1 /* remove.c -- core functions for removing files and directories
2 Copyright (C) 88, 90, 91, 1994-2008 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
17 /* Extracted from rm.c and librarified, then rewritten by Jim Meyering. */
21 #include <sys/types.h>
26 #include "cycle-check.h"
29 #include "euidaccess.h"
30 #include "euidaccess-stat.h"
31 #include "file-type.h"
38 #include "root-dev-ino.h"
39 #include "unlinkdir.h"
40 #include "write-any-file.h"
43 /* Avoid shadowing warnings because these are functions declared
44 in dirname.h as well as locals used below. */
45 #define dir_name rm_dir_name
46 #define dir_len rm_dir_len
48 #define obstack_chunk_alloc malloc
49 #define obstack_chunk_free free
51 /* This is the maximum number of consecutive readdir/unlink calls that
52 can be made (with no intervening rewinddir or closedir/opendir) before
53 triggering a bug that makes readdir return NULL even though some
54 directory entries have not been processed. The bug afflicts SunOS's
55 readdir when applied to ufs file systems and Darwin 6.5's (and OSX
56 v.10.3.8's) HFS+. This maximum is conservative in that demonstrating
57 the problem requires a directory containing at least 16 deletable
58 entries (which doesn't count . and ..).
59 This problem also affects Darwin 7.9.0 (aka MacOS X 10.3.9) on HFS+
60 and NFS-mounted file systems, but not vfat ones. */
63 CONSECUTIVE_READDIR_UNLINK_THRESHOLD = 10
66 /* FIXME: in 2009, or whenever Darwin 7.9.0 (aka MacOS X 10.3.9) is no
67 longer relevant, remove this work-around code. Then, there will be
68 no need to perform the extra rewinddir call, ever. */
69 #define NEED_REWIND(readdir_unlink_count) \
70 (CONSECUTIVE_READDIR_UNLINK_THRESHOLD <= (readdir_unlink_count))
78 typedef enum Ternary Ternary;
80 /* The prompt function may be called twice for a given directory.
81 The first time, we ask whether to descend into it, and the
82 second time, we ask whether to remove it. */
85 PA_DESCEND_INTO_DIR = 2,
89 /* Initial capacity of per-directory hash table of entries that have
90 been processed but not been deleted. */
91 enum { HT_UNREMOVABLE_INITIAL_CAPACITY = 13 };
93 /* An entry in the active directory stack.
94 Each entry corresponds to an `active' directory. */
97 /* For a given active directory, this is the set of names of
98 entries in that directory that could/should not be removed.
99 For example, `.' and `..', as well as files/dirs for which
100 unlink/rmdir failed e.g., due to access restrictions. */
101 Hash_table *unremovable;
103 /* Record the status for a given active directory; we need to know
104 whether an entry was not removed, either because of an error or
105 because the user declined. */
106 enum RM_status status;
108 /* The directory's dev/ino. Used to ensure that a malicious user does
109 not replace a directory we're about to process with a symlink to
110 some other directory. */
111 struct dev_ino dev_ino;
114 /* D_TYPE(D) is the type of directory entry D if known, DT_UNKNOWN
116 #if HAVE_STRUCT_DIRENT_D_TYPE
117 # define D_TYPE(d) ((d)->d_type)
119 # define D_TYPE(d) DT_UNKNOWN
121 /* Any int values will do here, so long as they're distinct.
122 Undef any existing macros out of the way. */
126 # define DT_UNKNOWN 0
131 struct dirstack_state
133 /* The name of the directory (starting with and relative to a command
134 line argument) being processed. When a subdirectory is entered, a new
135 component is appended (pushed). Remove (pop) the top component
136 upon chdir'ing out of a directory. This is used to form the full
137 name of the current directory or a file therein, when necessary. */
138 struct obstack dir_stack;
140 /* Stack of lengths of directory names (including trailing slash)
141 appended to dir_stack. We have to have a separate stack of lengths
142 (rather than just popping back to previous slash) because the first
143 element pushed onto the dir stack may contain slashes. */
144 struct obstack len_stack;
146 /* Stack of active directory entries.
147 The first `active' directory is the initial working directory.
148 Additional active dirs are pushed onto the stack as we `chdir'
149 into each directory to be processed. When finished with the
150 hierarchy under a directory, pop the active dir stack. */
151 struct obstack Active_dir;
153 /* Used to detect cycles. */
154 struct cycle_check_state cycle_check_state;
156 /* Target of a longjmp in case rm has to stop processing the current
157 command-line argument. This happens 1) when rm detects a directory
158 cycle or 2) when it has processed one or more directories, but then
159 is unable to return to the initial working directory to process
160 additional `.'-relative command-line arguments. */
161 jmp_buf current_arg_jumpbuf;
163 typedef struct dirstack_state Dirstack_state;
165 /* A static buffer and its allocated size, these variables are used by
166 xfull_filename and full_filename to form full, relative file names. */
168 static size_t g_n_allocated;
170 /* Like fstatat, but cache the result. If ST->st_size is -1, the
171 status has not been gotten yet. If less than -1, fstatat failed
172 with errno == ST->st_ino. Otherwise, the status has already
173 been gotten, so return 0. */
175 cache_fstatat (int fd, char const *file, struct stat *st, int flag)
177 if (st->st_size == -1 && fstatat (fd, file, st, flag) != 0)
182 if (0 <= st->st_size)
184 errno = (int) st->st_ino;
188 /* Initialize a fstatat cache *ST. Return ST for convenience. */
189 static inline struct stat *
190 cache_stat_init (struct stat *st)
196 /* Return true if *ST has been statted. */
198 cache_statted (struct stat *st)
200 return (st->st_size != -1);
203 /* Return true if *ST has been statted successfully. */
205 cache_stat_ok (struct stat *st)
207 return (0 <= st->st_size);
218 hash_compare_strings (void const *x, void const *y)
220 return STREQ (x, y) ? true : false;
224 push_dir (Dirstack_state *ds, const char *dir_name)
226 size_t len = strlen (dir_name);
228 /* Don't copy trailing slashes. */
229 while (1 < len && dir_name[len - 1] == '/')
232 /* Append the string onto the stack. */
233 obstack_grow (&ds->dir_stack, dir_name, len);
235 /* Append a trailing slash. */
236 obstack_1grow (&ds->dir_stack, '/');
238 /* Add one for the slash. */
241 /* Push the length (including slash) onto its stack. */
242 obstack_grow (&ds->len_stack, &len, sizeof (len));
245 /* Return the entry name of the directory on the top of the stack
246 in malloc'd storage. */
248 top_dir (Dirstack_state const *ds)
250 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
251 size_t *length = obstack_base (&ds->len_stack);
252 size_t top_len = length[n_lengths - 1];
253 char const *p = obstack_next_free (&ds->dir_stack) - top_len;
254 char *q = xmalloc (top_len);
255 memcpy (q, p, top_len - 1);
261 pop_dir (Dirstack_state *ds)
263 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
264 size_t *length = obstack_base (&ds->len_stack);
266 assert (n_lengths > 0);
267 size_t top_len = length[n_lengths - 1];
268 assert (top_len >= 2);
270 /* Pop the specified length of file name. */
271 assert (obstack_object_size (&ds->dir_stack) >= top_len);
272 obstack_blank (&ds->dir_stack, -top_len);
274 /* Pop the length stack, too. */
275 assert (obstack_object_size (&ds->len_stack) >= sizeof (size_t));
276 obstack_blank (&ds->len_stack, -(int) sizeof (size_t));
279 /* Copy the SRC_LEN bytes of data beginning at SRC into the DST_LEN-byte
280 buffer, DST, so that the last source byte is at the end of the destination
281 buffer. If SRC_LEN is longer than DST_LEN, then set *TRUNCATED.
282 Set *RESULT to point to the beginning of (the portion of) the source data
283 in DST. Return the number of bytes remaining in the destination buffer. */
286 right_justify (char *dst, size_t dst_len, const char *src, size_t src_len,
287 char **result, bool *truncated)
292 if (src_len <= dst_len)
295 dp = dst + (dst_len - src_len);
300 sp = src + (src_len - dst_len);
306 *result = memcpy (dp, sp, src_len);
307 return dst_len - src_len;
310 /* Using the global directory name obstack, create the full name of FILENAME.
311 Return it in sometimes-realloc'd space that should not be freed by the
312 caller. Realloc as necessary. If realloc fails, return NULL. */
315 full_filename0 (Dirstack_state const *ds, const char *filename)
317 size_t dir_len = obstack_object_size (&ds->dir_stack);
318 char *dir_name = obstack_base (&ds->dir_stack);
319 size_t filename_len = strlen (filename);
320 size_t n_bytes_needed = dir_len + filename_len + 1;
322 if (g_n_allocated < n_bytes_needed)
324 char *new_buf = realloc (g_buf, n_bytes_needed);
329 g_n_allocated = n_bytes_needed;
332 if (STREQ (filename, ".") && dir_len)
334 /* FILENAME is just `.' and dir_len is nonzero.
335 Copy the directory part, omitting the trailing slash,
336 and append a trailing zero byte. */
337 char *p = mempcpy (g_buf, dir_name, dir_len - 1);
342 /* Copy the directory part, including trailing slash, and then
343 append the filename part, including a trailing zero byte. */
344 memcpy (mempcpy (g_buf, dir_name, dir_len), filename, filename_len + 1);
345 assert (strlen (g_buf) + 1 == n_bytes_needed);
351 /* Using the global directory name obstack, create the full name of FILENAME.
352 Return it in sometimes-realloc'd space that should not be freed by the
353 caller. Realloc as necessary. If realloc fails, die. */
356 xfull_filename (Dirstack_state const *ds, const char *filename)
358 char *buf = full_filename0 (ds, filename);
364 /* Using the global directory name obstack, create the full name FILENAME.
365 Return it in sometimes-realloc'd space that should not be freed by the
366 caller. Realloc as necessary. If realloc fails, use a static buffer
367 and put as long a suffix in that buffer as possible. Be careful not
370 #define full_filename(Filename) full_filename_ (ds, Filename)
372 full_filename_ (Dirstack_state const *ds, const char *filename)
374 int saved_errno = errno;
375 char *full_name = full_filename0 (ds, filename);
383 #define SBUF_SIZE 512
384 #define ELLIPSES_PREFIX "[...]"
385 static char static_buf[SBUF_SIZE];
388 size_t n_bytes_remaining;
390 char *dir_name = obstack_base (&ds->dir_stack);
391 size_t dir_len = obstack_object_size (&ds->dir_stack);
394 n_bytes_remaining = right_justify (static_buf, SBUF_SIZE, filename,
395 strlen (filename) + 1, &p,
397 right_justify (static_buf, n_bytes_remaining, dir_name, dir_len,
399 if (file_truncated || dir_truncated)
401 memcpy (static_buf, ELLIPSES_PREFIX,
402 sizeof (ELLIPSES_PREFIX) - 1);
410 AD_stack_height (Dirstack_state const *ds)
412 return obstack_object_size (&ds->Active_dir) / sizeof (struct AD_ent);
415 static inline struct AD_ent *
416 AD_stack_top (Dirstack_state const *ds)
418 return (struct AD_ent *)
419 ((char *) obstack_next_free (&ds->Active_dir) - sizeof (struct AD_ent));
423 AD_stack_pop (Dirstack_state *ds)
425 assert (0 < AD_stack_height (ds));
427 /* operate on Active_dir. pop and free top entry */
428 struct AD_ent *top = AD_stack_top (ds);
429 if (top->unremovable)
430 hash_free (top->unremovable);
431 obstack_blank (&ds->Active_dir, -(int) sizeof (struct AD_ent));
435 AD_stack_clear (Dirstack_state *ds)
437 while (0 < AD_stack_height (ds))
443 static Dirstack_state *
446 Dirstack_state *ds = xmalloc (sizeof *ds);
447 obstack_init (&ds->dir_stack);
448 obstack_init (&ds->len_stack);
449 obstack_init (&ds->Active_dir);
454 ds_clear (Dirstack_state *ds)
456 obstack_free (&ds->dir_stack, obstack_finish (&ds->dir_stack));
457 obstack_free (&ds->len_stack, obstack_finish (&ds->len_stack));
458 while (0 < AD_stack_height (ds))
460 obstack_free (&ds->Active_dir, obstack_finish (&ds->Active_dir));
464 ds_free (Dirstack_state *ds)
466 obstack_free (&ds->dir_stack, NULL);
467 obstack_free (&ds->len_stack, NULL);
468 obstack_free (&ds->Active_dir, NULL);
472 /* Pop the active directory (AD) stack and prepare to move `up' one level,
473 safely. Moving `up' usually means opening `..', but when we've just
474 finished recursively processing a command-line directory argument,
475 there's nothing left on the stack, so set *FDP to AT_FDCWD in that case.
476 The idea is to return with *FDP opened on the parent directory,
477 assuming there are entries in that directory that we need to remove.
479 Note that we must not call opendir (or fdopendir) just yet, since
480 the caller must first remove the directory we're coming from.
481 That is because some file system implementations cache readdir
482 results at opendir time; so calling opendir, rmdir, readdir would
483 return an entry for the just-removed directory.
485 Whenever using chdir '..' (virtually, now, via openat), verify
486 that the post-chdir dev/ino numbers for `.' match the saved ones.
487 If any system call fails or if dev/ino don't match, then give a
488 diagnostic and longjump out.
489 Return the name (in malloc'd storage) of the
490 directory (usually now empty) from which we're coming, and which
491 corresponds to the input value of DIRP.
493 Finally, note that while this function's name is no longer as
494 accurate as it once was (it no longer calls chdir), it does open
495 the destination directory. */
497 AD_pop_and_chdir (DIR *dirp, int *fdp, Dirstack_state *ds)
499 struct AD_ent *leaf_dir_ent = AD_stack_top(ds);
500 struct dev_ino leaf_dev_ino = leaf_dir_ent->dev_ino;
501 enum RM_status old_status = leaf_dir_ent->status;
504 /* Get the name of the current (but soon to be `previous') directory
505 from the top of the stack. */
506 char *prev_dir = top_dir (ds);
510 top = AD_stack_top (ds);
512 /* If the directory we're about to leave (and try to rmdir)
513 is the one whose dev_ino is being used to detect a cycle,
514 reset cycle_check_state.dev_ino to that of the parent.
515 Otherwise, once that directory is removed, its dev_ino
516 could be reused in the creation (by some other process)
517 of a directory that this rm process would encounter,
518 which would result in a false-positive cycle indication. */
519 CYCLE_CHECK_REFLECT_CHDIR_UP (&ds->cycle_check_state,
520 top->dev_ino, leaf_dev_ino);
522 /* Propagate any failure to parent. */
523 UPDATE_STATUS (top->status, old_status);
525 assert (AD_stack_height (ds));
527 if (1 < AD_stack_height (ds))
530 int fd = openat (dirfd (dirp), "..", O_RDONLY);
531 if (closedir (dirp) != 0)
533 error (0, errno, _("FATAL: failed to close directory %s"),
534 quote (full_filename (prev_dir)));
535 goto next_cmdline_arg;
538 /* The above fails with EACCES when DIRP is readable but not
539 searchable, when using Solaris' openat. Without this openat
540 call, tests/rm2 would fail to remove directories a/2 and a/3. */
542 fd = openat (AT_FDCWD, xfull_filename (ds, "."), O_RDONLY);
546 error (0, errno, _("FATAL: cannot open .. from %s"),
547 quote (full_filename (prev_dir)));
548 goto next_cmdline_arg;
554 _("FATAL: cannot ensure %s (returned to via ..) is safe"),
555 quote (full_filename (".")));
559 /* Ensure that post-chdir dev/ino match the stored ones. */
560 if ( ! SAME_INODE (sb, top->dev_ino))
562 error (0, 0, _("FATAL: directory %s changed dev/ino"),
563 quote (full_filename (".")));
569 longjmp (ds->current_arg_jumpbuf, 1);
575 if (closedir (dirp) != 0)
577 error (0, errno, _("FATAL: failed to close directory %s"),
578 quote (full_filename (prev_dir)));
579 goto next_cmdline_arg;
587 /* Initialize *HT if it is NULL. Return *HT. */
589 AD_ensure_initialized (Hash_table **ht)
593 *ht = hash_initialize (HT_UNREMOVABLE_INITIAL_CAPACITY, NULL, hash_pjw,
594 hash_compare_strings, hash_freer);
602 /* Initialize *HT if it is NULL.
603 Insert FILENAME into HT. */
605 AD_mark_helper (Hash_table **ht, char *filename)
607 void *ent = hash_insert (AD_ensure_initialized (ht), filename);
617 /* Mark FILENAME (in current directory) as unremovable. */
619 AD_mark_as_unremovable (Dirstack_state *ds, char const *filename)
621 AD_mark_helper (&AD_stack_top(ds)->unremovable, xstrdup (filename));
624 /* Mark the current directory as unremovable. I.e., mark the entry
625 in the parent directory corresponding to `.'.
626 This happens e.g., when an opendir fails and the only name
627 the caller has conveniently at hand is `.'. */
629 AD_mark_current_as_unremovable (Dirstack_state *ds)
631 struct AD_ent *top = AD_stack_top (ds);
632 char *curr = top_dir (ds);
634 assert (1 < AD_stack_height (ds));
637 AD_mark_helper (&top->unremovable, curr);
640 /* Push an initial dummy entry onto the stack.
641 This will always be the bottommost entry on the stack. */
643 AD_push_initial (Dirstack_state *ds)
647 /* Extend the stack. */
648 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
650 /* Fill in the new values. */
651 top = AD_stack_top (ds);
652 top->unremovable = NULL;
654 /* These should never be used.
655 Give them values that might look suspicious
656 in a debugger or in a diagnostic. */
657 top->dev_ino.st_dev = TYPE_MAXIMUM (dev_t);
658 top->dev_ino.st_ino = TYPE_MAXIMUM (ino_t);
661 /* Push info about the current working directory (".") onto the
662 active directory stack. DIR is the ./-relative name through
663 which we've just `chdir'd to this directory. DIR_SB_FROM_PARENT
664 is the result of calling lstat on DIR from the parent of DIR.
665 Longjump out (skipping the entire command line argument we're
666 dealing with) if `fstat (FD_CWD, ...' fails or if someone has
667 replaced DIR with e.g., a symlink to some other directory. */
669 AD_push (int fd_cwd, Dirstack_state *ds, char const *dir,
670 struct stat const *dir_sb_from_parent)
676 /* If our uses of openat are guaranteed not to
677 follow a symlink, then we can skip this check. */
678 if (! HAVE_WORKING_O_NOFOLLOW)
681 if (fstat (fd_cwd, &sb) != 0)
683 error (0, errno, _("FATAL: cannot enter directory %s"),
684 quote (full_filename (".")));
685 longjmp (ds->current_arg_jumpbuf, 1);
688 if ( ! SAME_INODE (sb, *dir_sb_from_parent))
691 _("FATAL: just-changed-to directory %s changed dev/ino"),
692 quote (full_filename (".")));
693 longjmp (ds->current_arg_jumpbuf, 1);
697 if (cycle_check (&ds->cycle_check_state, dir_sb_from_parent))
700 WARNING: Circular directory structure.\n\
701 This almost certainly means that you have a corrupted file system.\n\
702 NOTIFY YOUR SYSTEM MANAGER.\n\
703 The following directory is part of the cycle:\n %s\n"),
704 quote (full_filename (".")));
705 longjmp (ds->current_arg_jumpbuf, 1);
708 /* Extend the stack. */
709 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
711 /* The active directory stack must be one larger than the length stack. */
712 assert (AD_stack_height (ds) ==
713 1 + obstack_object_size (&ds->len_stack) / sizeof (size_t));
715 /* Fill in the new values. */
716 top = AD_stack_top (ds);
717 top->dev_ino.st_dev = dir_sb_from_parent->st_dev;
718 top->dev_ino.st_ino = dir_sb_from_parent->st_ino;
719 top->unremovable = NULL;
723 AD_is_removable (Dirstack_state const *ds, char const *file)
725 struct AD_ent *top = AD_stack_top (ds);
726 return ! (top->unremovable && hash_lookup (top->unremovable, file));
729 /* Return 1 if FILE is an unwritable non-symlink,
730 0 if it is writable or some other type of file,
731 -1 and set errno if there is some problem in determining the answer.
732 Set *BUF to the file status.
733 This is to avoid calling euidaccess when FILE is a symlink. */
735 write_protected_non_symlink (int fd_cwd,
737 Dirstack_state const *ds,
740 if (can_write_any_file ())
742 if (cache_fstatat (fd_cwd, file, buf, AT_SYMLINK_NOFOLLOW) != 0)
744 if (S_ISLNK (buf->st_mode))
746 /* Here, we know FILE is not a symbolic link. */
748 /* In order to be reentrant -- i.e., to avoid changing the working
749 directory, and at the same time to be able to deal with alternate
750 access control mechanisms (ACLs, xattr-style attributes) and
751 arbitrarily deep trees -- we need a function like eaccessat, i.e.,
752 like Solaris' eaccess, but fd-relative, in the spirit of openat. */
754 /* In the absence of a native eaccessat function, here are some of
755 the implementation choices [#4 and #5 were suggested by Paul Eggert]:
756 1) call openat with O_WRONLY|O_NOCTTY
757 Disadvantage: may create the file and doesn't work for directory,
758 may mistakenly report `unwritable' for EROFS or ACLs even though
759 perm bits say the file is writable.
761 2) fake eaccessat (save_cwd, fchdir, call euidaccess, restore_cwd)
762 Disadvantage: changes working directory (not reentrant) and can't
763 work if save_cwd fails.
765 3) if (euidaccess (xfull_filename (file), W_OK) == 0)
766 Disadvantage: doesn't work if xfull_filename is too long.
767 Inefficient for very deep trees (O(Depth^2)).
769 4) If the full pathname is sufficiently short (say, less than
770 PATH_MAX or 8192 bytes, whichever is shorter):
771 use method (3) (i.e., euidaccess (xfull_filename (file), W_OK));
772 Otherwise: vfork, fchdir in the child, run euidaccess in the
773 child, then the child exits with a status that tells the parent
774 whether euidaccess succeeded.
776 This avoids the O(N**2) algorithm of method (3), and it also avoids
777 the failure-due-to-too-long-file-names of method (3), but it's fast
778 in the normal shallow case. It also avoids the lack-of-reentrancy
779 and the save_cwd problems.
780 Disadvantage; it uses a process slot for very-long file names,
781 and would be very slow for hierarchies with many such files.
783 5) If the full file name is sufficiently short (say, less than
784 PATH_MAX or 8192 bytes, whichever is shorter):
785 use method (3) (i.e., euidaccess (xfull_filename (file), W_OK));
786 Otherwise: look just at the file bits. Perhaps issue a warning
787 the first time this occurs.
789 This is like (4), except for the "Otherwise" case where it isn't as
790 "perfect" as (4) but is considerably faster. It conforms to current
791 POSIX, and is uniformly better than what Solaris and FreeBSD do (they
792 mess up with long file names). */
795 /* This implements #5: */
797 = obstack_object_size (&ds->dir_stack) + strlen (file);
799 if (MIN (PATH_MAX, 8192) <= file_name_len)
800 return ! euidaccess_stat (buf, W_OK);
801 if (euidaccess (xfull_filename (ds, file), W_OK) == 0)
809 /* Perhaps some other process has removed the file, or perhaps this
810 is a buggy NFS client. */
815 /* Prompt whether to remove FILENAME, if required via a combination of
816 the options specified by X and/or file attributes. If the file may
817 be removed, return RM_OK. If the user declines to remove the file,
818 return RM_USER_DECLINED. If not ignoring missing files and we
819 cannot lstat FILENAME, then return RM_ERROR.
821 *PDIRENT_TYPE is the type of the directory entry; update it to DT_DIR
822 or DT_LNK as needed. *SBUF is the file's status.
824 Depending on MODE, ask whether to `descend into' or to `remove' the
825 directory FILENAME. MODE is ignored when FILENAME is not a directory.
826 Set *IS_EMPTY to T_YES if FILENAME is an empty directory, and it is
827 appropriate to try to remove it with rmdir (e.g. recursive mode).
828 Don't even try to set *IS_EMPTY when MODE == PA_REMOVE_DIR. */
829 static enum RM_status
830 prompt (int fd_cwd, Dirstack_state const *ds, char const *filename,
831 int *pdirent_type, struct stat *sbuf,
832 struct rm_options const *x, enum Prompt_action mode,
835 int write_protected = 0;
836 int dirent_type = *pdirent_type;
838 *is_empty = T_UNKNOWN;
840 if (x->interactive == RMI_NEVER)
845 if (!x->ignore_missing_files
846 && ((x->interactive == RMI_ALWAYS) || x->stdin_tty)
847 && dirent_type != DT_LNK)
849 write_protected = write_protected_non_symlink (fd_cwd, filename, ds, sbuf);
853 if (write_protected || x->interactive == RMI_ALWAYS)
855 if (0 <= write_protected && dirent_type == DT_UNKNOWN)
857 if (cache_fstatat (fd_cwd, filename, sbuf, AT_SYMLINK_NOFOLLOW) == 0)
859 if (S_ISLNK (sbuf->st_mode))
860 dirent_type = DT_LNK;
861 else if (S_ISDIR (sbuf->st_mode))
862 dirent_type = DT_DIR;
863 /* Otherwise it doesn't matter, so leave it DT_UNKNOWN. */
864 *pdirent_type = dirent_type;
868 /* This happens, e.g., with `rm '''. */
869 write_protected = -1;
874 if (0 <= write_protected)
878 /* Using permissions doesn't make sense for symlinks. */
879 if (x->interactive != RMI_ALWAYS)
886 write_protected = -1;
892 char const *quoted_name = quote (full_filename (filename));
894 if (write_protected < 0)
896 error (0, wp_errno, _("cannot remove %s"), quoted_name);
900 /* Issue the prompt. */
901 /* FIXME: use a variant of error (instead of fprintf) that doesn't
902 append a newline. Then we won't have to declare program_name in
904 if (dirent_type == DT_DIR
905 && mode == PA_DESCEND_INTO_DIR
906 && ((*is_empty = (is_empty_dir (fd_cwd, filename) ? T_YES : T_NO))
910 ? _("%s: descend into write-protected directory %s? ")
911 : _("%s: descend into directory %s? ")),
912 program_name, quoted_name);
915 if (cache_fstatat (fd_cwd, filename, sbuf, AT_SYMLINK_NOFOLLOW) != 0)
917 error (0, errno, _("cannot remove %s"), quoted_name);
921 /* TRANSLATORS: You may find it more convenient to translate
922 the equivalent of _("%s: remove %s (write-protected) %s? ").
923 It should avoid grammatical problems with the output
927 ? _("%s: remove write-protected %s %s? ")
928 : _("%s: remove %s %s? ")),
929 program_name, file_type (sbuf), quoted_name);
933 return RM_USER_DECLINED;
938 /* Return true if FILENAME is a directory (and not a symlink to a directory).
939 Otherwise, including the case in which lstat fails, return false.
940 *ST is FILENAME's tstatus.
941 Do not modify errno. */
943 is_dir_lstat (int fd_cwd, char const *filename, struct stat *st)
945 int saved_errno = errno;
947 (cache_fstatat (fd_cwd, filename, st, AT_SYMLINK_NOFOLLOW) == 0
948 && S_ISDIR (st->st_mode));
953 /* Return true if FILENAME is a non-directory.
954 Otherwise, including the case in which lstat fails, return false.
955 *ST is FILENAME's tstatus.
956 Do not modify errno. */
958 is_nondir_lstat (int fd_cwd, char const *filename, struct stat *st)
960 int saved_errno = errno;
962 (cache_fstatat (fd_cwd, filename, st, AT_SYMLINK_NOFOLLOW) == 0
963 && !S_ISDIR (st->st_mode));
968 #define DO_UNLINK(Fd_cwd, Filename, X) \
971 if (unlinkat (Fd_cwd, Filename, 0) == 0) \
974 printf (_("removed %s\n"), quote (full_filename (Filename))); \
978 if (ignorable_missing (X, errno)) \
983 #define DO_RMDIR(Fd_cwd, Filename, X) \
986 if (unlinkat (Fd_cwd, Filename, AT_REMOVEDIR) == 0) /* rmdir */ \
989 printf (_("removed directory: %s\n"), \
990 quote (full_filename (Filename))); \
994 if (ignorable_missing (X, errno)) \
997 if (errno == ENOTEMPTY || errno == EEXIST) \
998 return RM_NONEMPTY_DIR; \
1002 /* When a function like unlink, rmdir, or fstatat fails with an errno
1003 value of ERRNUM, return true if the specified file system object
1004 is guaranteed not to exist; otherwise, return false. */
1006 nonexistent_file_errno (int errnum)
1008 /* Do not include ELOOP here, since the specified file may indeed
1009 exist, but be (in)accessible only via too long a symlink chain.
1010 Likewise for ENAMETOOLONG, since rm -f ./././.../foo may fail
1011 if the "..." part expands to a long enough sequence of "./"s,
1012 even though ./foo does indeed exist. */
1024 /* Encapsulate the test for whether the errno value, ERRNUM, is ignorable. */
1026 ignorable_missing (struct rm_options const *x, int errnum)
1028 return x->ignore_missing_files && nonexistent_file_errno (errnum);
1031 /* Remove the file or directory specified by FILENAME.
1032 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not.
1033 But if FILENAME specifies a non-empty directory, return RM_NONEMPTY_DIR. */
1035 static enum RM_status
1036 remove_entry (int fd_cwd, Dirstack_state const *ds, char const *filename,
1037 int dirent_type_arg, struct stat *st,
1038 struct rm_options const *x)
1040 Ternary is_empty_directory;
1041 enum RM_status s = prompt (fd_cwd, ds, filename, &dirent_type_arg, st, x,
1042 PA_DESCEND_INTO_DIR,
1043 &is_empty_directory);
1044 int dirent_type = dirent_type_arg;
1048 /* Why bother with the following if/else block? Because on systems with
1049 an unlink function that *can* unlink directories, we must determine the
1050 type of each entry before removing it. Otherwise, we'd risk unlinking
1051 an entire directory tree simply by unlinking a single directory; then
1052 all the storage associated with that hierarchy would not be freed until
1053 the next fsck. Not nice. To avoid that, on such slightly losing
1054 systems, we need to call lstat to determine the type of each entry,
1055 and that represents extra overhead that -- it turns out -- we can
1056 avoid on non-losing systems, since there, unlink will never remove
1057 a directory. Also, on systems where unlink may unlink directories,
1058 we're forced to allow a race condition: we lstat a non-directory, then
1059 go to unlink it, but in the mean time, a malicious someone could have
1060 replaced it with a directory. */
1062 if (cannot_unlink_dir ())
1064 if (dirent_type == DT_DIR && ! x->recursive)
1066 error (0, EISDIR, _("cannot remove %s"),
1067 quote (full_filename (filename)));
1071 /* is_empty_directory is set iff it's ok to use rmdir.
1072 Note that it's set only in interactive mode -- in which case it's
1073 an optimization that arranges so that the user is asked just
1074 once whether to remove the directory. */
1075 if (is_empty_directory == T_YES)
1076 DO_RMDIR (fd_cwd, filename, x);
1078 /* If we happen to know that FILENAME is a directory, return now
1079 and let the caller remove it -- this saves the overhead of a failed
1080 unlink call. If FILENAME is a command-line argument, then
1081 DIRENT_TYPE is DT_UNKNOWN so we'll first try to unlink it.
1082 Using unlink here is ok, because it cannot remove a
1084 if (dirent_type == DT_DIR)
1085 return RM_NONEMPTY_DIR;
1087 DO_UNLINK (fd_cwd, filename, x);
1089 /* Upon a failed attempt to unlink a directory, most non-Linux systems
1090 set errno to the POSIX-required value EPERM. In that case, change
1091 errno to EISDIR so that we emit a better diagnostic. */
1092 if (! x->recursive && errno == EPERM && is_dir_lstat (fd_cwd,
1097 || (cache_stat_ok (st) && !S_ISDIR (st->st_mode))
1098 || ((errno == EACCES || errno == EPERM)
1099 && is_nondir_lstat (fd_cwd, filename, st))
1102 if (ignorable_missing (x, errno))
1105 /* Either --recursive is not in effect, or the file cannot be a
1106 directory. Report the unlink problem and fail. */
1107 error (0, errno, _("cannot remove %s"),
1108 quote (full_filename (filename)));
1111 assert (!cache_stat_ok (st) || S_ISDIR (st->st_mode));
1115 /* If we don't already know whether FILENAME is a directory,
1116 find out now. Then, if it's a non-directory, we can use
1119 if (dirent_type == DT_UNKNOWN)
1121 if (fstatat (fd_cwd, filename, st, AT_SYMLINK_NOFOLLOW))
1123 if (ignorable_missing (x, errno))
1126 error (0, errno, _("cannot remove %s"),
1127 quote (full_filename (filename)));
1131 if (S_ISDIR (st->st_mode))
1132 dirent_type = DT_DIR;
1135 if (dirent_type != DT_DIR)
1137 /* At this point, barring race conditions, FILENAME is known
1138 to be a non-directory, so it's ok to try to unlink it. */
1139 DO_UNLINK (fd_cwd, filename, x);
1141 /* unlink failed with some other error code. report it. */
1142 error (0, errno, _("cannot remove %s"),
1143 quote (full_filename (filename)));
1149 error (0, EISDIR, _("cannot remove %s"),
1150 quote (full_filename (filename)));
1154 if (is_empty_directory == T_YES)
1156 DO_RMDIR (fd_cwd, filename, x);
1157 /* Don't diagnose any failure here.
1158 It'll be detected when the caller tries another way. */
1162 return RM_NONEMPTY_DIR;
1165 /* Given FD_CWD, the file descriptor for an open directory,
1166 open its subdirectory F (F is already `known' to be a directory,
1167 so if it is no longer one, someone is playing games), return a DIR*
1168 pointer for F, and put F's `stat' data in *SUBDIR_SB.
1169 Upon failure give a diagnostic and return NULL.
1170 If PREV_ERRNO is nonzero, it is the errno value from a preceding failed
1171 unlink- or rmdir-like system call -- use that value instead of ENOTDIR
1172 if an opened file turns out not to be a directory. This is important
1173 when the preceding non-dir-unlink failed due to e.g., EPERM or EACCES.
1174 The caller must use a nonnnull CWD_ERRNO the first
1175 time this function is called for each command-line-specified directory.
1176 If CWD_ERRNO is not null, set *CWD_ERRNO to the appropriate error number
1177 if this function fails to restore the initial working directory.
1178 If it is null, report an error and exit if the working directory
1181 fd_to_subdirp (int fd_cwd, char const *f,
1183 struct stat *subdir_sb,
1184 int *cwd_errno ATTRIBUTE_UNUSED)
1186 int open_flags = O_RDONLY | O_NOCTTY | O_NOFOLLOW | O_NONBLOCK;
1187 int fd_sub = openat_permissive (fd_cwd, f, open_flags, 0, cwd_errno);
1190 /* Record dev/ino of F. We may compare them against saved values
1191 to thwart any attempt to subvert the traversal. They are also used
1192 to detect directory cycles. */
1195 else if (fstat (fd_sub, subdir_sb) != 0)
1196 saved_errno = errno;
1197 else if (S_ISDIR (subdir_sb->st_mode))
1199 DIR *subdir_dirp = fdopendir (fd_sub);
1202 saved_errno = errno;
1205 saved_errno = (prev_errno ? prev_errno : ENOTDIR);
1208 errno = saved_errno;
1212 /* Remove entries in the directory open on DIRP
1213 Upon finding a directory that is both non-empty and that can be chdir'd
1214 into, return RM_OK and set *SUBDIR and fill in SUBDIR_SB, where
1215 SUBDIR is the malloc'd name of the subdirectory if the chdir succeeded,
1216 NULL otherwise (e.g., if opendir failed or if there was no subdirectory).
1217 Likewise, SUBDIR_SB is the result of calling lstat on SUBDIR.
1218 Return RM_OK if all entries are removed. Return RM_ERROR if any
1219 entry cannot be removed. Otherwise, return RM_USER_DECLINED if
1220 the user declines to remove at least one entry. Remove as much as
1221 possible, continuing even if we fail to remove some entries. */
1222 static enum RM_status
1223 remove_cwd_entries (DIR **dirp,
1224 Dirstack_state *ds, char **subdir, struct stat *subdir_sb,
1225 struct rm_options const *x)
1227 struct AD_ent *top = AD_stack_top (ds);
1228 enum RM_status status = top->status;
1229 size_t n_unlinked_since_opendir_or_last_rewind = 0;
1231 assert (VALID_STATUS (status));
1236 struct dirent const *dp;
1237 enum RM_status tmp_status;
1240 /* Set errno to zero so we can distinguish between a readdir failure
1241 and when readdir simply finds that there are no more entries. */
1243 dp = readdir_ignoring_dot_and_dotdot (*dirp);
1250 else if (NEED_REWIND (n_unlinked_since_opendir_or_last_rewind))
1252 /* Call rewinddir if we've called unlink or rmdir so many times
1253 (since the opendir or the previous rewinddir) that this
1254 NULL-return may be the symptom of a buggy readdir. */
1256 n_unlinked_since_opendir_or_last_rewind = 0;
1264 /* Skip files we've already tried/failed to remove. */
1265 if ( ! AD_is_removable (ds, f))
1268 /* Pass dp->d_type info to remove_entry so the non-glibc
1269 case can decide whether to use unlink or chdir.
1270 Systems without the d_type member will have to endure
1271 the performance hit of first calling lstat F. */
1272 cache_stat_init (subdir_sb);
1273 tmp_status = remove_entry (dirfd (*dirp), ds, f,
1274 D_TYPE (dp), subdir_sb, x);
1278 /* Count how many files we've unlinked since the initial
1279 opendir or the last rewinddir. On buggy systems, if you
1280 remove too many, readdir returns NULL even though there
1281 remain unprocessed directory entries. */
1282 ++n_unlinked_since_opendir_or_last_rewind;
1286 case RM_USER_DECLINED:
1287 AD_mark_as_unremovable (ds, f);
1288 UPDATE_STATUS (status, tmp_status);
1291 case RM_NONEMPTY_DIR:
1293 DIR *subdir_dirp = fd_to_subdirp (dirfd (*dirp), f,
1294 errno, subdir_sb, NULL);
1295 if (subdir_dirp == NULL)
1299 /* CAUTION: this test and diagnostic are identical to
1300 those following the other use of fd_to_subdirp. */
1301 if (ignorable_missing (x, errno))
1303 /* With -f, don't report "file not found". */
1307 /* Upon fd_to_subdirp failure, try to remove F directly,
1308 in case it's just an empty directory. */
1309 int saved_errno = errno;
1310 if (unlinkat (dirfd (*dirp), f, AT_REMOVEDIR) == 0)
1313 error (0, saved_errno,
1314 _("cannot remove %s"), quote (full_filename (f)));
1317 if (status == RM_ERROR)
1318 AD_mark_as_unremovable (ds, f);
1322 *subdir = xstrdup (f);
1323 if (closedir (*dirp) != 0)
1325 error (0, 0, _("failed to close directory %s"),
1326 quote (full_filename (".")));
1329 *dirp = subdir_dirp;
1335 /* Record status for this directory. */
1336 UPDATE_STATUS (top->status, status);
1342 /* Ensure that *dirp is not NULL and that its file descriptor is valid. */
1343 assert (*dirp != NULL);
1344 assert (0 <= fcntl (dirfd (*dirp), F_GETFD));
1349 /* Do this after each call to AD_push or AD_push_initial.
1350 Because the status = RM_OK bit is too remove-specific to
1351 go into the general-purpose AD_* package. */
1352 #define AD_INIT_OTHER_MEMBERS() \
1355 AD_stack_top(ds)->status = RM_OK; \
1359 /* Remove the hierarchy rooted at DIR.
1360 Do that by changing into DIR, then removing its contents, then
1361 returning to the original working directory and removing DIR itself.
1362 Don't use recursion. Be careful when using chdir ".." that we
1363 return to the same directory from which we came, if necessary.
1364 Return an RM_status value to indicate success or failure. */
1366 static enum RM_status
1367 remove_dir (int fd_cwd, Dirstack_state *ds, char const *dir,
1368 struct stat *dir_st,
1369 struct rm_options const *x, int *cwd_errno)
1371 enum RM_status status;
1372 dev_t current_dev = dir_st->st_dev;
1374 /* There is a race condition in that an attacker could replace the nonempty
1375 directory, DIR, with a symlink between the preceding call to rmdir
1376 (unlinkat, in our caller) and fd_to_subdirp's openat call. But on most
1377 systems, even those without openat, this isn't a problem, since we ensure
1378 that opening a symlink will fail, when that is possible. Otherwise,
1379 fd_to_subdirp's fstat, along with the `fstat' and the dev/ino
1380 comparison in AD_push ensure that we detect it and fail. */
1382 DIR *dirp = fd_to_subdirp (fd_cwd, dir, 0, dir_st, cwd_errno);
1386 /* CAUTION: this test and diagnostic are identical to
1387 those following the other use of fd_to_subdirp. */
1388 if (ignorable_missing (x, errno))
1390 /* With -f, don't report "file not found". */
1394 /* Upon fd_to_subdirp failure, try to remove DIR directly,
1395 in case it's just an empty directory. */
1396 int saved_errno = errno;
1397 if (unlinkat (fd_cwd, dir, AT_REMOVEDIR) == 0)
1400 error (0, saved_errno,
1401 _("cannot remove %s"), quote (full_filename (dir)));
1407 if (ROOT_DEV_INO_CHECK (x->root_dev_ino, dir_st))
1409 ROOT_DEV_INO_WARN (full_filename (dir));
1411 goto closedir_and_return;
1414 AD_push (dirfd (dirp), ds, dir, dir_st);
1415 AD_INIT_OTHER_MEMBERS ();
1421 char *subdir = NULL;
1422 struct stat subdir_sb;
1423 enum RM_status tmp_status;
1425 tmp_status = remove_cwd_entries (&dirp, ds, &subdir, &subdir_sb, x);
1427 if (tmp_status != RM_OK)
1429 UPDATE_STATUS (status, tmp_status);
1430 AD_mark_current_as_unremovable (ds);
1434 if ( ! x->one_file_system
1435 || subdir_sb.st_dev == current_dev)
1437 AD_push (dirfd (dirp), ds, subdir, &subdir_sb);
1438 AD_INIT_OTHER_MEMBERS ();
1443 /* Here, --one-file-system is in effect, and with remove_cwd_entries'
1444 traversal into the current directory, (known as SUBDIR, from ..),
1445 DIRP's device number is different from CURRENT_DEV. Arrange not
1446 to do anything more with this hierarchy. */
1447 error (0, 0, _("skipping %s, since it's on a different device"),
1448 quote (full_filename (subdir)));
1450 AD_mark_current_as_unremovable (ds);
1451 tmp_status = RM_ERROR;
1452 UPDATE_STATUS (status, tmp_status);
1455 /* Execution reaches this point when we've removed the last
1456 removable entry from the current directory -- or, with
1457 --one-file-system, when the current directory is on a
1458 different file system. */
1461 /* The name of the directory that we have just processed,
1462 nominally removing all of its contents. */
1463 char *empty_dir = AD_pop_and_chdir (dirp, &fd, ds);
1465 assert (fd != AT_FDCWD || AD_stack_height (ds) == 1);
1467 /* Try to remove EMPTY_DIR only if remove_cwd_entries succeeded. */
1468 if (tmp_status == RM_OK)
1470 struct stat empty_st;
1472 int dirent_type = DT_DIR;
1473 enum RM_status s = prompt (fd, ds, empty_dir, &dirent_type,
1474 cache_stat_init (&empty_st), x,
1475 PA_REMOVE_DIR, &is_empty);
1483 goto closedir_and_return;
1486 if (unlinkat (fd, empty_dir, AT_REMOVEDIR) == 0)
1489 printf (_("removed directory: %s\n"),
1490 quote (full_filename (empty_dir)));
1494 error (0, errno, _("cannot remove directory %s"),
1495 quote (full_filename (empty_dir)));
1496 AD_mark_as_unremovable (ds, empty_dir);
1498 UPDATE_STATUS (AD_stack_top(ds)->status, status);
1507 dirp = fdopendir (fd);
1510 error (0, errno, _("FATAL: cannot return to .. from %s"),
1511 quote (full_filename (".")));
1513 longjmp (ds->current_arg_jumpbuf, 1);
1518 /* If the first/final hash table of unremovable entries was used,
1522 closedir_and_return:;
1523 if (dirp != NULL && closedir (dirp) != 0)
1525 error (0, 0, _("failed to close directory %s"),
1526 quote (full_filename (".")));
1533 /* Remove the file or directory specified by FILENAME.
1534 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not. */
1536 static enum RM_status
1537 rm_1 (Dirstack_state *ds, char const *filename,
1538 struct rm_options const *x, int *cwd_errno)
1540 char const *base = last_component (filename);
1541 if (dot_or_dotdot (base))
1543 error (0, 0, _(base == filename
1544 ? "cannot remove directory %s"
1545 : "cannot remove %s directory %s"),
1546 quote_n (0, base), quote_n (1, filename));
1551 cache_stat_init (&st);
1552 cycle_check_init (&ds->cycle_check_state);
1553 if (x->root_dev_ino)
1555 if (cache_fstatat (AT_FDCWD, filename, &st, AT_SYMLINK_NOFOLLOW) != 0)
1557 if (ignorable_missing (x, errno))
1559 error (0, errno, _("cannot remove %s"), quote (filename));
1562 if (SAME_INODE (st, *(x->root_dev_ino)))
1564 error (0, 0, _("cannot remove root directory %s"), quote (filename));
1569 AD_push_initial (ds);
1570 AD_INIT_OTHER_MEMBERS ();
1572 enum RM_status status = remove_entry (AT_FDCWD, ds, filename,
1573 DT_UNKNOWN, &st, x);
1574 if (status == RM_NONEMPTY_DIR)
1576 /* In the event that remove_dir->remove_cwd_entries detects
1577 a directory cycle, arrange to fail, give up on this FILE, but
1578 continue on with any other arguments. */
1579 if (setjmp (ds->current_arg_jumpbuf))
1582 status = remove_dir (AT_FDCWD, ds, filename, &st, x, cwd_errno);
1584 AD_stack_clear (ds);
1591 /* Remove all files and/or directories specified by N_FILES and FILE.
1592 Apply the options in X. */
1593 extern enum RM_status
1594 rm (size_t n_files, char const *const *file, struct rm_options const *x)
1596 enum RM_status status = RM_OK;
1597 Dirstack_state *ds = ds_init ();
1601 for (i = 0; i < n_files; i++)
1603 if (cwd_errno && IS_RELATIVE_FILE_NAME (file[i]))
1605 error (0, 0, _("cannot remove relative-named %s"), quote (file[i]));
1610 enum RM_status s = rm_1 (ds, file[i], x, &cwd_errno);
1611 assert (VALID_STATUS (s));
1612 UPDATE_STATUS (status, s);
1616 if (x->require_restore_cwd && cwd_errno)
1618 error (0, cwd_errno,
1619 _("cannot restore current working directory"));