From owner-svn-src-all@freebsd.org Sat Nov 10 20:26:57 2018
Message-Id: <201811102026.wAAKQts3053795@repo.freebsd.org>
From: Conrad Meyer
Date: Sat, 10 Nov 2018 20:26:55 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r340330 - head/bin/rm
X-SVN-Group: head
X-SVN-Commit-Author: cem
X-SVN-Commit-Paths: head/bin/rm
X-SVN-Commit-Revision: 340330
X-SVN-Commit-Repository: base

Author: cem
Date: Sat Nov 10 20:26:55 2018
New Revision: 340330

URL: https://svnweb.freebsd.org/changeset/base/340330

Log:
  rm(1): Formalize non-functional status of -P flag

  -P was introduced in 4.4BSD-Lite2 around 1994. It overwrote file contents
  with a pass of 0xff, 0x00, then 0xff, in a low-effort attempt to "really
  delete" files. It has no user-visible effect; at the end of the day, the
  file is unlinked via the filesystem.
  Furthermore, the utility of overwriting files with patterned data is
  extremely limited due to caveats at every layer of the stack[0] and
  therefore mostly futile. At the least, three passes is likely wasteful on
  modern hardware[1]. It could also be seen as a violation of the "Unix
  Philosophy" to do one thing per tiny, composable program.

  Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single
  pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial,
  but explicitly incomplete support for U.S. DoD 5220.22-M, "National
  Industrial Security Program Operating Manual" in 2004[3].

  NetBSD's enhanced comment above rm_overwrite makes a strong case for
  removing the flag entirely:

  > This is an expensive way to keep people from recovering files from your
  > non-snapshotted FFS filesystems using fsdb(8). Really. No more.
  >
  > It is impossible to actually conform to the exact procedure given in
  > [NISPOM] if one is overwriting a file, not an entire disk, because the
  > procedure requires examination and comparison of the disk's defect lists.
  > Any program that claims to securely erase *files* while conforming to the
  > standard, then, is not correct.
  >
  > Furthermore, the presence of track caches, disk and controller write
  > caches, and so forth make it extremely difficult to ensure that data have
  > actually been written to the disk, particularly when one tries to repeatedly
  > overwrite the same sectors in quick succession. We call fsync(), but
  > controllers with nonvolatile cache, as well as IDE disks that just plain lie
  > about the stable storage of data, will defeat this.
  >
  > [NISPOM] requires physical media destruction, rather than any technique of
  > the sort attempted here, for secret data.

  As a first step towards eventual removal, make it a placebo. It's not like
  it was serving any security function. It is not defined in or mentioned by
  POSIX. If you are security-conscious and need to erase your files, use a
  woodchipper.
At a minimum, the entire disk needs to be overwritten, not just one file. [0]: https://www.ru.nl/publish/pages/909282/draft-paper.pdf [1]: https://commons.erau.edu/cgi/viewcontent.cgi?article=1131&context=jdfsl [2]: https://github.com/openbsd/src/commit/7c5c57ba81b5fe8ff2d4899ff643af18c [3]: https://github.com/NetBSD/src/commit/fdf0a7a25e59af958fca1e2159921562cd Reviewed by: markj, Daniel O'Connor (previous version) Differential Revision: https://reviews.freebsd.org/D17906 Modified: head/bin/rm/rm.1 head/bin/rm/rm.c Modified: head/bin/rm/rm.1 ============================================================================== --- head/bin/rm/rm.1 Sat Nov 10 20:26:19 2018 (r340329) +++ head/bin/rm/rm.1 Sat Nov 10 20:26:55 2018 (r340330) @@ -32,7 +32,7 @@ .\" @(#)rm.1 8.5 (Berkeley) 12/5/94 .\" $FreeBSD$ .\" -.Dd September 12, 2018 +.Dd November 10, 2018 .Dt RM 1 .Os .Sh NAME @@ -42,7 +42,7 @@ .Sh SYNOPSIS .Nm .Op Fl f | i -.Op Fl dIPRrvWx +.Op Fl dIRrvWx .Ar .Nm unlink .Op Fl - @@ -86,26 +86,9 @@ This is a far less intrusive option than .Fl i yet provides almost the same level of protection against mistakes. .It Fl P -Overwrite regular files before deleting them. -Files are overwritten three times, first with the byte pattern 0xff, -then 0x00, and then 0xff again, before they are deleted. -Files with multiple links will not be overwritten nor deleted -and a warning will be issued. -If the -.Fl f -option is specified, files with multiple links will also be overwritten -and deleted. -No warning will be issued. -.Pp -Specifying this flag for a read only file will cause -.Nm -to generate an error message and exit. -The file will not be removed or overwritten. -.Pp -N.B.: The -.Fl P -flag is not considered a security feature -.Pq see Sx BUGS . +This flag has no effect. +It is kept only for backwards compatibility with +.Bx 4.4 Lite2 . .It Fl R Attempt to remove the file hierarchy rooted in each .Ar file 
@@ -192,12 +175,6 @@ For example: .Pp .Dl "rm /home/user/-filename" .Dl "rm ./-filename" -.Pp -When -.Fl P -is specified with -.Fl f -the file will be overwritten and removed even if it has hard links. .Sh EXAMPLES Recursively remove all files contained within the .Pa foobar @@ -227,6 +204,12 @@ Also, historical .Bx implementations prompted on the standard output, not the standard error output. +.Pp +The +.Fl P +option does not have any effect as of +.Fx 13 +and may be removed in the future. .Sh SEE ALSO .Xr chflags 1 , .Xr rmdir 1 , @@ -250,15 +233,3 @@ A .Nm command appeared in .At v1 . -.Sh BUGS -The -.Fl P -option assumes that the underlying storage overwrites file blocks -when data is written to an existing offset. -Several factors including the file system and its backing store could defeat -this assumption. -This includes, but is not limited to file systems that use a -Copy-On-Write strategy (e.g. ZFS or UFS when snapshots are being used), Flash -media that are using a wear leveling algorithm, or when the backing datastore -does journaling, etc. -In addition, only regular files are overwritten, other types of files are not. Modified: head/bin/rm/rm.c ============================================================================== --- head/bin/rm/rm.c Sat Nov 10 20:26:19 2018 (r340329) +++ head/bin/rm/rm.c Sat Nov 10 20:26:55 2018 (r340330) @@ -61,7 +61,7 @@ __FBSDID("$FreeBSD$"); #include #include -static int dflag, eval, fflag, iflag, Pflag, vflag, Wflag, stdin_ok; +static int dflag, eval, fflag, iflag, vflag, Wflag, stdin_ok; static int rflag, Iflag, xflag; static uid_t uid; static volatile sig_atomic_t info; @@ -71,7 +71,6 @@ static int check2(char **); static void checkdot(char **); static void checkslash(char **); static void rm_file(char **); -static int rm_overwrite(const char *, struct stat *); static void rm_tree(char **); static void siginfo(int __unused); static void usage(void); 
@@ -110,7 +109,7 @@ main(int argc, char *argv[]) exit(eval); } - Pflag = rflag = xflag = 0; + rflag = xflag = 0; while ((ch = getopt(argc, argv, "dfiIPRrvWx")) != -1) switch(ch) { case 'd': @@ -128,7 +127,7 @@ main(int argc, char *argv[]) Iflag = 1; break; case 'P': - Pflag = 1; + /* Compatibility no-op. */ break; case 'R': case 'r': /* Compatibility. */ @@ -313,12 +312,6 @@ rm_tree(char **argv) case FTS_F: case FTS_NSOK: - if (Pflag) - if (!rm_overwrite(p->fts_accpath, p->fts_info == - FTS_NSOK ? NULL : p->fts_statp)) - continue; - /* FALLTHROUGH */ - default: rval = unlink(p->fts_accpath); if (rval == 0 || (fflag && errno == ENOENT)) { @@ -389,12 +382,8 @@ rm_file(char **argv) rval = undelete(f); else if (S_ISDIR(sb.st_mode)) rval = rmdir(f); - else { - if (Pflag) - if (!rm_overwrite(f, &sb)) - continue; + else rval = unlink(f); - } } if (rval && (!fflag || errno != ENOENT)) { warn("%s", f); 
@@ -409,85 +398,7 @@ rm_file(char **argv) } } -/* - * rm_overwrite -- - * Overwrite the file 3 times with varying bit patterns. - * - * XXX - * This is a cheap way to *really* delete files. Note that only regular - * files are deleted, directories (and therefore names) will remain. - * Also, this assumes a fixed-block file system (like FFS, or a V7 or a - * System V file system). In a logging or COW file system, you'll have to - * have kernel support. - */ static int -rm_overwrite(const char *file, struct stat *sbp) -{ - struct stat sb, sb2; - struct statfs fsb; - off_t len; - int bsize, fd, wlen; - char *buf = NULL; - - fd = -1; - if (sbp == NULL) { - if (lstat(file, &sb)) - goto err; - sbp = &sb; - } - if (!S_ISREG(sbp->st_mode)) - return (1); - if (sbp->st_nlink > 1 && !fflag) { - warnx("%s (inode %ju): not overwritten due to multiple links", - file, (uintmax_t)sbp->st_ino); - return (0); - } - if ((fd = open(file, O_WRONLY|O_NONBLOCK|O_NOFOLLOW, 0)) == -1) - goto err; - if (fstat(fd, &sb2)) - goto err; - if (sb2.st_dev != sbp->st_dev || sb2.st_ino != sbp->st_ino || - !S_ISREG(sb2.st_mode)) { - errno = EPERM; - goto err; - } - if (fstatfs(fd, &fsb) == -1) - goto err; - bsize = MAX(fsb.f_iosize, 1024); - if ((buf = malloc(bsize)) == NULL) - err(1, "%s: malloc", file); - -#define PASS(byte) { \ - memset(buf, byte, bsize); \ - for (len = sbp->st_size; len > 0; len -= wlen) { \ - wlen = len < bsize ? len : bsize; \ - if (write(fd, buf, wlen) != wlen) \ - goto err; \ - } \ -} - PASS(0xff); - if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) - goto err; - PASS(0x00); - if (fsync(fd) || lseek(fd, (off_t)0, SEEK_SET)) - goto err; - PASS(0xff); - if (!fsync(fd) && !close(fd)) { - free(buf); - return (1); - } - -err: eval = 1; - if (buf) - free(buf); - if (fd != -1) - close(fd); - warn("%s", file); - return (0); -} - - -static int check(const char *path, const char *name, struct stat *sp) { int ch, first; 
@@ -511,10 +422,6 @@ check(const char *path, const char *name, struct stat strmode(sp->st_mode, modep); if ((flagsp = fflagstostr(sp->st_flags)) == NULL) err(1, "fflagstostr"); - if (Pflag) - errx(1, - "%s: -P was specified, but file is not writable", - path); (void)fprintf(stderr, "override %s%s%s/%s %s%sfor %s? ", modep + 1, modep[10] == ' ' ? "" : " ", user_from_uid(sp->st_uid, 0),
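Review bot: in the rm.1 hunk @@ -86,26 +86,9 @@, the new `.Fl P` entry says only "This flag has no effect", which does not tell a reader who relied on the old semantics that the file is no longer overwritten before it is unlinked. Since the risk being addressed is a false belief that data was destroyed, consider stating that outright, e.g. `Files are not overwritten; the flag is accepted and ignored.`, and keep some pointer to the rationale now that the removed `N.B.` and `.Pq see Sx BUGS` lines are gone.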
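Review bot: the rm.1 hunk @@ -250,15 +233,3 @@ deletes the whole BUGS section, which was the only place the manual explained why in-place overwriting cannot be trusted (copy-on-write file systems such as ZFS or UFS with snapshots, wear-levelling flash, journaling backing stores, and non-regular files never being touched). With -P now a no-op, that is exactly what a user asking "why was it removed?" needs; consider condensing it into the paragraph added in @@ -227,6 +204,12 @@ rather than dropping it entirely.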
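Review bot: in the rm.c hunk @@ -128,7 +127,7 @@, `case 'P':` now reaches `break;` with only the `/* Compatibility no-op. */` comment, so a user or script still passing -P in the belief that it overwrites gets no signal at all. Consider a one-time `warnx()` to stderr, or at least a mention in usage(), so the behaviour change is visible at the point where the old expectation is expressed; the getopt string `"dfiIPRrvWx"` is unchanged, so existing invocations keep parsing either way.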
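Review bot: in the rm.c hunk @@ -313,12 +312,6 @@, once the `if (Pflag)` block and the `/* FALLTHROUGH */` comment are removed, `case FTS_F:` and `case FTS_NSOK:` are left as bare labels stacked directly on `default:` and are therefore redundant. Either drop them or add a short comment that regular files and unstatted entries go through the default unlink path, so the empty labels do not read as an unfinished edit.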
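Review bot: the rm.c hunk @@ -409,85 +398,7 @@ removes the only visible users of `struct statfs`/`fstatfs()`, `MAX()`, `malloc()`/`free()` and `O_NOFOLLOW`; check whether the headers pulled in for them are still needed (the `#include` lines in @@ -61,7 +61,7 @@ are not legible in this copy), since the compiler will not flag an unused include. It is also worth a sentence in the log that the deleted function carried the only open-then-verify check in rm (open with O_NOFOLLOW, then compare `fstat()` dev/ino against the `lstat()` result); the remaining code only ever calls `unlink()` on the name and never opens the file, so nothing else depended on it.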
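As an added example that is not part of this commit or of FreeBSD's rm.c, the following C program isolates two things the deleted rm_overwrite() did: the identity check around the open (lstat(2), open(2) with O_NOFOLLOW, then fstat(2) compared on st_dev/st_ino) and the patterned passes with fsync(2) between them. Its demo functions then show, on a constructed temporary file, why the old -P refused multi-link files unless -f was given: the passes clobber the shared inode, so the content is gone through the other name as well, while a symlink is refused before anything is opened. The names open_same_inode(), overwrite_passes(), demo_hardlink_overwrite() and demo_symlink_refused() are this example's own, and it assumes a writable /tmp on which hard links are permitted.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEMO_SIZE 4096		/* size of the constructed sample file */

/*
 * Open `path` for writing without following symlinks, then confirm via
 * fstat() that the descriptor names the same regular inode lstat() saw.
 * Returns the fd, or -1 with errno set.  (Hypothetical helper; mirrors the
 * check the removed rm_overwrite() made before writing any bytes.)
 */
int open_same_inode(const char *path)
{
	struct stat before, after;
	int fd;

	if (lstat(path, &before) == -1)
		return (-1);
	if (!S_ISREG(before.st_mode)) {	/* symlink, directory, device... */
		errno = EPERM;
		return (-1);
	}
	if ((fd = open(path, O_WRONLY | O_NONBLOCK | O_NOFOLLOW)) == -1)
		return (-1);
	if (fstat(fd, &after) == -1 || after.st_dev != before.st_dev ||
	    after.st_ino != before.st_ino || !S_ISREG(after.st_mode)) {
		close(fd);		/* the name was swapped under us */
		errno = EPERM;
		return (-1);
	}
	return (fd);
}

/*
 * Overwrite the first `size` bytes of fd once per byte in `patterns`,
 * rewinding before and fsync()ing after each pass (0xff, 0x00, 0xff was the
 * historical -P sequence).  Returns 0 on success, -1 on error.
 */
int overwrite_passes(int fd, off_t size, const unsigned char *patterns,
    size_t npatterns)
{
	unsigned char buf[1024];
	size_t i;
	off_t left;
	ssize_t wlen, n;

	for (i = 0; i < npatterns; i++) {
		memset(buf, patterns[i], sizeof(buf));
		if (lseek(fd, 0, SEEK_SET) == -1)
			return (-1);
		for (left = size; left > 0; left -= n) {
			wlen = left < (off_t)sizeof(buf) ?
			    (ssize_t)left : (ssize_t)sizeof(buf);
			if ((n = write(fd, buf, wlen)) != wlen)
				return (-1);
		}
		if (fsync(fd) == -1)
			return (-1);
	}
	return (0);
}

/*
 * Constructed scenario: fill a temp file with 'A', hard-link it, overwrite
 * through the first name, unlink that name, and read back through the other.
 * Returns 1 if every byte seen via the surviving link is now 0xff, i.e. the
 * passes destroyed data that the other link's owner still expected to have.
 */
int demo_hardlink_overwrite(void)
{
	static const unsigned char passes[] = { 0xff, 0x00, 0xff };
	char name[] = "/tmp/rmPdemoXXXXXX", other[64];
	unsigned char rd[DEMO_SIZE];
	int fd, ok = 0;
	ssize_t i, n;

	if ((fd = mkstemp(name)) == -1)
		return (0);
	memset(rd, 'A', sizeof(rd));		/* constructed plaintext */
	n = write(fd, rd, sizeof(rd));
	close(fd);
	snprintf(other, sizeof(other), "%s.link", name);
	if (n == (ssize_t)sizeof(rd) && link(name, other) == 0 &&
	    (fd = open_same_inode(name)) != -1) {
		ok = overwrite_passes(fd, DEMO_SIZE, passes, sizeof(passes)) == 0;
		close(fd);
	}
	unlink(name);				/* the "rm" of the first name */
	if (ok && (fd = open(other, O_RDONLY)) != -1) {
		n = read(fd, rd, sizeof(rd));
		close(fd);
		ok = (n == DEMO_SIZE);
		for (i = 0; ok && i < n; i++)	/* other link sees 0xff too */
			ok = (rd[i] == 0xff);
	} else
		ok = 0;
	unlink(other);
	return (ok);
}

/* A symlink to the file must be refused with EPERM; returns 1 if it is. */
int demo_symlink_refused(void)
{
	char name[] = "/tmp/rmPdemoXXXXXX", lnk[64];
	int fd, refused = 0;

	if ((fd = mkstemp(name)) == -1)
		return (0);
	close(fd);
	snprintf(lnk, sizeof(lnk), "%s.sym", name);
	if (symlink(name, lnk) == 0) {
		refused = (open_same_inode(lnk) == -1 && errno == EPERM);
		unlink(lnk);
	}
	unlink(name);
	return (refused);
}

int main(void)
{
	printf("other hard link readable and all 0xff: %d\n",
	    demo_hardlink_overwrite());
	printf("symlink refused: %d\n", demo_symlink_refused());
	return (0);
}
```

Nothing here weakens the commit's conclusion: the passes only rewrite whatever blocks the file system hands back for the same offsets, which is precisely the assumption the deleted BUGS section said a copy-on-write, journaling or wear-levelled backing store does not honour.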