for confirmation,
|
|
regardless of the file's permissions.
|
|
If the file does not exist, do not display a diagnostic message or modify
|
|
the exit status to reflect an error.
|
|
The
|
|
.Fl f
|
|
option overrides any previous
|
|
.Fl i
|
|
options.
|
|
.It Fl i
|
|
Request confirmation before attempting to remove each file, regardless of
|
|
the file's permissions, or whether or not the standard input device is a
|
|
terminal.
|
|
The
|
|
.Fl i
|
|
option overrides any previous
|
|
.Fl f
|
|
options.
|
|
.It Fl I
|
|
Request confirmation once if more than three files are being removed or if a
|
|
directory is being recursively removed.
|
|
This is a far less intrusive option than
|
|
.Fl i
|
|
yet provides almost the same level of protection against mistakes.
|
|
.It Fl P
|
|
This flag has no effect.
|
|
It is kept only for backwards compatibility with
|
|
.Bx 4.4 Lite2 .
|
|
.It Fl R
|
|
Attempt to remove the file hierarchy rooted in each
|
|
.Ar file
|
|
argument.
|
|
The
|
|
.Fl R
|
|
option implies the
|
|
.Fl d
|
|
option.
|
|
If the
|
|
.Fl i
|
|
option is specified, the user is prompted for confirmation before
|
|
each directory's contents are processed (as well as before the attempt
|
|
is made to remove the directory).
|
|
If the user does not respond affirmatively, the file hierarchy rooted in
|
|
that directory is skipped.
|
|
.It Fl r
|
|
Equivalent to
|
|
.Fl R .
|
|
.It Fl v
|
|
Be verbose when deleting files, showing them as they are removed.
|
|
.It Fl W
|
|
Attempt to undelete the named files.
|
|
Currently, this option can only be used to recover
|
|
files covered by whiteouts in a union file system (see
|
|
.Xr undelete 2 ) .
|
|
.It Fl x
|
|
When removing a hierarchy, do not cross mount points.
|
|
.El
|
|
.Pp
|
|
The
|
|
.Nm
|
|
utility removes symbolic links, not the files referenced by the links.
|
|
.Pp
|
|
It is an error to attempt to remove the files
|
|
.Pa / ,
|
|
.Pa .\&
|
|
or
|
|
.Pa .. .
|
|
.Pp
|
|
When the utility is called as
|
|
.Nm unlink ,
|
|
only one argument,
|
|
which must not be a directory,
|
|
may be supplied.
|
|
No options may be supplied in this simple mode of operation,
|
|
which performs an
|
|
.Xr unlink 2
|
|
operation on the passed argument.
|
|
However, the usual option-end delimiter,
|
|
.Fl - ,
|
|
may optionally precede the argument.
|
|
.Sh EXIT STATUS
|
|
The
|
|
.Nm
|
|
utility exits 0 if all of the named files or file hierarchies were removed,
|
|
or if the
|
|
.Fl f
|
|
option was specified and all of the existing files or file hierarchies were
|
|
removed.
|
|
If an error occurs,
|
|
.Nm
|
|
exits with a value >0.
|
|
.Sh NOTES
|
|
The
|
|
.Nm
|
|
command uses
|
|
.Xr getopt 3
|
|
to parse its arguments, which allows it to accept
|
|
the
|
|
.Sq Li --
|
|
option which will cause it to stop processing flag options at that
|
|
point.
|
|
This will allow the removal of file names that begin
|
|
with a dash
|
|
.Pq Sq - .
|
|
For example:
|
|
.Pp
|
|
.Dl "rm -- -filename"
|
|
.Pp
|
|
The same behavior can be obtained by using an absolute or relative
|
|
path reference.
|
|
For example:
|
|
.Pp
|
|
.Dl "rm /home/user/-filename"
|
|
.Dl "rm ./-filename"
|
|
.Sh EXAMPLES
|
|
Recursively remove all files contained within the
|
|
.Pa foobar
|
|
directory hierarchy:
|
|
.Pp
|
|
.Dl $ rm -rf foobar
|
|
.Pp
|
|
Any of these commands will remove the file
|
|
.Pa -f :
|
|
.Bd -literal -offset indent
|
|
$ rm -- -f
|
|
$ rm ./-f
|
|
$ unlink -f
|
|
.Ed
|
|
.Sh COMPATIBILITY
|
|
The
|
|
.Nm
|
|
utility differs from historical implementations in that the
|
|
.Fl f
|
|
option only masks attempts to remove non-existent files instead of
|
|
masking a large variety of errors.
|
|
The
|
|
.Fl v
|
|
option is non-standard and its use in scripts is not recommended.
|
|
.Pp
|
|
Also, historical
|
|
.Bx
|
|
implementations prompted on the standard output,
|
|
not the standard error output.
|
|
.Pp
|
|
The
|
|
.Fl P
|
|
option does not have any effect as of
|
|
.Fx 13
|
|
and may be removed in the future.
|
|
.Sh SEE ALSO
|
|
.Xr chflags 1 ,
|
|
.Xr rmdir 1 ,
|
|
.Xr undelete 2 ,
|
|
.Xr unlink 2 ,
|
|
.Xr fts 3 ,
|
|
.Xr getopt 3 ,
|
|
.Xr symlink 7
|
|
.Sh STANDARDS
|
|
The
|
|
.Nm
|
|
command conforms to
|
|
.St -p1003.1-2013 .
|
|
.Pp
|
|
The simplified
|
|
.Nm unlink
|
|
command conforms to
|
|
.St -susv2 .
|
|
.Sh HISTORY
|
|
A
|
|
.Nm
|
|
command appeared in
|
|
.At v1 .
|