1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-04 09:09:56 +00:00
freebsd/bin/rm/rm.c
Xin LI 86da4a5eea Correct a security issue introduced in previous commit:
instead of removing the file and issue a warning about
the removal, do not do any operation at all in case -P
is specified when the dinode has hard links.

With -f and -P specified together, we assume that the
user wants rm to overwrite the contents of the file
and remove it (destroy the contents of file but leave
its hard links as is).

The reason of doing it this way is that, in case where
a hard link is created by a malicious user (currently
this is permitted even if the user has no access to the
file).  Losing the link can potentially mean that the
actual owner would lose control completely to the user
who wants to obtain access in a future day.

Discussed with:	Peter Jermey
2006-10-31 02:22:36 +00:00

595 lines
13 KiB
C

/*-
* Copyright (c) 1990, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if 0
#ifndef lint
static const char copyright[] =
"@(#) Copyright (c) 1990, 1993, 1994\n\
The Regents of the University of California. All rights reserved.\n";
#endif /* not lint */
#ifndef lint
static char sccsid[] = "@(#)rm.c 8.5 (Berkeley) 4/18/94";
#endif /* not lint */
#endif
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/mount.h>
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <fts.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>
int dflag, eval, fflag, iflag, Pflag, vflag, Wflag, stdin_ok;
int rflag, Iflag;
uid_t uid;
int check(char *, char *, struct stat *);
int check2(char **);
void checkdot(char **);
void checkslash(char **);
void rm_file(char **);
int rm_overwrite(char *, struct stat *);
void rm_tree(char **);
void usage(void);
/*
* rm --
* This rm is different from historic rm's, but is expected to match
* POSIX 1003.2 behavior. The most visible difference is that -f
* has two specific effects now, ignore non-existent files and force
* file removal.
*/
int
main(int argc, char *argv[])
{
int ch;
char *p;
/*
* Test for the special case where the utility is called as
* "unlink", for which the functionality provided is greatly
* simplified.
*/
if ((p = rindex(argv[0], '/')) == NULL)
p = argv[0];
else
++p;
if (strcmp(p, "unlink") == 0) {
while (getopt(argc, argv, "") != -1)
usage();
argc -= optind;
argv += optind;
if (argc != 1)
usage();
rm_file(&argv[0]);
exit(eval);
}
Pflag = rflag = 0;
while ((ch = getopt(argc, argv, "dfiIPRrvW")) != -1)
switch(ch) {
case 'd':
dflag = 1;
break;
case 'f':
fflag = 1;
iflag = 0;
break;
case 'i':
fflag = 0;
iflag = 1;
break;
case 'I':
Iflag = 1;
break;
case 'P':
Pflag = 1;
break;
case 'R':
case 'r': /* Compatibility. */
rflag = 1;
break;
case 'v':
vflag = 1;
break;
case 'W':
Wflag = 1;
break;
default:
usage();
}
argc -= optind;
argv += optind;
if (argc < 1) {
if (fflag)
return (0);
usage();
}
checkdot(argv);
if (getenv("POSIXLY_CORRECT") == NULL)
checkslash(argv);
uid = geteuid();
if (*argv) {
stdin_ok = isatty(STDIN_FILENO);
if (Iflag) {
if (check2(argv) == 0)
exit (1);
}
if (rflag)
rm_tree(argv);
else
rm_file(argv);
}
exit (eval);
}
void
rm_tree(char **argv)
{
FTS *fts;
FTSENT *p;
int needstat;
int flags;
int rval;
/*
* Remove a file hierarchy. If forcing removal (-f), or interactive
* (-i) or can't ask anyway (stdin_ok), don't stat the file.
*/
needstat = !uid || (!fflag && !iflag && stdin_ok);
/*
* If the -i option is specified, the user can skip on the pre-order
* visit. The fts_number field flags skipped directories.
*/
#define SKIPPED 1
flags = FTS_PHYSICAL;
if (!needstat)
flags |= FTS_NOSTAT;
if (Wflag)
flags |= FTS_WHITEOUT;
if (!(fts = fts_open(argv, flags, NULL))) {
if (fflag && errno == ENOENT)
return;
err(1, "fts_open");
}
while ((p = fts_read(fts)) != NULL) {
switch (p->fts_info) {
case FTS_DNR:
if (!fflag || p->fts_errno != ENOENT) {
warnx("%s: %s",
p->fts_path, strerror(p->fts_errno));
eval = 1;
}
continue;
case FTS_ERR:
errx(1, "%s: %s", p->fts_path, strerror(p->fts_errno));
case FTS_NS:
/*
* Assume that since fts_read() couldn't stat the
* file, it can't be unlinked.
*/
if (!needstat)
break;
if (!fflag || p->fts_errno != ENOENT) {
warnx("%s: %s",
p->fts_path, strerror(p->fts_errno));
eval = 1;
}
continue;
case FTS_D:
/* Pre-order: give user chance to skip. */
if (!fflag && !check(p->fts_path, p->fts_accpath,
p->fts_statp)) {
(void)fts_set(fts, p, FTS_SKIP);
p->fts_number = SKIPPED;
}
else if (!uid &&
(p->fts_statp->st_flags & (UF_APPEND|UF_IMMUTABLE)) &&
!(p->fts_statp->st_flags & (SF_APPEND|SF_IMMUTABLE)) &&
chflags(p->fts_accpath,
p->fts_statp->st_flags &= ~(UF_APPEND|UF_IMMUTABLE)) < 0)
goto err;
continue;
case FTS_DP:
/* Post-order: see if user skipped. */
if (p->fts_number == SKIPPED)
continue;
break;
default:
if (!fflag &&
!check(p->fts_path, p->fts_accpath, p->fts_statp))
continue;
}
rval = 0;
if (!uid &&
(p->fts_statp->st_flags & (UF_APPEND|UF_IMMUTABLE)) &&
!(p->fts_statp->st_flags & (SF_APPEND|SF_IMMUTABLE)))
rval = chflags(p->fts_accpath,
p->fts_statp->st_flags &= ~(UF_APPEND|UF_IMMUTABLE));
if (rval == 0) {
/*
* If we can't read or search the directory, may still be
* able to remove it. Don't print out the un{read,search}able
* message unless the remove fails.
*/
switch (p->fts_info) {
case FTS_DP:
case FTS_DNR:
rval = rmdir(p->fts_accpath);
if (rval == 0 || (fflag && errno == ENOENT)) {
if (rval == 0 && vflag)
(void)printf("%s\n",
p->fts_path);
continue;
}
break;
case FTS_W:
rval = undelete(p->fts_accpath);
if (rval == 0 && (fflag && errno == ENOENT)) {
if (vflag)
(void)printf("%s\n",
p->fts_path);
continue;
}
break;
case FTS_NS:
/*
* Assume that since fts_read() couldn't stat
* the file, it can't be unlinked.
*/
if (fflag)
continue;
/* FALLTHROUGH */
default:
if (Pflag)
if (!rm_overwrite(p->fts_accpath, NULL))
continue;
rval = unlink(p->fts_accpath);
if (rval == 0 || (fflag && errno == ENOENT)) {
if (rval == 0 && vflag)
(void)printf("%s\n",
p->fts_path);
continue;
}
}
}
err:
warn("%s", p->fts_path);
eval = 1;
}
if (errno)
err(1, "fts_read");
fts_close(fts);
}
void
rm_file(char **argv)
{
struct stat sb;
int rval;
char *f;
/*
* Remove a file. POSIX 1003.2 states that, by default, attempting
* to remove a directory is an error, so must always stat the file.
*/
while ((f = *argv++) != NULL) {
/* Assume if can't stat the file, can't unlink it. */
if (lstat(f, &sb)) {
if (Wflag) {
sb.st_mode = S_IFWHT|S_IWUSR|S_IRUSR;
} else {
if (!fflag || errno != ENOENT) {
warn("%s", f);
eval = 1;
}
continue;
}
} else if (Wflag) {
warnx("%s: %s", f, strerror(EEXIST));
eval = 1;
continue;
}
if (S_ISDIR(sb.st_mode) && !dflag) {
warnx("%s: is a directory", f);
eval = 1;
continue;
}
if (!fflag && !S_ISWHT(sb.st_mode) && !check(f, f, &sb))
continue;
rval = 0;
if (!uid && !S_ISWHT(sb.st_mode) &&
(sb.st_flags & (UF_APPEND|UF_IMMUTABLE)) &&
!(sb.st_flags & (SF_APPEND|SF_IMMUTABLE)))
rval = chflags(f, sb.st_flags & ~(UF_APPEND|UF_IMMUTABLE));
if (rval == 0) {
if (S_ISWHT(sb.st_mode))
rval = undelete(f);
else if (S_ISDIR(sb.st_mode))
rval = rmdir(f);
else {
if (Pflag)
if (!rm_overwrite(f, &sb))
continue;
rval = unlink(f);
}
}
if (rval && (!fflag || errno != ENOENT)) {
warn("%s", f);
eval = 1;
}
if (vflag && rval == 0)
(void)printf("%s\n", f);
}
}
/*
* rm_overwrite --
* Overwrite the file 3 times with varying bit patterns.
*
* XXX
* This is a cheap way to *really* delete files. Note that only regular
* files are deleted, directories (and therefore names) will remain.
* Also, this assumes a fixed-block file system (like FFS, or a V7 or a
* System V file system). In a logging file system, you'll have to have
* kernel support.
*/
int
rm_overwrite(char *file, struct stat *sbp)
{
struct stat sb;
struct statfs fsb;
off_t len;
int bsize, fd, wlen;
char *buf = NULL;
fd = -1;
if (sbp == NULL) {
if (lstat(file, &sb))
goto err;
sbp = &sb;
}
if (!S_ISREG(sbp->st_mode))
return (1);
if (sbp->st_nlink > 1 && !fflag) {
warnx("%s (inode %u): not overwritten due to multiple links",
file, sbp->st_ino);
return (0);
}
if ((fd = open(file, O_WRONLY, 0)) == -1)
goto err;
if (fstatfs(fd, &fsb) == -1)
goto err;
bsize = MAX(fsb.f_iosize, 1024);
if ((buf = malloc(bsize)) == NULL)
err(1, "%s: malloc", file);
#define PASS(byte) { \
memset(buf, byte, bsize); \
for (len = sbp->st_size; len > 0; len -= wlen) { \
wlen = len < bsize ? len : bsize; \
if (write(fd, buf, wlen) != wlen) \
goto err; \
} \
}
PASS(0xff);
if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET))
goto err;
PASS(0x00);
if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET))
goto err;
PASS(0xff);
if (!fsync(fd) && !close(fd)) {
free(buf);
return (1);
}
err: eval = 1;
if (buf)
free(buf);
if (fd != -1)
close(fd);
warn("%s", file);
return (0);
}
int
check(char *path, char *name, struct stat *sp)
{
int ch, first;
char modep[15], *flagsp;
/* Check -i first. */
if (iflag)
(void)fprintf(stderr, "remove %s? ", path);
else {
/*
* If it's not a symbolic link and it's unwritable and we're
* talking to a terminal, ask. Symbolic links are excluded
* because their permissions are meaningless. Check stdin_ok
* first because we may not have stat'ed the file.
*/
if (!stdin_ok || S_ISLNK(sp->st_mode) ||
(!access(name, W_OK) &&
!(sp->st_flags & (SF_APPEND|SF_IMMUTABLE)) &&
(!(sp->st_flags & (UF_APPEND|UF_IMMUTABLE)) || !uid)))
return (1);
strmode(sp->st_mode, modep);
if ((flagsp = fflagstostr(sp->st_flags)) == NULL)
err(1, "fflagstostr");
if (Pflag)
errx(1,
"%s: -P was specified, but file is not writable",
path);
(void)fprintf(stderr, "override %s%s%s/%s %s%sfor %s? ",
modep + 1, modep[9] == ' ' ? "" : " ",
user_from_uid(sp->st_uid, 0),
group_from_gid(sp->st_gid, 0),
*flagsp ? flagsp : "", *flagsp ? " " : "",
path);
free(flagsp);
}
(void)fflush(stderr);
first = ch = getchar();
while (ch != '\n' && ch != EOF)
ch = getchar();
return (first == 'y' || first == 'Y');
}
#define ISSLASH(a) ((a)[0] == '/' && (a)[1] == '\0')
void
checkslash(char **argv)
{
char **t, **u;
int complained;
complained = 0;
for (t = argv; *t;) {
if (ISSLASH(*t)) {
if (!complained++)
warnx("\"/\" may not be removed");
eval = 1;
for (u = t; u[0] != NULL; ++u)
u[0] = u[1];
} else {
++t;
}
}
}
int
check2(char **argv)
{
struct stat st;
int first;
int ch;
int fcount = 0;
int dcount = 0;
int i;
const char *dname = NULL;
for (i = 0; argv[i]; ++i) {
if (lstat(argv[i], &st) == 0) {
if (S_ISDIR(st.st_mode)) {
++dcount;
dname = argv[i]; /* only used if 1 dir */
} else {
++fcount;
}
}
}
first = 0;
while (first != 'n' && first != 'N' && first != 'y' && first != 'Y') {
if (dcount && rflag) {
fprintf(stderr, "recursively remove");
if (dcount == 1)
fprintf(stderr, " %s", dname);
else
fprintf(stderr, " %d dirs", dcount);
if (fcount == 1)
fprintf(stderr, " and 1 file");
else if (fcount > 1)
fprintf(stderr, " and %d files", fcount);
} else if (dcount + fcount > 3) {
fprintf(stderr, "remove %d files", dcount + fcount);
} else {
return(1);
}
fprintf(stderr, "? ");
fflush(stderr);
first = ch = getchar();
while (ch != '\n' && ch != EOF)
ch = getchar();
if (ch == EOF)
break;
}
return (first == 'y' || first == 'Y');
}
#define ISDOT(a) ((a)[0] == '.' && (!(a)[1] || ((a)[1] == '.' && !(a)[2])))
void
checkdot(char **argv)
{
char *p, **save, **t;
int complained;
complained = 0;
for (t = argv; *t;) {
if ((p = strrchr(*t, '/')) != NULL)
++p;
else
p = *t;
if (ISDOT(p)) {
if (!complained++)
warnx("\".\" and \"..\" may not be removed");
eval = 1;
for (save = t; (t[0] = t[1]) != NULL; ++t)
continue;
t = save;
} else
++t;
}
}
void
usage(void)
{
(void)fprintf(stderr, "%s\n%s\n",
"usage: rm [-f | -i] [-dIPRrvW] file ...",
" unlink file");
exit(EX_USAGE);
}