freebsd-skq/bin/rm/rm.1
Xin LI 86da4a5eea Correct a security issue introduced in previous commit:
instead of removing the file and issue a warning about
the removal, do not do any operation at all in case -P
is specified when the dinode has hard links.

With -f and -P specified together, we assume that the
user wants rm to overwrite the contents of the file
and remove it (destroy the contents of file but leave
its hard links as is).

The reason of doing it this way is that, in case where
a hard link is created by a malicious user (currently
this is permitted even if the user has no access to the
file).  Losing the link can potentially mean that the
actual owner would lose control completely to the user
who wants to obtain access in a future day.

Discussed with:	Peter Jermey
2006-10-31 02:22:36 +00:00

227 lines
6.1 KiB
Groff

.\"-
.\" Copyright (c) 1990, 1993, 1994
.\" The Regents of the University of California. All rights reserved.
.\"
.\" This code is derived from software contributed to Berkeley by
.\" the Institute of Electrical and Electronics Engineers, Inc.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)rm.1 8.5 (Berkeley) 12/5/94
.\" $FreeBSD$
.\"
.Dd October 30, 2006
.Dt RM 1
.Os
.Sh NAME
.Nm rm ,
.Nm unlink
.Nd remove directory entries
.Sh SYNOPSIS
.Nm
.Op Fl f | i
.Op Fl dIPRrvW
.Ar
.Nm unlink
.Ar file
.Sh DESCRIPTION
The
.Nm
utility attempts to remove the non-directory type files specified on the
command line.
If the permissions of the file do not permit writing, and the standard
input device is a terminal, the user is prompted (on the standard error
output) for confirmation.
.Pp
The options are as follows:
.Bl -tag -width Fl
.It Fl d
Attempt to remove directories as well as other types of files.
.It Fl f
Attempt to remove the files without prompting for confirmation,
regardless of the file's permissions.
If the file does not exist, do not display a diagnostic message or modify
the exit status to reflect an error.
The
.Fl f
option overrides any previous
.Fl i
options.
.It Fl i
Request confirmation before attempting to remove each file, regardless of
the file's permissions, or whether or not the standard input device is a
terminal.
The
.Fl i
option overrides any previous
.Fl f
options.
.It Fl I
Request confirmation once if more than three files are being removed or if a
directory is being recursively removed.
This is a far less intrusive option than
.Fl i
yet provides almost the same level of protection against mistakes.
.It Fl P
Overwrite regular files before deleting them.
Files are overwritten three times, first with the byte pattern 0xff,
then 0x00, and then 0xff again, before they are deleted.
Files with multiple links will not be overwritten nor deleted unless
.Fl f
is specified, a warning is generated instead.
.Pp
Specifying this flag for a read only file will cause
.Nm
to generate an error message and exit.
The file will not be removed or overwritten.
.It Fl R
Attempt to remove the file hierarchy rooted in each file argument.
The
.Fl R
option implies the
.Fl d
option.
If the
.Fl i
option is specified, the user is prompted for confirmation before
each directory's contents are processed (as well as before the attempt
is made to remove the directory).
If the user does not respond affirmatively, the file hierarchy rooted in
that directory is skipped.
.Pp
.It Fl r
Equivalent to
.Fl R .
.It Fl v
Be verbose when deleting files, showing them as they are removed.
.It Fl W
Attempt to undelete the named files.
Currently, this option can only be used to recover
files covered by whiteouts.
.El
.Pp
The
.Nm
utility removes symbolic links, not the files referenced by the links.
.Pp
It is an error to attempt to remove the files
.Pa / ,
.Pa .\&
or
.Pa .. .
.Pp
When the utility is called as
.Nm unlink ,
only one argument,
which must not be a directory,
may be supplied.
No options may be supplied in this simple mode of operation,
which performs an
.Xr unlink 2
operation on the passed argument.
.Pp
The
.Nm
utility exits 0 if all of the named files or file hierarchies were removed,
or if the
.Fl f
option was specified and all of the existing files or file hierarchies were
removed.
If an error occurs,
.Nm
exits with a value >0.
.Sh NOTE
The
.Nm
command uses
.Xr getopt 3
to parse its arguments, which allows it to accept
the
.Sq Li --
option which will cause it to stop processing flag options at that
point.
This will allow the removal of file names that begin
with a dash
.Pq Sq - .
For example:
.Dl rm -- -filename
The same behavior can be obtained by using an absolute or relative
path reference.
For example:
.Dl rm /home/user/-filename
.Dl rm ./-filename
.Pp
When
.Fl P
is specified with
.Fl f
the file will be overwritten and removed even if it has hard links.
.Sh COMPATIBILITY
The
.Nm
utility differs from historical implementations in that the
.Fl f
option only masks attempts to remove non-existent files instead of
masking a large variety of errors.
The
.Fl v
option is non-standard and its use in scripts is not recommended.
.Pp
Also, historical
.Bx
implementations prompted on the standard output,
not the standard error output.
.Sh SEE ALSO
.Xr chflags 1 ,
.Xr rmdir 1 ,
.Xr undelete 2 ,
.Xr unlink 2 ,
.Xr fts 3 ,
.Xr getopt 3 ,
.Xr symlink 7
.Sh STANDARDS
The
.Nm
command conforms to
.St -p1003.2 .
.Pp
The simplified
.Nm unlink
command conforms to
.St -susv2 .
.Sh HISTORY
A
.Nm
command appeared in
.At v1 .
.Sh BUGS
The
.Fl P
option assumes that the underlying file system is a fixed-block file
system.
UFS is a fixed-block file system, LFS is not.
In addition, only regular files are overwritten, other types of files
are not.