freebsd-skq/bin/rm/rm.1
Ulrich Spörlein c2c9a54067 Elaborate some more on the non-security implications of using -P
Submitted by:	delphij
Discussion at:	svn-src-all
2010-10-31 09:21:27 +00:00

246 lines
6.7 KiB
Groff

.\"-
.\" Copyright (c) 1990, 1993, 1994
.\" The Regents of the University of California. All rights reserved.
.\"
.\" This code is derived from software contributed to Berkeley by
.\" the Institute of Electrical and Electronics Engineers, Inc.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)rm.1 8.5 (Berkeley) 12/5/94
.\" $FreeBSD$
.\"
.Dd October 31, 2010
.Dt RM 1
.Os
.Sh NAME
.Nm rm ,
.Nm unlink
.Nd remove directory entries
.Sh SYNOPSIS
.Nm
.Op Fl f | i
.Op Fl dIPRrvW
.Ar
.Nm unlink
.Ar file
.Sh DESCRIPTION
The
.Nm
utility attempts to remove the non-directory type files specified on the
command line.
If the permissions of the file do not permit writing, and the standard
input device is a terminal, the user is prompted (on the standard error
output) for confirmation.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl d
Attempt to remove directories as well as other types of files.
.It Fl f
Attempt to remove the files without prompting for confirmation,
regardless of the file's permissions.
If the file does not exist, do not display a diagnostic message or modify
the exit status to reflect an error.
The
.Fl f
option overrides any previous
.Fl i
options.
.It Fl i
Request confirmation before attempting to remove each file, regardless of
the file's permissions, or whether or not the standard input device is a
terminal.
The
.Fl i
option overrides any previous
.Fl f
options.
.It Fl I
Request confirmation once if more than three files are being removed or if a
directory is being recursively removed.
This is a far less intrusive option than
.Fl i
yet provides almost the same level of protection against mistakes.
.It Fl P
Overwrite regular files before deleting them.
Files are overwritten three times, first with the byte pattern 0xff,
then 0x00, and then 0xff again, before they are deleted.
Files with multiple links will not be overwritten nor deleted
and a warning will be issued.
If the
.Fl f
option is specified, files with multiple links will also be overwritten
and deleted.
No warning will be issued.
.Pp
Specifying this flag for a read only file will cause
.Nm
to generate an error message and exit.
The file will not be removed or overwritten.
.Pp
N.B.: The
.Fl P
flag is not considered a security feature
.Pq see Sx BUGS .
.It Fl R
Attempt to remove the file hierarchy rooted in each
.Ar file
argument.
The
.Fl R
option implies the
.Fl d
option.
If the
.Fl i
option is specified, the user is prompted for confirmation before
each directory's contents are processed (as well as before the attempt
is made to remove the directory).
If the user does not respond affirmatively, the file hierarchy rooted in
that directory is skipped.
.Pp
.It Fl r
Equivalent to
.Fl R .
.It Fl v
Be verbose when deleting files, showing them as they are removed.
.It Fl W
Attempt to undelete the named files.
Currently, this option can only be used to recover
files covered by whiteouts in a union file system (see
.Xr undelete 2 ) .
.El
.Pp
The
.Nm
utility removes symbolic links, not the files referenced by the links.
.Pp
It is an error to attempt to remove the files
.Pa / ,
.Pa .\&
or
.Pa .. .
.Pp
When the utility is called as
.Nm unlink ,
only one argument,
which must not be a directory,
may be supplied.
No options may be supplied in this simple mode of operation,
which performs an
.Xr unlink 2
operation on the passed argument.
.Sh EXIT STATUS
The
.Nm
utility exits 0 if all of the named files or file hierarchies were removed,
or if the
.Fl f
option was specified and all of the existing files or file hierarchies were
removed.
If an error occurs,
.Nm
exits with a value >0.
.Sh NOTES
The
.Nm
command uses
.Xr getopt 3
to parse its arguments, which allows it to accept
the
.Sq Li --
option which will cause it to stop processing flag options at that
point.
This will allow the removal of file names that begin
with a dash
.Pq Sq - .
For example:
.Pp
.Dl "rm -- -filename"
.Pp
The same behavior can be obtained by using an absolute or relative
path reference.
For example:
.Pp
.Dl "rm /home/user/-filename"
.Dl "rm ./-filename"
.Pp
When
.Fl P
is specified with
.Fl f
the file will be overwritten and removed even if it has hard links.
.Sh COMPATIBILITY
The
.Nm
utility differs from historical implementations in that the
.Fl f
option only masks attempts to remove non-existent files instead of
masking a large variety of errors.
The
.Fl v
option is non-standard and its use in scripts is not recommended.
.Pp
Also, historical
.Bx
implementations prompted on the standard output,
not the standard error output.
.Sh SEE ALSO
.Xr chflags 1 ,
.Xr rmdir 1 ,
.Xr undelete 2 ,
.Xr unlink 2 ,
.Xr fts 3 ,
.Xr getopt 3 ,
.Xr symlink 7
.Sh STANDARDS
The
.Nm
command conforms to
.St -p1003.2 .
.Pp
The simplified
.Nm unlink
command conforms to
.St -susv2 .
.Sh HISTORY
A
.Nm
command appeared in
.At v1 .
.Sh BUGS
The
.Fl P
option assumes that the underlying storage overwrites file block
when data is written to an existing offset.
Several factors including the file system and its backing store could defeat
this assumption.
This includes, but is not limited to file systems that use a
Copy-On-Write strategy (e.g. ZFS or UFS when snapshots are being used), Flash
media that is using a wear leveling algorithm, or when the backing datastore
does journaling, etc.
In addition, only regular files are overwritten, other types of files are not.