1 /* remove.c -- core functions for removing files and directories
2 Copyright (C) 88, 90, 91, 1994-2005 Free Software Foundation, Inc.
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2, or (at your option)
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software Foundation,
16 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
18 /* Extracted from rm.c and librarified, then rewritten by Jim Meyering. */
22 #include <sys/types.h>
28 #include "cycle-check.h"
31 #include "euidaccess.h"
32 #include "file-type.h"
38 #include "root-dev-ino.h"
39 #include "unlinkdir.h"
42 /* Avoid shadowing warnings because these are functions declared
43 in dirname.h as well as locals used below. */
44 #define dir_name rm_dir_name
45 #define dir_len rm_dir_len
47 #define obstack_chunk_alloc malloc
48 #define obstack_chunk_free free
50 /* This is the maximum number of consecutive readdir/unlink calls that
51 can be made (with no intervening rewinddir or closedir/opendir)
52 before triggering a bug that makes readdir return NULL even though
53 some directory entries have not been processed. The bug afflicts
54 SunOS's readdir when applied to ufs file systems and Darwin 6.5's
55 (and OSX v.10.3.8's) HFS+. This maximum is conservative in that
56 demonstrating the problem seems to require a directory containing
57 at least 254 deletable entries (which doesn't count . and ..), so
58 we could conceivably increase the maximum value to 254. */
61 CONSECUTIVE_READDIR_UNLINK_THRESHOLD = 200
70 typedef enum Ternary Ternary;
72 /* The prompt function may be called twice for a given directory.
73 The first time, we ask whether to descend into it, and the
74 second time, we ask whether to remove it. */
77 PA_DESCEND_INTO_DIR = 2,
81 /* On systems with an lstat function that accepts the empty string,
82 arrange to make lstat calls go through the wrapper function. */
83 #if HAVE_LSTAT_EMPTY_STRING_BUG
84 int rpl_lstat (const char *, struct stat *);
85 # define lstat(Name, Stat_buf) rpl_lstat(Name, Stat_buf)
88 /* Initial capacity of per-directory hash table of entries that have
89 been processed but not been deleted. */
90 #define HT_UNREMOVABLE_INITIAL_CAPACITY 13
92 /* An entry in the active directory stack.
93 Each entry corresponds to an `active' directory. */
96 /* For a given active directory, this is the set of names of
97 entries in that directory that could/should not be removed.
98 For example, `.' and `..', as well as files/dirs for which
99 unlink/rmdir failed e.g., due to access restrictions. */
100 Hash_table *unremovable;
102 /* Record the status for a given active directory; we need to know
103 whether an entry was not removed, either because of an error or
104 because the user declined. */
105 enum RM_status status;
107 /* The directory's dev/ino. Used to ensure that `chdir some-subdir', then
108 `chdir ..' takes us back to the same directory from which we started).
109 (valid for all but the bottommost entry on the stack. */
110 struct dev_ino dev_ino;
113 extern char *program_name;
115 struct dirstack_state
117 /* The name of the directory (starting with and relative to a command
118 line argument) being processed. When a subdirectory is entered, a new
119 component is appended (pushed). Remove (pop) the top component
120 upon chdir'ing out of a directory. This is used to form the full
121 name of the current directory or a file therein, when necessary. */
122 struct obstack dir_stack;
124 /* Stack of lengths of directory names (including trailing slash)
125 appended to dir_stack. We have to have a separate stack of lengths
126 (rather than just popping back to previous slash) because the first
127 element pushed onto the dir stack may contain slashes. */
128 struct obstack len_stack;
130 /* Stack of active directory entries.
131 The first `active' directory is the initial working directory.
132 Additional active dirs are pushed onto the stack as we `chdir'
133 into each directory to be processed. When finished with the
134 hierarchy under a directory, pop the active dir stack. */
135 struct obstack Active_dir;
137 /* Used to detect cycles. */
138 struct cycle_check_state cycle_check_state;
140 /* Target of a longjmp in case rm has to stop processing the current
141 command-line argument. This happens 1) when rm detects a directory
142 cycle or 2) when it has processed one or more directories, but then
143 is unable to return to the initial working directory to process
144 additional `.'-relative command-line arguments. */
145 jmp_buf current_arg_jumpbuf;
147 typedef struct dirstack_state Dirstack_state;
151 /* The value of errno after a failed save_cwd or restore_cwd. */
154 /* Information (open file descriptor or absolute directory name)
155 required in order to restore the initial working directory. */
156 struct saved_cwd saved_cwd;
159 static Dirstack_state *
162 Dirstack_state *ds = xmalloc (sizeof *ds);
163 obstack_init (&ds->dir_stack);
164 obstack_init (&ds->len_stack);
165 obstack_init (&ds->Active_dir);
170 ds_free (Dirstack_state *ds)
172 obstack_free (&ds->dir_stack, NULL);
173 obstack_free (&ds->len_stack, NULL);
174 obstack_free (&ds->Active_dir, NULL);
185 hash_compare_strings (void const *x, void const *y)
187 return STREQ (x, y) ? true : false;
191 push_dir (Dirstack_state *ds, const char *dir_name)
193 size_t len = strlen (dir_name);
195 /* Append the string onto the stack. */
196 obstack_grow (&ds->dir_stack, dir_name, len);
198 /* Append a trailing slash. */
199 obstack_1grow (&ds->dir_stack, '/');
201 /* Add one for the slash. */
204 /* Push the length (including slash) onto its stack. */
205 obstack_grow (&ds->len_stack, &len, sizeof (len));
208 /* Return the entry name of the directory on the top of the stack
209 in malloc'd storage. */
211 top_dir (Dirstack_state const *ds)
213 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
214 size_t *length = obstack_base (&ds->len_stack);
215 size_t top_len = length[n_lengths - 1];
216 char const *p = obstack_next_free (&ds->dir_stack) - top_len;
217 char *q = xmalloc (top_len);
218 memcpy (q, p, top_len - 1);
224 pop_dir (Dirstack_state *ds)
226 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
227 size_t *length = obstack_base (&ds->len_stack);
230 assert (n_lengths > 0);
231 top_len = length[n_lengths - 1];
232 assert (top_len >= 2);
234 /* Pop off the specified length of pathname. */
235 assert (obstack_object_size (&ds->dir_stack) >= top_len);
236 obstack_blank (&ds->dir_stack, -top_len);
238 /* Pop the length stack, too. */
239 assert (obstack_object_size (&ds->len_stack) >= sizeof (size_t));
240 obstack_blank (&ds->len_stack, -(int) sizeof (size_t));
243 /* Copy the SRC_LEN bytes of data beginning at SRC into the DST_LEN-byte
244 buffer, DST, so that the last source byte is at the end of the destination
245 buffer. If SRC_LEN is longer than DST_LEN, then set *TRUNCATED.
246 Set *RESULT to point to the beginning of (the portion of) the source data
247 in DST. Return the number of bytes remaining in the destination buffer. */
250 right_justify (char *dst, size_t dst_len, const char *src, size_t src_len,
251 char **result, bool *truncated)
256 if (src_len <= dst_len)
259 dp = dst + (dst_len - src_len);
264 sp = src + (src_len - dst_len);
270 *result = memcpy (dp, sp, src_len);
271 return dst_len - src_len;
274 /* Using the global directory name obstack, create the full path to FILENAME.
275 Return it in sometimes-realloc'd space that should not be freed by the
276 caller. Realloc as necessary. If realloc fails, use a static buffer
277 and put as long a suffix in that buffer as possible. */
279 #define full_filename(Filename) full_filename_ (ds, Filename)
281 full_filename_ (Dirstack_state const *ds, const char *filename)
283 static char *buf = NULL;
284 static size_t n_allocated = 0;
286 size_t dir_len = obstack_object_size (&ds->dir_stack);
287 char *dir_name = obstack_base (&ds->dir_stack);
288 size_t n_bytes_needed;
291 filename_len = strlen (filename);
292 n_bytes_needed = dir_len + filename_len + 1;
294 if (n_allocated < n_bytes_needed)
296 /* This code requires that realloc accept NULL as the first arg.
297 This function must not use xrealloc. Otherwise, an out-of-memory
298 error involving a file name to be expanded here wouldn't ever
299 be issued. Use realloc and fall back on using a static buffer
300 if memory allocation fails. */
301 char *new_buf = realloc (buf, n_bytes_needed);
302 n_allocated = n_bytes_needed;
306 #define SBUF_SIZE 512
307 #define ELLIPSES_PREFIX "[...]"
308 static char static_buf[SBUF_SIZE];
314 len = right_justify (static_buf, SBUF_SIZE, filename,
315 filename_len + 1, &p, &truncated);
316 right_justify (static_buf, len, dir_name, dir_len, &p, &truncated);
319 memcpy (static_buf, ELLIPSES_PREFIX,
320 sizeof (ELLIPSES_PREFIX) - 1);
328 if (filename_len == 1 && *filename == '.' && dir_len)
330 /* FILENAME is just `.' and dir_len is nonzero.
331 Copy the directory part, omitting the trailing slash,
332 and append a trailing zero byte. */
333 char *p = mempcpy (buf, dir_name, dir_len - 1);
338 /* Copy the directory part, including trailing slash, and then
339 append the filename part, including a trailing zero byte. */
340 memcpy (mempcpy (buf, dir_name, dir_len), filename, filename_len + 1);
341 assert (strlen (buf) + 1 == n_bytes_needed);
348 AD_stack_height (Dirstack_state const *ds)
350 return obstack_object_size (&ds->Active_dir) / sizeof (struct AD_ent);
353 static struct AD_ent *
354 AD_stack_top (Dirstack_state const *ds)
356 return (struct AD_ent *)
357 ((char *) obstack_next_free (&ds->Active_dir) - sizeof (struct AD_ent));
361 AD_stack_pop (Dirstack_state *ds)
363 /* operate on Active_dir. pop and free top entry */
364 struct AD_ent *top = AD_stack_top (ds);
365 if (top->unremovable)
366 hash_free (top->unremovable);
367 obstack_blank (&ds->Active_dir, -(int) sizeof (struct AD_ent));
371 /* chdir `up' one level.
372 Whenever using chdir '..', verify that the post-chdir
373 dev/ino numbers for `.' match the saved ones.
374 If they don't match, exit nonzero.
375 Set *PREV_DIR to the name (in malloc'd storage) of the
376 directory (usually now empty) from which we're coming.
377 If we're at the bottom of the AD stack (about to return
378 to the initial working directory), then use CWD.
379 If that restore_cwd fails, set CWD_STATE->saved_errno. */
381 AD_pop_and_chdir (Dirstack_state *ds, char **prev_dir,
382 struct cwd_state *cwd_state)
384 enum RM_status old_status = AD_stack_top(ds)->status;
387 /* Get the name of the current (but soon to be `previous') directory
388 from the top of the stack. */
389 *prev_dir = top_dir (ds);
392 top = AD_stack_top (ds);
394 /* Propagate any failure to parent. */
395 UPDATE_STATUS (top->status, old_status);
397 assert (AD_stack_height (ds));
399 if (1 < AD_stack_height (ds))
403 /* We can give a better diagnostic here, since the target is relative. */
404 if (chdir ("..") != 0)
406 error (EXIT_FAILURE, errno,
407 _("cannot chdir from %s to .."),
408 quote (full_filename (".")));
411 if (lstat (".", &sb))
412 error (EXIT_FAILURE, errno,
413 _("cannot lstat `.' in %s"), quote (full_filename (".")));
415 /* Ensure that post-chdir dev/ino match the stored ones. */
416 if ( ! SAME_INODE (sb, top->dev_ino))
417 error (EXIT_FAILURE, 0,
418 _("%s changed dev/ino"), quote (full_filename (".")));
422 if (restore_cwd (&cwd_state->saved_cwd) != 0)
424 /* We've failed to return to the initial working directory.
425 That failure may be harmless if x->require_restore_cwd is false,
426 but we do have to remember that fact, including the errno value,
427 so we can give an accurate diagnostic when reporting the failure
428 to remove a subsequent relative-named command-line argument. */
429 cwd_state->saved_errno = errno;
434 /* Initialize *HT if it is NULL.
435 Insert FILENAME into HT. */
437 AD_mark_helper (Hash_table **ht, char const *filename)
441 *ht = hash_initialize (HT_UNREMOVABLE_INITIAL_CAPACITY, NULL, hash_pjw,
442 hash_compare_strings, hash_freer);
446 if (! hash_insert (*ht, filename))
450 /* Mark FILENAME (in current directory) as unremovable. */
452 AD_mark_as_unremovable (Dirstack_state *ds, char const *filename)
454 AD_mark_helper (&AD_stack_top(ds)->unremovable, xstrdup (filename));
457 /* Mark the current directory as unremovable. I.e., mark the entry
458 in the parent directory corresponding to `.'.
459 This happens e.g., when an opendir fails and the only name
460 the caller has conveniently at hand is `.'. */
462 AD_mark_current_as_unremovable (Dirstack_state *ds)
464 struct AD_ent *top = AD_stack_top (ds);
465 const char *curr = top_dir (ds);
467 assert (1 < AD_stack_height (ds));
470 AD_mark_helper (&top->unremovable, curr);
473 /* Push an initial dummy entry onto the stack.
474 This will always be the bottommost entry on the stack. */
476 AD_push_initial (Dirstack_state *ds)
480 /* Extend the stack. */
481 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
483 /* Fill in the new values. */
484 top = AD_stack_top (ds);
485 top->unremovable = NULL;
487 /* These should never be used.
488 Give them values that might look suspicious
489 in a debugger or in a diagnostic. */
490 top->dev_ino.st_dev = TYPE_MAXIMUM (dev_t);
491 top->dev_ino.st_ino = TYPE_MAXIMUM (ino_t);
494 /* Push info about the current working directory (".") onto the
495 active directory stack. DIR is the ./-relative name through
496 which we've just `chdir'd to this directory. DIR_SB_FROM_PARENT
497 is the result of calling lstat on DIR from the parent of DIR. */
499 AD_push (Dirstack_state *ds, char const *dir,
500 struct stat const *dir_sb_from_parent)
507 if (lstat (".", &sb))
508 error (EXIT_FAILURE, errno,
509 _("cannot lstat `.' in %s"), quote (full_filename (".")));
511 if ( ! SAME_INODE (sb, *dir_sb_from_parent))
512 error (EXIT_FAILURE, 0,
513 _("%s changed dev/ino"), quote (full_filename (".")));
515 /* Extend the stack. */
516 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
518 /* Fill in the new values. */
519 top = AD_stack_top (ds);
520 top->dev_ino.st_dev = sb.st_dev;
521 top->dev_ino.st_ino = sb.st_ino;
522 top->unremovable = NULL;
526 AD_is_removable (Dirstack_state const *ds, char const *file)
528 struct AD_ent *top = AD_stack_top (ds);
529 return ! (top->unremovable && hash_lookup (top->unremovable, file));
532 /* Return true if DIR is determined to be an empty directory
533 or if opendir or readdir fails. */
535 is_empty_dir (char const *dir)
537 DIR *dirp = opendir (dir);
538 struct dirent const *dp;
545 dp = readdir_ignoring_dot_and_dotdot (dirp);
550 return saved_errno == 0 ? true : false;
553 /* Return true if FILE is not a symbolic link and it is not writable.
554 Also return true if FILE cannot be lstat'ed. Otherwise, return false.
555 If lstat succeeds, set *BUF_P to BUF.
556 This is to avoid calling euidaccess when FILE is a symlink. */
558 write_protected_non_symlink (char const *file,
562 if (lstat (file, buf) != 0)
565 if (S_ISLNK (buf->st_mode))
567 return euidaccess (file, W_OK) == -1 && errno == EACCES;
570 /* Prompt whether to remove FILENAME, if required via a combination of
571 the options specified by X and/or file attributes. If the file may
572 be removed, return RM_OK. If the user declines to remove the file,
573 return RM_USER_DECLINED. If not ignoring missing files and we
574 cannot lstat FILENAME, then return RM_ERROR.
576 Depending on MODE, ask whether to `descend into' or to `remove' the
577 directory FILENAME. MODE is ignored when FILENAME is not a directory.
578 Set *IS_EMPTY to T_YES if FILENAME is an empty directory, and it is
579 appropriate to try to remove it with rmdir (e.g. recursive mode).
580 Don't even try to set *IS_EMPTY when MODE == PA_REMOVE_DIR.
581 Set *IS_DIR to T_YES or T_NO if we happen to determine whether
582 FILENAME is a directory. */
583 static enum RM_status
584 prompt (Dirstack_state const *ds, char const *filename,
585 struct rm_options const *x, enum Prompt_action mode,
586 Ternary *is_dir, Ternary *is_empty)
588 bool write_protected = false;
589 struct stat *sbuf = NULL;
592 *is_empty = T_UNKNOWN;
595 if (((!x->ignore_missing_files & (x->interactive | x->stdin_tty))
596 && (write_protected = write_protected_non_symlink (filename,
603 if (lstat (filename, sbuf))
605 /* lstat failed. This happens e.g., with `rm '''. */
606 error (0, errno, _("cannot lstat %s"),
607 quote (full_filename (filename)));
612 if (S_ISDIR (sbuf->st_mode) && !x->recursive)
614 error (0, EISDIR, _("cannot remove directory %s"),
615 quote (full_filename (filename)));
619 /* Using permissions doesn't make sense for symlinks. */
620 if (S_ISLNK (sbuf->st_mode))
622 if ( ! x->interactive)
624 write_protected = false;
627 /* Issue the prompt. */
629 char const *quoted_name = quote (full_filename (filename));
631 *is_dir = (S_ISDIR (sbuf->st_mode) ? T_YES : T_NO);
633 /* FIXME: use a variant of error (instead of fprintf) that doesn't
634 append a newline. Then we won't have to declare program_name in
636 if (S_ISDIR (sbuf->st_mode)
638 && mode == PA_DESCEND_INTO_DIR
639 && ((*is_empty = (is_empty_dir (filename) ? T_YES : T_NO))
643 ? _("%s: descend into write-protected directory %s? ")
644 : _("%s: descend into directory %s? ")),
645 program_name, quoted_name);
648 /* TRANSLATORS: You may find it more convenient to translate
649 the equivalent of _("%s: remove %s (write-protected) %s? ").
650 It should avoid grammatical problems with the output
654 ? _("%s: remove write-protected %s %s? ")
655 : _("%s: remove %s %s? ")),
656 program_name, file_type (sbuf), quoted_name);
660 return RM_USER_DECLINED;
666 #if HAVE_STRUCT_DIRENT_D_TYPE
668 /* True if the type of the directory entry D is known. */
669 # define DT_IS_KNOWN(d) ((d)->d_type != DT_UNKNOWN)
671 /* True if the type of the directory entry D must be T. */
672 # define DT_MUST_BE(d, t) ((d)->d_type == (t))
675 # define DT_IS_KNOWN(d) false
676 # define DT_MUST_BE(d, t) false
679 #define DO_UNLINK(Filename, X) \
682 if (unlink (Filename) == 0) \
685 printf (_("removed %s\n"), quote (full_filename (Filename))); \
689 if (errno == ENOENT && (X)->ignore_missing_files) \
694 #define DO_RMDIR(Filename, X) \
697 if (rmdir (Filename) == 0) \
700 printf (_("removed directory: %s\n"), \
701 quote (full_filename (Filename))); \
705 if (errno == ENOENT && (X)->ignore_missing_files) \
708 if (errno == ENOTEMPTY || errno == EEXIST) \
709 return RM_NONEMPTY_DIR; \
713 /* Remove the file or directory specified by FILENAME.
714 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not.
715 But if FILENAME specifies a non-empty directory, return RM_NONEMPTY_DIR. */
717 static enum RM_status
718 remove_entry (Dirstack_state const *ds, char const *filename,
719 struct rm_options const *x, struct dirent const *dp)
722 Ternary is_empty_directory;
723 enum RM_status s = prompt (ds, filename, x, PA_DESCEND_INTO_DIR,
724 &is_dir, &is_empty_directory);
729 /* Why bother with the following if/else block? Because on systems with
730 an unlink function that *can* unlink directories, we must determine the
731 type of each entry before removing it. Otherwise, we'd risk unlinking
732 an entire directory tree simply by unlinking a single directory; then
733 all the storage associated with that hierarchy would not be freed until
734 the next fsck. Not nice. To avoid that, on such slightly losing
735 systems, we need to call lstat to determine the type of each entry,
736 and that represents extra overhead that -- it turns out -- we can
737 avoid on non-losing systems, since there, unlink will never remove
738 a directory. Also, on systems where unlink may unlink directories,
739 we're forced to allow a race condition: we lstat a non-directory, then
740 go to unlink it, but in the mean time, a malicious someone has replaced
741 it with a directory. */
743 if (cannot_unlink_dir ())
745 if (is_dir == T_YES && ! x->recursive)
747 error (0, EISDIR, _("cannot remove directory %s"),
748 quote (full_filename (filename)));
752 /* is_empty_directory is set iff it's ok to use rmdir.
753 Note that it's set only in interactive mode -- in which case it's
754 an optimization that arranges so that the user is asked just
755 once whether to remove the directory. */
756 if (is_empty_directory == T_YES)
757 DO_RMDIR (filename, x);
759 /* If we happen to know that FILENAME is a directory, return now
760 and let the caller remove it -- this saves the overhead of a failed
761 unlink call. If FILENAME is a command-line argument, then dp is NULL,
762 so we'll first try to unlink it. Using unlink here is ok, because it
763 cannot remove a directory. */
764 if ((dp && DT_MUST_BE (dp, DT_DIR)) || is_dir == T_YES)
765 return RM_NONEMPTY_DIR;
767 DO_UNLINK (filename, x);
770 || errno == ENOENT || errno == ENOTDIR
771 || errno == ELOOP || errno == ENAMETOOLONG)
773 /* Either --recursive is not in effect, or the file cannot be a
774 directory. Report the unlink problem and fail. */
775 error (0, errno, _("cannot remove %s"),
776 quote (full_filename (filename)));
782 /* If we don't already know whether FILENAME is a directory, find out now.
783 Then, if it's a non-directory, we can use unlink on it. */
784 if (is_dir == T_UNKNOWN)
786 if (dp && DT_IS_KNOWN (dp))
787 is_dir = DT_MUST_BE (dp, DT_DIR) ? T_YES : T_NO;
791 if (lstat (filename, &sbuf))
793 if (errno == ENOENT && x->ignore_missing_files)
796 error (0, errno, _("cannot lstat %s"),
797 quote (full_filename (filename)));
801 is_dir = S_ISDIR (sbuf.st_mode) ? T_YES : T_NO;
807 /* At this point, barring race conditions, FILENAME is known
808 to be a non-directory, so it's ok to try to unlink it. */
809 DO_UNLINK (filename, x);
811 /* unlink failed with some other error code. report it. */
812 error (0, errno, _("cannot remove %s"),
813 quote (full_filename (filename)));
819 error (0, EISDIR, _("cannot remove directory %s"),
820 quote (full_filename (filename)));
824 if (is_empty_directory == T_YES)
826 DO_RMDIR (filename, x);
827 /* Don't diagnose any failure here.
828 It'll be detected when the caller tries another way. */
832 return RM_NONEMPTY_DIR;
835 /* Remove entries in `.', the current working directory (cwd).
836 Upon finding a directory that is both non-empty and that can be chdir'd
837 into, return RM_OK and set *SUBDIR and fill in SUBDIR_SB, where
838 SUBDIR is the malloc'd name of the subdirectory if the chdir succeeded,
839 NULL otherwise (e.g., if opendir failed or if there was no subdirectory).
840 Likewise, SUBDIR_SB is the result of calling lstat on SUBDIR.
841 Return RM_OK if all entries are removed. Return RM_ERROR if any
842 entry cannot be removed. Otherwise, return RM_USER_DECLINED if
843 the user declines to remove at least one entry. Remove as much as
844 possible, continuing even if we fail to remove some entries. */
845 static enum RM_status
846 remove_cwd_entries (Dirstack_state *ds, char **subdir, struct stat *subdir_sb,
847 struct rm_options const *x)
849 DIR *dirp = opendir (".");
850 struct AD_ent *top = AD_stack_top (ds);
851 enum RM_status status = top->status;
852 size_t n_unlinked_since_opendir_or_last_rewind = 0;
854 assert (VALID_STATUS (status));
859 if (errno != ENOENT || !x->ignore_missing_files)
861 error (0, errno, _("cannot open directory %s"),
862 quote (full_filename (".")));
869 struct dirent const *dp;
870 enum RM_status tmp_status;
873 /* Set errno to zero so we can distinguish between a readdir failure
874 and when readdir simply finds that there are no more entries. */
876 if ((dp = readdir_ignoring_dot_and_dotdot (dirp)) == NULL)
880 /* Save/restore errno across closedir call. */
885 /* Arrange to give a diagnostic after exiting this loop. */
888 else if (CONSECUTIVE_READDIR_UNLINK_THRESHOLD
889 < n_unlinked_since_opendir_or_last_rewind)
891 /* Call rewinddir if we've called unlink or rmdir so many times
892 (since the opendir or the previous rewinddir) that this
893 NULL-return may be the symptom of a buggy readdir. */
895 n_unlinked_since_opendir_or_last_rewind = 0;
903 /* Skip files we've already tried/failed to remove. */
904 if ( ! AD_is_removable (ds, f))
907 /* Pass dp->d_type info to remove_entry so the non-glibc
908 case can decide whether to use unlink or chdir.
909 Systems without the d_type member will have to endure
910 the performance hit of first calling lstat F. */
911 tmp_status = remove_entry (ds, f, x, dp);
915 /* Count how many files we've unlinked since the initial
916 opendir or the last rewinddir. On buggy systems, if you
917 remove too many, readdir returns NULL even though there
918 remain unprocessed directory entries. */
919 ++n_unlinked_since_opendir_or_last_rewind;
923 case RM_USER_DECLINED:
924 AD_mark_as_unremovable (ds, f);
925 UPDATE_STATUS (status, tmp_status);
928 case RM_NONEMPTY_DIR:
930 /* Save a copy of errno, in case the preceding unlink (from
931 remove_entry's DO_UNLINK) of a non-directory failed. */
932 int saved_errno = errno;
934 /* Record dev/ino of F so that we can compare
935 that with dev/ino of `.' after the chdir.
936 This dev/ino pair is also used in cycle detection. */
937 if (lstat (f, subdir_sb))
938 error (EXIT_FAILURE, errno, _("cannot lstat %s"),
939 quote (full_filename (f)));
942 if (! S_ISDIR (subdir_sb->st_mode) || chdir (f) != 0)
944 /* It is much more common that we reach this point for an
945 inaccessible directory. Hence the second diagnostic, below.
946 However it is also possible that F is a non-directory.
947 That can happen when we use the `! UNLINK_CAN_UNLINK_DIRS'
948 block of code and when DO_UNLINK fails due to EPERM.
949 In that case, give a better diagnostic. */
950 if (errno == ENOTDIR)
951 error (0, saved_errno, _("cannot remove %s"),
952 quote (full_filename (f)));
954 error (0, errno, _("cannot chdir from %s to %s"),
955 quote_n (0, full_filename (".")), quote_n (1, f));
956 AD_mark_as_unremovable (ds, f);
960 if (cycle_check (&ds->cycle_check_state, subdir_sb))
963 WARNING: Circular directory structure.\n\
964 This almost certainly means that you have a corrupted file system.\n\
965 NOTIFY YOUR SYSTEM MANAGER.\n\
966 The following directory is part of the cycle:\n %s\n"),
967 quote (full_filename (".")));
968 longjmp (ds->current_arg_jumpbuf, 1);
971 *subdir = xstrdup (f);
976 /* Record status for this directory. */
977 UPDATE_STATUS (top->status, status);
983 if (dirp == NULL || CLOSEDIR (dirp) != 0)
985 /* Note that this diagnostic serves for both readdir
986 and closedir failures. */
987 error (0, errno, _("reading directory %s"), quote (full_filename (".")));
994 /* Do this after each call to AD_push or AD_push_initial.
995 Because the status = RM_OK bit is too remove-specific to
996 go into the general-purpose AD_* package. */
997 #define AD_INIT_OTHER_MEMBERS() \
1000 AD_stack_top(ds)->status = RM_OK; \
1004 /* Remove the hierarchy rooted at DIR.
1005 Do that by changing into DIR, then removing its contents, then
1006 returning to the original working directory and removing DIR itself.
1007 Don't use recursion. Be careful when using chdir ".." that we
1008 return to the same directory from which we came, if necessary.
1009 Return 1 for success, 0 if some file cannot be removed or if
1011 If the initial working directory cannot be saved or restored,
1012 record the offending errno value in (*CWD_STATE)->saved_errno. */
1014 static enum RM_status
1015 remove_dir (Dirstack_state *ds, char const *dir, struct cwd_state **cwd_state,
1016 struct rm_options const *x)
1018 enum RM_status status;
1021 /* Save any errno (from caller's failed remove_entry call), in case DIR
1022 is not a directory, so that we can give a reasonable diagnostic. */
1023 int saved_errno = errno;
1025 if (*cwd_state == NULL)
1027 *cwd_state = xmalloc (sizeof **cwd_state);
1029 if (save_cwd (&(*cwd_state)->saved_cwd) != 0)
1031 (*cwd_state)->saved_errno = errno;
1032 assert (errno != 0);
1034 /* Pretend we started from "/". That is fine as long as there
1035 is no requirement to return to the original working directory.
1036 Use "/", not ".", so that we chdir out of a non-root target
1037 directory before attempting to remove it: some hosts don't let
1038 you remove a working directory. */
1039 (*cwd_state)->saved_cwd.name = xstrdup ("/");
1042 (*cwd_state)->saved_errno = 0;
1044 AD_push_initial (ds);
1045 AD_INIT_OTHER_MEMBERS ();
1048 /* If we've failed to record and/or restore the initial working directory,
1049 and we're now trying to access a `.'-relative file name, then give a
1050 diagnostic, record the failure, and proceed with any subsequent
1051 command-line arguments. */
1052 if ((*cwd_state)->saved_errno && IS_RELATIVE_FILE_NAME (dir))
1054 error (0, (*cwd_state)->saved_errno, _("cannot remove directory %s"),
1055 quote (full_filename (dir)));
1056 longjmp (ds->current_arg_jumpbuf, 1);
1059 /* There is a race condition in that an attacker could replace the nonempty
1060 directory, DIR, with a symlink between the preceding call to rmdir
1061 (in our caller) and the chdir below. However, the following lstat,
1062 along with the `stat (".",...' and dev/ino comparison in AD_push
1063 ensure that we detect it and fail. */
1065 if (lstat (dir, &dir_sb))
1068 _("cannot lstat %s"), quote (full_filename (dir)));
1073 if (! S_ISDIR (dir_sb.st_mode) || chdir (dir) != 0)
1075 if (errno == ENOTDIR)
1077 error (0, saved_errno,
1078 _("cannot remove %s"), quote (full_filename (dir)));
1083 _("cannot chdir from %s to %s"),
1084 quote_n (0, full_filename (".")), quote_n (1, dir));
1089 if (ROOT_DEV_INO_CHECK (x->root_dev_ino, &dir_sb))
1091 ROOT_DEV_INO_WARN (full_filename (dir));
1095 AD_push (ds, dir, &dir_sb);
1096 AD_INIT_OTHER_MEMBERS ();
1102 char *subdir = NULL;
1103 struct stat subdir_sb;
1104 enum RM_status tmp_status = remove_cwd_entries (ds,
1105 &subdir, &subdir_sb, x);
1106 if (tmp_status != RM_OK)
1108 UPDATE_STATUS (status, tmp_status);
1109 AD_mark_current_as_unremovable (ds);
1113 AD_push (ds, subdir, &subdir_sb);
1114 AD_INIT_OTHER_MEMBERS ();
1120 /* Execution reaches this point when we've removed the last
1121 removable entry from the current directory. */
1123 /* This is the name of the directory that we have just
1124 returned from, after nominally removing all of its contents. */
1127 AD_pop_and_chdir (ds, &empty_dir, *cwd_state);
1129 /* Try to remove D only if remove_cwd_entries succeeded. */
1130 if (tmp_status == RM_OK)
1132 /* This does a little more work than necessary when it actually
1133 prompts the user. E.g., we already know that D is a directory
1134 and that it's almost certainly empty, yet we lstat it.
1135 But that's no big deal since we're interactive. */
1138 enum RM_status s = prompt (ds, empty_dir, x, PA_REMOVE_DIR,
1139 &is_dir, &is_empty);
1147 if (rmdir (empty_dir) == 0)
1150 printf (_("removed directory: %s\n"),
1151 quote (full_filename (empty_dir)));
1155 error (0, errno, _("cannot remove directory %s"),
1156 quote (full_filename (empty_dir)));
1157 AD_mark_as_unremovable (ds, empty_dir);
1159 UPDATE_STATUS (AD_stack_top(ds)->status, status);
1165 if (AD_stack_height (ds) == 1)
1173 /* Remove the file or directory specified by FILENAME.
1174 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not.
1175 On input, the first time this function is called, CWD_STATE should be
1176 the address of a NULL pointer. Do not modify it for any subsequent calls.
1177 On output, it is either that same NULL pointer or the address of
1178 a malloc'd `struct saved_cwd' that may be freed. */
1180 static enum RM_status
1181 rm_1 (Dirstack_state *ds, char const *filename,
1182 struct rm_options const *x, struct cwd_state **cwd_state)
1184 char *base = base_name (filename);
1185 enum RM_status status;
1187 if (DOT_OR_DOTDOT (base))
1189 error (0, 0, _("cannot remove `.' or `..'"));
1193 if (*cwd_state && (*cwd_state)->saved_errno
1194 && IS_RELATIVE_FILE_NAME (filename))
1196 error (0, (*cwd_state)->saved_errno,
1197 _("cannot remove %s"), quote (filename));
1201 status = remove_entry (ds, filename, x, NULL);
1202 if (status != RM_NONEMPTY_DIR)
1205 return remove_dir (ds, filename, cwd_state, x);
1208 /* Remove all files and/or directories specified by N_FILES and FILE.
1209 Apply the options in X. If X->require_restore_cwd is false, then
1210 this function may return RM_OK even though it is unable to restore
1211 the initial working directory. */
1212 extern enum RM_status
1213 rm (size_t n_files, char const *const *file, struct rm_options const *x)
1215 struct cwd_state *cwd_state = NULL;
1218 /* Put the following two variables in static storage, so they can't
1219 be clobbered by the potential longjmp into this function. */
1220 static enum RM_status status = RM_OK;
1225 for (i = 0; i < n_files; i++)
1228 cycle_check_init (&ds->cycle_check_state);
1229 /* In the event that rm_1->remove_dir->remove_cwd_entries detects
1230 a directory cycle, arrange to fail, give up on this FILE, but
1231 continue on with any other arguments. */
1232 if (setjmp (ds->current_arg_jumpbuf))
1235 s = rm_1 (ds, file[i], x, &cwd_state);
1236 assert (VALID_STATUS (s));
1237 UPDATE_STATUS (status, s);
1240 if (x->require_restore_cwd && cwd_state && cwd_state->saved_errno != 0)
1242 error (0, cwd_state->saved_errno,
1243 _("cannot restore current working directory"));
1249 if (cwd_state && cwd_state->saved_errno == 0)
1250 free_cwd (&cwd_state->saved_cwd);