1 /* remove.c -- core functions for removing files and directories
2 Copyright (C) 88, 90, 91, 1994-2006 Free Software Foundation, Inc.
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2, or (at your option)
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software Foundation,
16 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
18 /* Extracted from rm.c and librarified, then rewritten by Jim Meyering. */
22 #include <sys/types.h>
27 #include "cycle-check.h"
30 #include "euidaccess.h"
31 #include "euidaccess-stat.h"
32 #include "file-type.h"
40 #include "root-dev-ino.h"
41 #include "unlinkdir.h"
44 /* Avoid shadowing warnings because these are functions declared
45 in dirname.h as well as locals used below. */
46 #define dir_name rm_dir_name
47 #define dir_len rm_dir_len
49 #define obstack_chunk_alloc malloc
50 #define obstack_chunk_free free
52 /* This is the maximum number of consecutive readdir/unlink calls that
53 can be made (with no intervening rewinddir or closedir/opendir) before
54 triggering a bug that makes readdir return NULL even though some
55 directory entries have not been processed. The bug afflicts SunOS's
56 readdir when applied to ufs file systems and Darwin 6.5's (and OSX
57 v.10.3.8's) HFS+. This maximum is conservative in that demonstrating
58 the problem requires a directory containing at least 16 deletable
59 entries (which doesn't count . and ..).
60 This problem also affects Darwin 7.9.0 (aka MacOS X 10.3.9) on HFS+
61 and NFS-mounted file systems, but not vfat ones. */
64 CONSECUTIVE_READDIR_UNLINK_THRESHOLD = 10
67 /* FIXME: in 2009, or whenever Darwin 7.9.0 (aka MacOS X 10.3.9) is no
68 longer relevant, remove this work-around code. Then, there will be
69 no need to perform the extra rewinddir call, ever. */
70 #define NEED_REWIND(readdir_unlink_count) \
71 (CONSECUTIVE_READDIR_UNLINK_THRESHOLD <= (readdir_unlink_count))
79 typedef enum Ternary Ternary;
81 /* The prompt function may be called twice for a given directory.
82 The first time, we ask whether to descend into it, and the
83 second time, we ask whether to remove it. */
86 PA_DESCEND_INTO_DIR = 2,
90 /* Initial capacity of per-directory hash table of entries that have
91 been processed but not been deleted. */
92 enum { HT_UNREMOVABLE_INITIAL_CAPACITY = 13 };
94 /* An entry in the active directory stack.
95 Each entry corresponds to an `active' directory. */
98 /* For a given active directory, this is the set of names of
99 entries in that directory that could/should not be removed.
100 For example, `.' and `..', as well as files/dirs for which
101 unlink/rmdir failed e.g., due to access restrictions. */
102 Hash_table *unremovable;
104 /* Record the status for a given active directory; we need to know
105 whether an entry was not removed, either because of an error or
106 because the user declined. */
107 enum RM_status status;
109 /* The directory's dev/ino. Used to ensure that a malicious user does
110 not replace a directory we're about to process with a symlink to
111 some other directory. */
112 struct dev_ino dev_ino;
115 extern char *program_name;
117 struct dirstack_state
119 /* The name of the directory (starting with and relative to a command
120 line argument) being processed. When a subdirectory is entered, a new
121 component is appended (pushed). Remove (pop) the top component
122 upon chdir'ing out of a directory. This is used to form the full
123 name of the current directory or a file therein, when necessary. */
124 struct obstack dir_stack;
126 /* Stack of lengths of directory names (including trailing slash)
127 appended to dir_stack. We have to have a separate stack of lengths
128 (rather than just popping back to previous slash) because the first
129 element pushed onto the dir stack may contain slashes. */
130 struct obstack len_stack;
132 /* Stack of active directory entries.
133 The first `active' directory is the initial working directory.
134 Additional active dirs are pushed onto the stack as we `chdir'
135 into each directory to be processed. When finished with the
136 hierarchy under a directory, pop the active dir stack. */
137 struct obstack Active_dir;
139 /* Used to detect cycles. */
140 struct cycle_check_state cycle_check_state;
142 /* Target of a longjmp in case rm has to stop processing the current
143 command-line argument. This happens 1) when rm detects a directory
144 cycle or 2) when it has processed one or more directories, but then
145 is unable to return to the initial working directory to process
146 additional `.'-relative command-line arguments. */
147 jmp_buf current_arg_jumpbuf;
149 typedef struct dirstack_state Dirstack_state;
151 /* Just like close(fd), but don't modify errno. */
153 close_preserve_errno (int fd)
155 int saved_errno = errno;
156 int result = close (fd);
161 /* Like fstatat, but cache the result. If ST->st_size is -1, the
162 status has not been gotten yet. If less than -1, fstatat failed
163 with errno == -1 - ST->st_size. Otherwise, the status has already
164 been gotten, so return 0. */
166 cache_fstatat (int fd, char const *file, struct stat *st, int flag)
168 if (st->st_size == -1 && fstatat (fd, file, st, flag) != 0)
169 st->st_size = -1 - errno;
170 if (0 <= st->st_size)
172 errno = -1 - st->st_size;
176 /* Initialize a fstatat cache *ST. Return ST for convenience. */
177 static inline struct stat *
178 cache_stat_init (struct stat *st)
184 /* Return true if *ST has been statted. */
186 cache_statted (struct stat *st)
188 return (st->st_size != -1);
191 /* Return true if *ST has been statted successfully. */
193 cache_stat_ok (struct stat *st)
195 return (0 <= st->st_size);
206 hash_compare_strings (void const *x, void const *y)
208 return STREQ (x, y) ? true : false;
212 push_dir (Dirstack_state *ds, const char *dir_name)
214 size_t len = strlen (dir_name);
216 /* Append the string onto the stack. */
217 obstack_grow (&ds->dir_stack, dir_name, len);
219 /* Append a trailing slash. */
220 obstack_1grow (&ds->dir_stack, '/');
222 /* Add one for the slash. */
225 /* Push the length (including slash) onto its stack. */
226 obstack_grow (&ds->len_stack, &len, sizeof (len));
229 /* Return the entry name of the directory on the top of the stack
230 in malloc'd storage. */
232 top_dir (Dirstack_state const *ds)
234 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
235 size_t *length = obstack_base (&ds->len_stack);
236 size_t top_len = length[n_lengths - 1];
237 char const *p = obstack_next_free (&ds->dir_stack) - top_len;
238 char *q = xmalloc (top_len);
239 memcpy (q, p, top_len - 1);
245 pop_dir (Dirstack_state *ds)
247 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
248 size_t *length = obstack_base (&ds->len_stack);
250 assert (n_lengths > 0);
251 size_t top_len = length[n_lengths - 1];
252 assert (top_len >= 2);
254 /* Pop the specified length of file name. */
255 assert (obstack_object_size (&ds->dir_stack) >= top_len);
256 obstack_blank (&ds->dir_stack, -top_len);
258 /* Pop the length stack, too. */
259 assert (obstack_object_size (&ds->len_stack) >= sizeof (size_t));
260 obstack_blank (&ds->len_stack, -(int) sizeof (size_t));
263 /* Copy the SRC_LEN bytes of data beginning at SRC into the DST_LEN-byte
264 buffer, DST, so that the last source byte is at the end of the destination
265 buffer. If SRC_LEN is longer than DST_LEN, then set *TRUNCATED.
266 Set *RESULT to point to the beginning of (the portion of) the source data
267 in DST. Return the number of bytes remaining in the destination buffer. */
270 right_justify (char *dst, size_t dst_len, const char *src, size_t src_len,
271 char **result, bool *truncated)
276 if (src_len <= dst_len)
279 dp = dst + (dst_len - src_len);
284 sp = src + (src_len - dst_len);
290 *result = memcpy (dp, sp, src_len);
291 return dst_len - src_len;
294 /* Using the global directory name obstack, create the full name FILENAME.
295 Return it in sometimes-realloc'd space that should not be freed by the
296 caller. Realloc as necessary. If realloc fails, use a static buffer
297 and put as long a suffix in that buffer as possible. */
299 #define full_filename(Filename) full_filename_ (ds, Filename)
301 full_filename_ (Dirstack_state const *ds, const char *filename)
303 static char *buf = NULL;
304 static size_t n_allocated = 0;
306 size_t dir_len = obstack_object_size (&ds->dir_stack);
307 char *dir_name = obstack_base (&ds->dir_stack);
308 size_t n_bytes_needed;
311 filename_len = strlen (filename);
312 n_bytes_needed = dir_len + filename_len + 1;
314 if (n_allocated < n_bytes_needed)
316 /* This code requires that realloc accept NULL as the first arg.
317 This function must not use xrealloc. Otherwise, an out-of-memory
318 error involving a file name to be expanded here wouldn't ever
319 be issued. Use realloc and fall back on using a static buffer
320 if memory allocation fails. */
321 char *new_buf = realloc (buf, n_bytes_needed);
322 n_allocated = n_bytes_needed;
326 #define SBUF_SIZE 512
327 #define ELLIPSES_PREFIX "[...]"
328 static char static_buf[SBUF_SIZE];
334 len = right_justify (static_buf, SBUF_SIZE, filename,
335 filename_len + 1, &p, &truncated);
336 right_justify (static_buf, len, dir_name, dir_len, &p, &truncated);
339 memcpy (static_buf, ELLIPSES_PREFIX,
340 sizeof (ELLIPSES_PREFIX) - 1);
348 if (filename_len == 1 && *filename == '.' && dir_len)
350 /* FILENAME is just `.' and dir_len is nonzero.
351 Copy the directory part, omitting the trailing slash,
352 and append a trailing zero byte. */
353 char *p = mempcpy (buf, dir_name, dir_len - 1);
358 /* Copy the directory part, including trailing slash, and then
359 append the filename part, including a trailing zero byte. */
360 memcpy (mempcpy (buf, dir_name, dir_len), filename, filename_len + 1);
361 assert (strlen (buf) + 1 == n_bytes_needed);
368 AD_stack_height (Dirstack_state const *ds)
370 return obstack_object_size (&ds->Active_dir) / sizeof (struct AD_ent);
373 static inline struct AD_ent *
374 AD_stack_top (Dirstack_state const *ds)
376 return (struct AD_ent *)
377 ((char *) obstack_next_free (&ds->Active_dir) - sizeof (struct AD_ent));
381 AD_stack_pop (Dirstack_state *ds)
383 assert (0 < AD_stack_height (ds));
385 /* operate on Active_dir. pop and free top entry */
386 struct AD_ent *top = AD_stack_top (ds);
387 if (top->unremovable)
388 hash_free (top->unremovable);
389 obstack_blank (&ds->Active_dir, -(int) sizeof (struct AD_ent));
393 AD_stack_clear (Dirstack_state *ds)
395 while (0 < AD_stack_height (ds))
401 static Dirstack_state *
404 Dirstack_state *ds = xmalloc (sizeof *ds);
405 obstack_init (&ds->dir_stack);
406 obstack_init (&ds->len_stack);
407 obstack_init (&ds->Active_dir);
412 ds_clear (Dirstack_state *ds)
414 obstack_free (&ds->dir_stack, obstack_finish (&ds->dir_stack));
415 obstack_free (&ds->len_stack, obstack_finish (&ds->len_stack));
416 while (0 < AD_stack_height (ds))
418 obstack_free (&ds->Active_dir, obstack_finish (&ds->Active_dir));
422 ds_free (Dirstack_state *ds)
424 obstack_free (&ds->dir_stack, NULL);
425 obstack_free (&ds->len_stack, NULL);
426 obstack_free (&ds->Active_dir, NULL);
430 /* Pop the active directory (AD) stack and move *DIRP `up' one level,
431 safely. Moving `up' usually means opening `..', but when we've just
432 finished recursively processing a command-line directory argument,
433 there's nothing left on the stack, so set *DIRP to NULL in that case.
434 The idea is to return with *DIRP opened on the parent directory,
435 assuming there are entries in that directory that we need to remove.
437 Whenever using chdir '..' (virtually, now, via openat), verify
438 that the post-chdir dev/ino numbers for `.' match the saved ones.
439 If any system call fails or if dev/ino don't match then give a
440 diagnostic and longjump out.
441 Set *PREV_DIR to the name (in malloc'd storage) of the
442 directory (usually now empty) from which we're coming, and which
443 corresponds to the input value of *DIRP. */
445 AD_pop_and_chdir (DIR **dirp, Dirstack_state *ds, char **prev_dir)
447 struct AD_ent *leaf_dir_ent = AD_stack_top(ds);
448 struct dev_ino leaf_dev_ino = leaf_dir_ent->dev_ino;
449 enum RM_status old_status = leaf_dir_ent->status;
452 /* Get the name of the current (but soon to be `previous') directory
453 from the top of the stack. */
454 *prev_dir = top_dir (ds);
458 top = AD_stack_top (ds);
460 /* If the directory we're about to leave (and try to rmdir)
461 is the one whose dev_ino is being used to detect a cycle,
462 reset cycle_check_state.dev_ino to that of the parent.
463 Otherwise, once that directory is removed, its dev_ino
464 could be reused in the creation (by some other process)
465 of a directory that this rm process would encounter,
466 which would result in a false-positive cycle indication. */
467 CYCLE_CHECK_REFLECT_CHDIR_UP (&ds->cycle_check_state,
468 top->dev_ino, leaf_dev_ino);
470 /* Propagate any failure to parent. */
471 UPDATE_STATUS (top->status, old_status);
473 assert (AD_stack_height (ds));
475 if (1 < AD_stack_height (ds))
478 int fd = openat (dirfd (*dirp), "..", O_RDONLY);
479 if (closedir (*dirp) != 0)
481 error (0, errno, _("FATAL: failed to close directory %s"),
482 quote (full_filename (*prev_dir)));
483 goto next_cmdline_arg;
486 /* The above fails with EACCES when *DIRP is readable but not
487 searchable, when using Solaris' openat. Without this openat
488 call, tests/rm2 would fail to remove directories a/2 and a/3. */
490 fd = openat (AT_FDCWD, full_filename ("."), O_RDONLY);
494 error (0, errno, _("FATAL: cannot open .. from %s"),
495 quote (full_filename (*prev_dir)));
496 goto next_cmdline_arg;
502 _("FATAL: cannot ensure %s (returned to via ..) is safe"),
503 quote (full_filename (".")));
507 /* Ensure that post-chdir dev/ino match the stored ones. */
508 if ( ! SAME_INODE (sb, top->dev_ino))
510 error (0, 0, _("FATAL: directory %s changed dev/ino"),
511 quote (full_filename (".")));
515 *dirp = fdopendir (fd);
518 error (0, errno, _("FATAL: cannot return to .. from %s"),
519 quote (full_filename (".")));
526 longjmp (ds->current_arg_jumpbuf, 1);
531 if (closedir (*dirp) != 0)
533 error (0, errno, _("FATAL: failed to close directory %s"),
534 quote (full_filename (*prev_dir)));
535 goto next_cmdline_arg;
541 /* Initialize *HT if it is NULL.
542 Insert FILENAME into HT. */
544 AD_mark_helper (Hash_table **ht, char *filename)
548 *ht = hash_initialize (HT_UNREMOVABLE_INITIAL_CAPACITY, NULL, hash_pjw,
549 hash_compare_strings, hash_freer);
553 void *ent = hash_insert (*ht, filename);
564 /* Mark FILENAME (in current directory) as unremovable. */
566 AD_mark_as_unremovable (Dirstack_state *ds, char const *filename)
568 AD_mark_helper (&AD_stack_top(ds)->unremovable, xstrdup (filename));
571 /* Mark the current directory as unremovable. I.e., mark the entry
572 in the parent directory corresponding to `.'.
573 This happens e.g., when an opendir fails and the only name
574 the caller has conveniently at hand is `.'. */
576 AD_mark_current_as_unremovable (Dirstack_state *ds)
578 struct AD_ent *top = AD_stack_top (ds);
579 char *curr = top_dir (ds);
581 assert (1 < AD_stack_height (ds));
584 AD_mark_helper (&top->unremovable, curr);
587 /* Push an initial dummy entry onto the stack.
588 This will always be the bottommost entry on the stack. */
590 AD_push_initial (Dirstack_state *ds)
594 /* Extend the stack. */
595 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
597 /* Fill in the new values. */
598 top = AD_stack_top (ds);
599 top->unremovable = NULL;
601 /* These should never be used.
602 Give them values that might look suspicious
603 in a debugger or in a diagnostic. */
604 top->dev_ino.st_dev = TYPE_MAXIMUM (dev_t);
605 top->dev_ino.st_ino = TYPE_MAXIMUM (ino_t);
608 /* Push info about the current working directory (".") onto the
609 active directory stack. DIR is the ./-relative name through
610 which we've just `chdir'd to this directory. DIR_SB_FROM_PARENT
611 is the result of calling lstat on DIR from the parent of DIR.
612 Longjump out (skipping the entire command line argument we're
613 dealing with) if `fstat (FD_CWD, ...' fails or if someone has
614 replaced DIR with e.g., a symlink to some other directory. */
616 AD_push (int fd_cwd, Dirstack_state *ds, char const *dir,
617 struct stat const *dir_sb_from_parent)
623 /* If our uses of openat are guaranteed not to
624 follow a symlink, then we can skip this check. */
625 if (! HAVE_WORKING_O_NOFOLLOW)
628 if (fstat (fd_cwd, &sb) != 0)
630 error (0, errno, _("FATAL: cannot enter directory %s"),
631 quote (full_filename (".")));
632 longjmp (ds->current_arg_jumpbuf, 1);
635 if ( ! SAME_INODE (sb, *dir_sb_from_parent))
638 _("FATAL: just-changed-to directory %s changed dev/ino"),
639 quote (full_filename (".")));
640 longjmp (ds->current_arg_jumpbuf, 1);
644 if (cycle_check (&ds->cycle_check_state, dir_sb_from_parent))
647 WARNING: Circular directory structure.\n\
648 This almost certainly means that you have a corrupted file system.\n\
649 NOTIFY YOUR SYSTEM MANAGER.\n\
650 The following directory is part of the cycle:\n %s\n"),
651 quote (full_filename (".")));
652 longjmp (ds->current_arg_jumpbuf, 1);
655 /* Extend the stack. */
656 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
658 /* The active directory stack must be one larger than the length stack. */
659 assert (AD_stack_height (ds) ==
660 1 + obstack_object_size (&ds->len_stack) / sizeof (size_t));
662 /* Fill in the new values. */
663 top = AD_stack_top (ds);
664 top->dev_ino.st_dev = dir_sb_from_parent->st_dev;
665 top->dev_ino.st_ino = dir_sb_from_parent->st_ino;
666 top->unremovable = NULL;
670 AD_is_removable (Dirstack_state const *ds, char const *file)
672 struct AD_ent *top = AD_stack_top (ds);
673 return ! (top->unremovable && hash_lookup (top->unremovable, file));
676 /* Return true if DIR is determined to be an empty directory. */
678 is_empty_dir (int fd_cwd, char const *dir)
681 struct dirent const *dp;
683 int fd = openat (fd_cwd, dir,
684 (O_RDONLY | O_DIRECTORY
685 | O_NOCTTY | O_NOFOLLOW | O_NONBLOCK));
690 dirp = fdopendir (fd);
698 dp = readdir_ignoring_dot_and_dotdot (dirp);
703 return saved_errno == 0 ? true : false;
706 /* Return true if FILE is determined to be an unwritable non-symlink.
707 Otherwise, return false (including when lstat'ing it fails).
708 Set *BUF to the file status.
709 This is to avoid calling euidaccess when FILE is a symlink. */
711 write_protected_non_symlink (int fd_cwd,
713 Dirstack_state const *ds,
716 if (cache_fstatat (fd_cwd, file, buf, AT_SYMLINK_NOFOLLOW) != 0)
718 if (S_ISLNK (buf->st_mode))
720 /* Here, we know FILE is not a symbolic link. */
722 /* In order to be reentrant -- i.e., to avoid changing the working
723 directory, and at the same time to be able to deal with alternate
724 access control mechanisms (ACLs, xattr-style attributes) and
725 arbitrarily deep trees -- we need a function like eaccessat, i.e.,
726 like Solaris' eaccess, but fd-relative, in the spirit of openat. */
728 /* In the absence of a native eaccessat function, here are some of
729 the implementation choices [#4 and #5 were suggested by Paul Eggert]:
730 1) call openat with O_WRONLY|O_NOCTTY
731 Disadvantage: may create the file and doesn't work for directory,
732 may mistakenly report `unwritable' for EROFS or ACLs even though
733 perm bits say the file is writable.
735 2) fake eaccessat (save_cwd, fchdir, call euidaccess, restore_cwd)
736 Disadvantage: changes working directory (not reentrant) and can't
737 work if save_cwd fails.
739 3) if (euidaccess (full_filename (file), W_OK) == 0)
740 Disadvantage: doesn't work if full_filename is too long.
741 Inefficient for very deep trees (O(Depth^2)).
743 4) If the full pathname is sufficiently short (say, less than
744 PATH_MAX or 8192 bytes, whichever is shorter):
745 use method (3) (i.e., euidaccess (full_filename (file), W_OK));
746 Otherwise: vfork, fchdir in the child, run euidaccess in the
747 child, then the child exits with a status that tells the parent
748 whether euidaccess succeeded.
750 This avoids the O(N**2) algorithm of method (3), and it also avoids
751 the failure-due-to-too-long-file-names of method (3), but it's fast
752 in the normal shallow case. It also avoids the lack-of-reentrancy
753 and the save_cwd problems.
754 Disadvantage; it uses a process slot for very-long file names,
755 and would be very slow for hierarchies with many such files.
757 5) If the full file name is sufficiently short (say, less than
758 PATH_MAX or 8192 bytes, whichever is shorter):
759 use method (3) (i.e., euidaccess (full_filename (file), W_OK));
760 Otherwise: look just at the file bits. Perhaps issue a warning
761 the first time this occurs.
763 This is like (4), except for the "Otherwise" case where it isn't as
764 "perfect" as (4) but is considerably faster. It conforms to current
765 POSIX, and is uniformly better than what Solaris and FreeBSD do (they
766 mess up with long file names). */
769 /* This implements #5: */
771 = obstack_object_size (&ds->dir_stack) + strlen (file);
773 return (file_name_len < MIN (PATH_MAX, 8192)
774 ? euidaccess (full_filename (file), W_OK) != 0 && errno == EACCES
775 : euidaccess_stat (buf, W_OK) != 0);
779 /* Prompt whether to remove FILENAME, if required via a combination of
780 the options specified by X and/or file attributes. If the file may
781 be removed, return RM_OK. If the user declines to remove the file,
782 return RM_USER_DECLINED. If not ignoring missing files and we
783 cannot lstat FILENAME, then return RM_ERROR.
785 Depending on MODE, ask whether to `descend into' or to `remove' the
786 directory FILENAME. MODE is ignored when FILENAME is not a directory.
787 Set *IS_EMPTY to T_YES if FILENAME is an empty directory, and it is
788 appropriate to try to remove it with rmdir (e.g. recursive mode).
789 Don't even try to set *IS_EMPTY when MODE == PA_REMOVE_DIR. */
790 static enum RM_status
791 prompt (int fd_cwd, Dirstack_state const *ds, char const *filename,
793 struct rm_options const *x, enum Prompt_action mode,
796 bool write_protected = false;
798 *is_empty = T_UNKNOWN;
800 if (((!x->ignore_missing_files & (x->interactive | x->stdin_tty))
801 && (write_protected = write_protected_non_symlink (fd_cwd, filename,
805 if (cache_fstatat (fd_cwd, filename, sbuf, AT_SYMLINK_NOFOLLOW) != 0)
807 /* This happens, e.g., with `rm '''. */
808 error (0, errno, _("cannot remove %s"),
809 quote (full_filename (filename)));
813 if (S_ISDIR (sbuf->st_mode) && !x->recursive)
815 error (0, EISDIR, _("cannot remove %s"),
816 quote (full_filename (filename)));
820 /* Using permissions doesn't make sense for symlinks. */
821 if (S_ISLNK (sbuf->st_mode))
823 if ( ! x->interactive)
825 write_protected = false;
828 /* Issue the prompt. */
830 char const *quoted_name = quote (full_filename (filename));
832 /* FIXME: use a variant of error (instead of fprintf) that doesn't
833 append a newline. Then we won't have to declare program_name in
835 if (S_ISDIR (sbuf->st_mode)
837 && mode == PA_DESCEND_INTO_DIR
838 && ((*is_empty = (is_empty_dir (fd_cwd, filename) ? T_YES : T_NO))
842 ? _("%s: descend into write-protected directory %s? ")
843 : _("%s: descend into directory %s? ")),
844 program_name, quoted_name);
847 /* TRANSLATORS: You may find it more convenient to translate
848 the equivalent of _("%s: remove %s (write-protected) %s? ").
849 It should avoid grammatical problems with the output
853 ? _("%s: remove write-protected %s %s? ")
854 : _("%s: remove %s %s? ")),
855 program_name, file_type (sbuf), quoted_name);
859 return RM_USER_DECLINED;
865 /* Return true if FILENAME is a directory (and not a symlink to a directory).
866 Otherwise, including the case in which lstat fails, return false.
867 *ST is FILENAME's tstatus.
868 Do not modify errno. */
870 is_dir_lstat (char const *filename, struct stat *st)
872 int saved_errno = errno;
874 (cache_fstatat (AT_FDCWD, filename, st, AT_SYMLINK_NOFOLLOW) == 0
875 && S_ISDIR (st->st_mode));
880 #if HAVE_STRUCT_DIRENT_D_TYPE
882 /* True if the type of the directory entry D is known. */
883 # define DT_IS_KNOWN(d) ((d)->d_type != DT_UNKNOWN)
885 /* True if the type of the directory entry D must be T. */
886 # define DT_MUST_BE(d, t) ((d)->d_type == (t))
889 # define DT_IS_KNOWN(d) false
890 # define DT_MUST_BE(d, t) false
893 #define DO_UNLINK(Fd_cwd, Filename, X) \
896 if (unlinkat (Fd_cwd, Filename, 0) == 0) \
899 printf (_("removed %s\n"), quote (full_filename (Filename))); \
903 if (ignorable_missing (X, errno)) \
908 #define DO_RMDIR(Fd_cwd, Filename, X) \
911 if (unlinkat (Fd_cwd, Filename, AT_REMOVEDIR) == 0) /* rmdir */ \
914 printf (_("removed directory: %s\n"), \
915 quote (full_filename (Filename))); \
919 if (ignorable_missing (X, errno)) \
922 if (errno == ENOTEMPTY || errno == EEXIST) \
923 return RM_NONEMPTY_DIR; \
927 /* When a function like unlink, rmdir, or fstatat fails with an errno
928 value of ERRNUM, return true if the specified file system object
929 is guaranteed not to exist; otherwise, return false. */
931 nonexistent_file_errno (int errnum)
933 /* Do not include ELOOP here, since the specified file may indeed
934 exist, but be (in)accessible only via too long a symlink chain.
935 Likewise for ENAMETOOLONG, since rm -f ./././.../foo may fail
936 if the "..." part expands to a long enough sequence of "./"s,
937 even though ./foo does indeed exist. */
949 /* Encapsulate the test for whether the errno value, ERRNUM, is ignorable. */
951 ignorable_missing (struct rm_options const *x, int errnum)
953 return x->ignore_missing_files && nonexistent_file_errno (errnum);
956 /* Remove the file or directory specified by FILENAME.
957 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not.
958 But if FILENAME specifies a non-empty directory, return RM_NONEMPTY_DIR. */
960 static enum RM_status
961 remove_entry (int fd_cwd, Dirstack_state const *ds, char const *filename,
963 struct rm_options const *x, struct dirent const *dp)
965 Ternary is_empty_directory;
966 enum RM_status s = prompt (fd_cwd, ds, filename, st, x, PA_DESCEND_INTO_DIR,
967 &is_empty_directory);
968 bool known_to_be_dir = (cache_stat_ok (st) && S_ISDIR (st->st_mode));
973 /* Why bother with the following if/else block? Because on systems with
974 an unlink function that *can* unlink directories, we must determine the
975 type of each entry before removing it. Otherwise, we'd risk unlinking
976 an entire directory tree simply by unlinking a single directory; then
977 all the storage associated with that hierarchy would not be freed until
978 the next fsck. Not nice. To avoid that, on such slightly losing
979 systems, we need to call lstat to determine the type of each entry,
980 and that represents extra overhead that -- it turns out -- we can
981 avoid on non-losing systems, since there, unlink will never remove
982 a directory. Also, on systems where unlink may unlink directories,
983 we're forced to allow a race condition: we lstat a non-directory, then
984 go to unlink it, but in the mean time, a malicious someone could have
985 replaced it with a directory. */
987 if (cannot_unlink_dir ())
989 if (known_to_be_dir && ! x->recursive)
991 error (0, EISDIR, _("cannot remove %s"),
992 quote (full_filename (filename)));
996 /* is_empty_directory is set iff it's ok to use rmdir.
997 Note that it's set only in interactive mode -- in which case it's
998 an optimization that arranges so that the user is asked just
999 once whether to remove the directory. */
1000 if (is_empty_directory == T_YES)
1001 DO_RMDIR (fd_cwd, filename, x);
1003 /* If we happen to know that FILENAME is a directory, return now
1004 and let the caller remove it -- this saves the overhead of a failed
1005 unlink call. If FILENAME is a command-line argument, then dp is NULL,
1006 so we'll first try to unlink it. Using unlink here is ok, because it
1007 cannot remove a directory. */
1008 if ((dp && DT_MUST_BE (dp, DT_DIR)) || known_to_be_dir)
1009 return RM_NONEMPTY_DIR;
1011 DO_UNLINK (fd_cwd, filename, x);
1013 /* Upon a failed attempt to unlink a directory, most non-Linux systems
1014 set errno to the POSIX-required value EPERM. In that case, change
1015 errno to EISDIR so that we emit a better diagnostic. */
1016 if (! x->recursive && errno == EPERM && is_dir_lstat (filename, st))
1020 || errno == ENOENT || errno == ENOTDIR
1021 || errno == ELOOP || errno == ENAMETOOLONG)
1023 if (ignorable_missing (x, errno))
1026 /* Either --recursive is not in effect, or the file cannot be a
1027 directory. Report the unlink problem and fail. */
1028 error (0, errno, _("cannot remove %s"),
1029 quote (full_filename (filename)));
1035 /* If we don't already know whether FILENAME is a directory,
1036 find out now. Then, if it's a non-directory, we can use
1040 if (cache_statted (st))
1041 is_dir = known_to_be_dir;
1044 if (dp && DT_IS_KNOWN (dp))
1045 is_dir = DT_MUST_BE (dp, DT_DIR);
1048 if (fstatat (fd_cwd, filename, st, AT_SYMLINK_NOFOLLOW))
1050 if (ignorable_missing (x, errno))
1053 error (0, errno, _("cannot remove %s"),
1054 quote (full_filename (filename)));
1058 is_dir = !! S_ISDIR (st->st_mode);
1064 /* At this point, barring race conditions, FILENAME is known
1065 to be a non-directory, so it's ok to try to unlink it. */
1066 DO_UNLINK (fd_cwd, filename, x);
1068 /* unlink failed with some other error code. report it. */
1069 error (0, errno, _("cannot remove %s"),
1070 quote (full_filename (filename)));
1076 error (0, EISDIR, _("cannot remove %s"),
1077 quote (full_filename (filename)));
1081 if (is_empty_directory == T_YES)
1083 DO_RMDIR (fd_cwd, filename, x);
1084 /* Don't diagnose any failure here.
1085 It'll be detected when the caller tries another way. */
1089 return RM_NONEMPTY_DIR;
1092 /* Given FD_CWD, the file descriptor for an open directory,
1093 open its subdirectory F (F is already `known' to be a directory,
1094 so if it is no longer one, someone is playing games), return a DIR*
1095 pointer for F, and put F's `stat' data in *SUBDIR_SB.
1096 Upon failure give a diagnostic and return NULL.
1097 If PREV_ERRNO is nonzero, it is the errno value from a preceding failed
1098 unlink- or rmdir-like system call -- use that value instead of ENOTDIR
1099 if an opened file turns out not to be a directory. This is important
1100 when the preceding non-dir-unlink failed due to e.g., EPERM or EACCES.
1101 The caller must use a nonnnull CWD_ERRNO the first
1102 time this function is called for each command-line-specified directory.
1103 If CWD_ERRNO is not null, set *CWD_ERRNO to the appropriate error number
1104 if this function fails to restore the initial working directory.
1105 If it is null, report an error and exit if the working directory
1108 fd_to_subdirp (int fd_cwd, char const *f,
1109 struct rm_options const *x, int prev_errno,
1110 struct stat *subdir_sb, Dirstack_state *ds,
1111 int *cwd_errno ATTRIBUTE_UNUSED)
1113 int open_flags = O_RDONLY | O_NOCTTY | O_NOFOLLOW | O_NONBLOCK;
1114 int fd_sub = openat_permissive (fd_cwd, f, open_flags, 0, cwd_errno);
1116 /* Record dev/ino of F. We may compare them against saved values
1117 to thwart any attempt to subvert the traversal. They are also used
1118 to detect directory cycles. */
1119 if (fd_sub < 0 || fstat (fd_sub, subdir_sb) != 0)
1122 close_preserve_errno (fd_sub);
1126 if (! S_ISDIR (subdir_sb->st_mode))
1128 errno = prev_errno ? prev_errno : ENOTDIR;
1129 close_preserve_errno (fd_sub);
1133 DIR *subdir_dirp = fdopendir (fd_sub);
1134 if (subdir_dirp == NULL)
1136 close_preserve_errno (fd_sub);
1143 /* Remove entries in the directory open on DIRP
1144 Upon finding a directory that is both non-empty and that can be chdir'd
1145 into, return RM_OK and set *SUBDIR and fill in SUBDIR_SB, where
1146 SUBDIR is the malloc'd name of the subdirectory if the chdir succeeded,
1147 NULL otherwise (e.g., if opendir failed or if there was no subdirectory).
1148 Likewise, SUBDIR_SB is the result of calling lstat on SUBDIR.
1149 Return RM_OK if all entries are removed. Return RM_ERROR if any
1150 entry cannot be removed. Otherwise, return RM_USER_DECLINED if
1151 the user declines to remove at least one entry. Remove as much as
1152 possible, continuing even if we fail to remove some entries. */
1153 static enum RM_status
1154 remove_cwd_entries (DIR **dirp,
1155 Dirstack_state *ds, char **subdir, struct stat *subdir_sb,
1156 struct rm_options const *x)
1158 struct AD_ent *top = AD_stack_top (ds);
1159 enum RM_status status = top->status;
1160 size_t n_unlinked_since_opendir_or_last_rewind = 0;
1162 assert (VALID_STATUS (status));
1167 struct dirent const *dp;
1168 enum RM_status tmp_status;
1171 /* Set errno to zero so we can distinguish between a readdir failure
1172 and when readdir simply finds that there are no more entries. */
1174 dp = readdir_ignoring_dot_and_dotdot (*dirp);
1181 else if (NEED_REWIND (n_unlinked_since_opendir_or_last_rewind))
1183 /* Call rewinddir if we've called unlink or rmdir so many times
1184 (since the opendir or the previous rewinddir) that this
1185 NULL-return may be the symptom of a buggy readdir. */
1187 n_unlinked_since_opendir_or_last_rewind = 0;
1195 /* Skip files we've already tried/failed to remove. */
1196 if ( ! AD_is_removable (ds, f))
1199 /* Pass dp->d_type info to remove_entry so the non-glibc
1200 case can decide whether to use unlink or chdir.
1201 Systems without the d_type member will have to endure
1202 the performance hit of first calling lstat F. */
1203 cache_stat_init (subdir_sb);
1204 tmp_status = remove_entry (dirfd (*dirp), ds, f, subdir_sb, x, dp);
1208 /* Count how many files we've unlinked since the initial
1209 opendir or the last rewinddir. On buggy systems, if you
1210 remove too many, readdir returns NULL even though there
1211 remain unprocessed directory entries. */
1212 ++n_unlinked_since_opendir_or_last_rewind;
1216 case RM_USER_DECLINED:
1217 AD_mark_as_unremovable (ds, f);
1218 UPDATE_STATUS (status, tmp_status);
1221 case RM_NONEMPTY_DIR:
1223 DIR *subdir_dirp = fd_to_subdirp (dirfd (*dirp), f,
1224 x, errno, subdir_sb, ds, NULL);
1225 if (subdir_dirp == NULL)
1229 /* CAUTION: this test and diagnostic are identical to
1230 those following the other use of fd_to_subdirp. */
1231 if (ignorable_missing (x, errno))
1233 /* With -f, don't report "file not found". */
1237 /* Upon fd_to_subdirp failure, try to remove F directly,
1238 in case it's just an empty directory. */
1239 int saved_errno = errno;
1240 if (unlinkat (dirfd (*dirp), f, AT_REMOVEDIR) == 0)
1243 error (0, saved_errno,
1244 _("cannot remove %s"), quote (full_filename (f)));
1247 if (status == RM_ERROR)
1248 AD_mark_as_unremovable (ds, f);
1252 *subdir = xstrdup (f);
1253 if (closedir (*dirp) != 0)
1255 error (0, 0, _("failed to close directory %s"),
1256 quote (full_filename (".")));
1259 *dirp = subdir_dirp;
1265 /* Record status for this directory. */
1266 UPDATE_STATUS (top->status, status);
1272 /* Ensure that *dirp is not NULL and that its file descriptor is valid. */
1273 assert (*dirp != NULL);
1274 assert (0 <= fcntl (dirfd (*dirp), F_GETFD));
1279 /* Do this after each call to AD_push or AD_push_initial.
1280 Because the status = RM_OK bit is too remove-specific to
1281 go into the general-purpose AD_* package. */
1282 #define AD_INIT_OTHER_MEMBERS() \
1285 AD_stack_top(ds)->status = RM_OK; \
1289 /* Remove the hierarchy rooted at DIR.
1290 Do that by changing into DIR, then removing its contents, then
1291 returning to the original working directory and removing DIR itself.
1292 Don't use recursion. Be careful when using chdir ".." that we
1293 return to the same directory from which we came, if necessary.
1294 Return an RM_status value to indicate success or failure. */
1296 static enum RM_status
1297 remove_dir (int fd_cwd, Dirstack_state *ds, char const *dir,
1298 struct stat *dir_st,
1299 struct rm_options const *x, int *cwd_errno)
1301 enum RM_status status;
1302 dev_t current_dev = dir_st->st_dev;
1304 /* There is a race condition in that an attacker could replace the nonempty
1305 directory, DIR, with a symlink between the preceding call to rmdir
1306 (unlinkat, in our caller) and fd_to_subdirp's openat call. But on most
1307 systems, even those without openat, this isn't a problem, since we ensure
1308 that opening a symlink will fail, when that is possible. Otherwise,
1309 fd_to_subdirp's fstat, along with the `fstat' and the dev/ino
1310 comparison in AD_push ensure that we detect it and fail. */
1312 DIR *dirp = fd_to_subdirp (fd_cwd, dir, x, 0, dir_st, ds, cwd_errno);
1316 /* CAUTION: this test and diagnostic are identical to
1317 those following the other use of fd_to_subdirp. */
1318 if (ignorable_missing (x, errno))
1320 /* With -f, don't report "file not found". */
1324 /* Upon fd_to_subdirp failure, try to remove DIR directly,
1325 in case it's just an empty directory. */
1326 int saved_errno = errno;
1327 if (unlinkat (fd_cwd, dir, AT_REMOVEDIR) == 0)
1330 error (0, saved_errno,
1331 _("cannot remove %s"), quote (full_filename (dir)));
1337 if (ROOT_DEV_INO_CHECK (x->root_dev_ino, dir_st))
1339 ROOT_DEV_INO_WARN (full_filename (dir));
1341 goto closedir_and_return;
1344 AD_push (dirfd (dirp), ds, dir, dir_st);
1345 AD_INIT_OTHER_MEMBERS ();
1351 char *subdir = NULL;
1352 struct stat subdir_sb;
1353 enum RM_status tmp_status;
1355 tmp_status = remove_cwd_entries (&dirp, ds, &subdir, &subdir_sb, x);
1357 if (tmp_status != RM_OK)
1359 UPDATE_STATUS (status, tmp_status);
1360 AD_mark_current_as_unremovable (ds);
1364 if ( ! x->one_file_system
1365 || subdir_sb.st_dev == current_dev)
1367 AD_push (dirfd (dirp), ds, subdir, &subdir_sb);
1368 AD_INIT_OTHER_MEMBERS ();
1373 /* Here, --one-file-system is in effect, and with remove_cwd_entries'
1374 traversal into the current directory, (known as SUBDIR, from ..),
1375 DIRP's device number is different from CURRENT_DEV. Arrange not
1376 to do anything more with this hierarchy. */
1377 error (0, errno, _("skipping %s, since it's on a different device"),
1378 quote (full_filename (subdir)));
1380 AD_mark_current_as_unremovable (ds);
1381 tmp_status = RM_ERROR;
1382 UPDATE_STATUS (status, tmp_status);
1385 /* Execution reaches this point when we've removed the last
1386 removable entry from the current directory -- or, with
1387 --one-file-system, when the current directory is on a
1388 different file system. */
1390 /* The name of the directory that we have just processed,
1391 nominally removing all of its contents. */
1394 AD_pop_and_chdir (&dirp, ds, &empty_dir);
1395 int fd = (dirp != NULL ? dirfd (dirp) : AT_FDCWD);
1396 assert (dirp != NULL || AD_stack_height (ds) == 1);
1398 /* Try to remove EMPTY_DIR only if remove_cwd_entries succeeded. */
1399 if (tmp_status == RM_OK)
1401 /* This does a little more work than necessary when it actually
1402 prompts the user. E.g., we already know that D is a directory
1403 and that it's almost certainly empty, yet we lstat it.
1404 But that's no big deal since we're interactive. */
1405 struct stat empty_st;
1407 enum RM_status s = prompt (fd, ds, empty_dir,
1408 cache_stat_init (&empty_st), x,
1409 PA_REMOVE_DIR, &is_empty);
1415 goto closedir_and_return;
1418 if (unlinkat (fd, empty_dir, AT_REMOVEDIR) == 0)
1421 printf (_("removed directory: %s\n"),
1422 quote (full_filename (empty_dir)));
1426 error (0, errno, _("cannot remove directory %s"),
1427 quote (full_filename (empty_dir)));
1428 AD_mark_as_unremovable (ds, empty_dir);
1430 UPDATE_STATUS (AD_stack_top(ds)->status, status);
1436 if (AD_stack_height (ds) == 1)
1441 /* If the first/final hash table of unremovable entries was used,
1445 closedir_and_return:;
1446 if (dirp != NULL && closedir (dirp) != 0)
1448 error (0, 0, _("failed to close directory %s"),
1449 quote (full_filename (".")));
1456 /* Remove the file or directory specified by FILENAME.
1457 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not. */
1459 static enum RM_status
1460 rm_1 (Dirstack_state *ds, char const *filename,
1461 struct rm_options const *x, int *cwd_errno)
1463 char const *base = last_component (filename);
1464 if (dot_or_dotdot (base))
1466 error (0, 0, _(base == filename
1467 ? "cannot remove directory %s"
1468 : "cannot remove %s directory %s"),
1469 quote_n (0, base), quote_n (1, filename));
1474 cache_stat_init (&st);
1475 if (x->root_dev_ino)
1477 if (cache_fstatat (AT_FDCWD, filename, &st, AT_SYMLINK_NOFOLLOW) != 0)
1479 if (ignorable_missing (x, errno))
1481 error (0, errno, _("cannot remove %s"), quote (filename));
1484 if (SAME_INODE (st, *(x->root_dev_ino)))
1486 error (0, 0, _("cannot remove root directory %s"), quote (filename));
1491 AD_push_initial (ds);
1492 AD_INIT_OTHER_MEMBERS ();
1494 enum RM_status status = remove_entry (AT_FDCWD, ds, filename, &st, x, NULL);
1495 if (status == RM_NONEMPTY_DIR)
1497 /* In the event that remove_dir->remove_cwd_entries detects
1498 a directory cycle, arrange to fail, give up on this FILE, but
1499 continue on with any other arguments. */
1500 if (setjmp (ds->current_arg_jumpbuf))
1503 status = remove_dir (AT_FDCWD, ds, filename, &st, x, cwd_errno);
1505 AD_stack_clear (ds);
1512 /* Remove all files and/or directories specified by N_FILES and FILE.
1513 Apply the options in X. */
1514 extern enum RM_status
1515 rm (size_t n_files, char const *const *file, struct rm_options const *x)
1517 enum RM_status status = RM_OK;
1518 Dirstack_state *ds = ds_init ();
1522 for (i = 0; i < n_files; i++)
1524 if (cwd_errno && IS_RELATIVE_FILE_NAME (file[i]))
1526 error (0, 0, _("cannot remove relative-named %s"), quote (file[i]));
1531 cycle_check_init (&ds->cycle_check_state);
1532 enum RM_status s = rm_1 (ds, file[i], x, &cwd_errno);
1533 assert (VALID_STATUS (s));
1534 UPDATE_STATUS (status, s);
1537 if (x->require_restore_cwd && cwd_errno)
1539 error (0, cwd_errno,
1540 _("cannot restore current working directory"));