we opened is the one we expected to get. Also use O_NOFOLLOW to help
avoid even opening devices, which sometimes produce side effects.
Reported by Radoslaw A. Zarzynski.
overwritten. Old code would remove the file regardless of
whether the overwrite was successful or not.
New behaviour:
carpy: {12} touch moo ; chmod 444 moo
carpy: {13} ls
moo
carpy: {14} rm -P moo
rm: moo: -P was specified but file could not be overwritten
carpy: {15} ls
moo
carpy: {16}
ok: christos@, joerg@ & tech-userlevel@
standard. This change inspired by Apple's "Secure Empty Trash" functionality
in MacOS 10.3. However, it is important to understand that this change
does not -- and can not -- actually achieve conformance to the current
revision of the standard. To quote the manual page:
The -P option attempts to conform to U.S. DoD 5220-22.M, "National Indus-
trial Security Program Operating Manual" ("NISPOM") as updated by Change
2 and the July 23, 2003 "Clearing & Sanitization Matrix". However,
unlike earlier revisions of NISPOM, the 2003 matrix imposes requirements
which make it clear that the standard does not and can not apply to the
erasure of individual files, in particular requirements relating to spare
sector management for an entire magnetic disk. Because these
requirements are not met, the -P option does not conform to the standard.
This also makes the -P option a *lot* more expensive than it used to be.
It used to overwrite with 0xff, overwrite with 0x00, overwrite with 0xff,
with an fsync after each write. Now it overwrites with a random character,
overwrites with 0xff, overwrites with 0x00, reads to validate the 0x00
overwrite, then overwrites with random data -- calling sync() after every
operation in an attempt to force seeks that will clear the data from the
cache of disks that lie about whether data has been committed to the
platters. Also, the file's opened with O_SYNC|O_RSYNC to cause metadata
updates on every read/write, which should cause still more seeks.
This is better than it used to be, but it's by no means adequate if you
have data you really don't want read by an adversary who can pull the
disk apart.
If stdout is a tty, use vis(3) to print any filenames to prevent garbage
from being printed if the filename contains control- or other non-printable
characters.
While here, sprinkle some EXIT_FAILURE and NOTREACHED where appropriate.
Accidentally left eval = 1 when I was adding the extension which caused the rm command to return a 1 when it successfully removed a directory. Thanks to tron for catching it.
- Put a space after the C language keyword ``switch''.
- Put an empty line if a function doesn't have local variable.
- Use do { } while (/*CONSTCOND*/ 0) instead of { } to protect a multi
statement macro
files in case the `-f' option has been specified:
Extend the definition of `non-existent' to include ENAMETOOLONG and ENOTDIR
cases, since file names failing with these errors can safely assumed to be
non-existent. Fixes PR bin/2993.
rillig