mirror of https://git.FreeBSD.org/src.git synced 2024-12-15 10:17:20 +00:00
freebsd/bin
Conrad Meyer 900c4ed3ca rm(1): Formalize non-functional status of -P flag
-P was introduced in 4.4BSD-Lite2 around 1994.  It overwrote file contents
with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really
delete" files.

It has no user-visible effect; at the end of the day, the file is unlinked via
the filesystem.  Furthermore, the utility of overwriting files with patterned
data is extremely limited due to caveats at every layer of the stack[0] and
therefore mostly futile.  At the least, three passes is likely wasteful on
modern hardware[1].  It could also be seen as a violation of the "Unix
Philosophy" to do one thing per tiny, composable program.

Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single
pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but
explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial
Security Program Operating Manual" in 2004[3].

NetBSD's enhanced comment above rm_overwrite makes a strong case for removing
the flag entirely:

> This is an expensive way to keep people from recovering files from your
> non-snapshotted FFS filesystems using fsdb(8).  Really.  No more.
>
> It is impossible to actually conform to the exact procedure given in
> [NISPOM] if one is overwriting a file, not an entire disk, because the
> procedure requires examination and comparison of the disk's defect lists.
> Any program that claims to securely erase *files* while conforming to the
> standard, then, is not correct.
>
> Furthermore, the presence of track caches, disk and controller write
> caches, and so forth make it extremely difficult to ensure that data have
> actually been written to the disk, particularly when one tries to repeatedly
> overwrite the same sectors in quick succession.  We call fsync(), but
> controllers with nonvolatile cache, as well as IDE disks that just plain lie
> about the stable storage of data, will defeat this.
>
> [NISPOM] requires physical media destruction, rather than any technique of
> the sort attempted here, for secret data.

As a first step towards eventual removal, make it a placebo.  It's not like
it was serving any security function.  It is not defined in or mentioned by
POSIX.

If you are security conscious and need to erase your files, use a
woodchipper.  At a minimum, the entire disk needs to be overwritten, not
just one file.

[0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf
[1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl
[2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c
[3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd

Reviewed by:	markj, Daniel O'Connor <darius AT dons.net.au> (previous version)
Differential Revision:	https://reviews.freebsd.org/D17906
2018-11-10 20:26:55 +00:00
cat stddef.h is not used by cat.c, remove the include. 2018-01-07 07:08:59 +00:00
chflags Add an example to the chflags(1) man page. 2018-06-12 16:44:13 +00:00
chio DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
chmod General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
cp General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
csh Finish moving dot.cshrc and dot.profile to bin/csh/ and bin/sh/. 2018-08-29 16:59:19 +00:00
date date(1): Add ISO 8601 formatting option 2018-08-04 21:54:30 +00:00
dd capsicum: use a new capsicum helpers in tools 2018-11-04 19:24:49 +00:00
df Add a deprecation warning when using the feature which mounts devices 2018-02-10 00:22:25 +00:00
domainname General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
echo Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
ed Drop ed(1) "crypto" 2018-11-04 17:56:16 +00:00
expr expr(1): Fix overflow detection when operand is INTMAX_MIN 2018-04-14 04:35:10 +00:00
freebsd-version Add a -r option to print the running kernel version. 2017-11-14 10:15:17 +00:00
getfacl Avoid copying a struct stat for acl_from_stat() calls. 2018-11-01 17:45:29 +00:00
hostname General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
kenv Fix mandoc -Tlint warnings in bin/ 2017-12-07 01:57:27 +00:00
kill General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
ln General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
ls ls(1): Gate the do_color_* definitions behind COLORLS 2018-08-18 21:03:19 +00:00
mkdir General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
mv General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
pax pax(1): Honour the restrict in sigaction(). 2018-01-27 18:24:13 +00:00
pkill various: general adoption of SPDX licensing ID tags. 2017-11-27 15:37:16 +00:00
ps ps(1): Pet mandoc and igor 2018-10-31 17:47:08 +00:00
pwait DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
pwd pwd: mark usage as dead 2018-06-17 05:14:50 +00:00
realpath General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
rm rm(1): Formalize non-functional status of -P flag 2018-11-10 20:26:55 +00:00
rmail DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
rmdir General further adoption of SPDX licensing ID tags. 2017-11-20 19:49:47 +00:00
setfacl Don't set NFSv4 ACL inheritance flags on non-directories. 2018-10-26 21:17:06 +00:00
sh sh: Unify EXERROR and EXEXEC 2018-11-09 14:58:24 +00:00
sleep Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
stty stty.1: Document kern.tty_info_kstacks behavior (r339471) 2018-10-20 18:53:32 +00:00
sync DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
test DIRDEPS_BUILD: Update dependencies. 2017-10-31 00:07:04 +00:00
tests
uuidgen Convert cap_enter() < 0 && errno != ENOSYS to caph_enter() < 0. 2018-06-19 23:43:14 +00:00
Makefile Remove rcmds. 2017-10-06 08:43:14 +00:00
Makefile.inc