1 /* remove.c -- core functions for removing files and directories
2 Copyright (C) 88, 90, 91, 1994-2006 Free Software Foundation, Inc.
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2, or (at your option)
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software Foundation,
16 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */
18 /* Extracted from rm.c and librarified, then rewritten by Jim Meyering. */
22 #include <sys/types.h>
27 #include "cycle-check.h"
31 #include "euidaccess.h"
32 #include "euidaccess-stat.h"
33 #include "file-type.h"
41 #include "root-dev-ino.h"
42 #include "unlinkdir.h"
45 /* Avoid shadowing warnings because these are functions declared
46 in dirname.h as well as locals used below. */
47 #define dir_name rm_dir_name
48 #define dir_len rm_dir_len
50 #define obstack_chunk_alloc malloc
51 #define obstack_chunk_free free
53 /* This is the maximum number of consecutive readdir/unlink calls that
54 can be made (with no intervening rewinddir or closedir/opendir)
55 before triggering a bug that makes readdir return NULL even though
56 some directory entries have not been processed. The bug afflicts
57 SunOS's readdir when applied to ufs file systems and Darwin 6.5's
58 (and OSX v.10.3.8's) HFS+. This maximum is conservative in that
59 demonstrating the problem seems to require a directory containing
60 at least 254 deletable entries (which doesn't count . and ..), so
61 we could conceivably increase the maximum value to 254. */
64 CONSECUTIVE_READDIR_UNLINK_THRESHOLD = 200
73 typedef enum Ternary Ternary;
75 /* The prompt function may be called twice for a given directory.
76 The first time, we ask whether to descend into it, and the
77 second time, we ask whether to remove it. */
80 PA_DESCEND_INTO_DIR = 2,
84 /* Initial capacity of per-directory hash table of entries that have
85 been processed but not been deleted. */
86 enum { HT_UNREMOVABLE_INITIAL_CAPACITY = 13 };
88 /* An entry in the active directory stack.
89 Each entry corresponds to an `active' directory. */
92 /* For a given active directory, this is the set of names of
93 entries in that directory that could/should not be removed.
94 For example, `.' and `..', as well as files/dirs for which
95 unlink/rmdir failed e.g., due to access restrictions. */
96 Hash_table *unremovable;
98 /* Record the status for a given active directory; we need to know
99 whether an entry was not removed, either because of an error or
100 because the user declined. */
101 enum RM_status status;
103 /* The directory's dev/ino. Used to ensure that a malicious user does
104 not replace a directory we're about to process with a symlink to
105 some other directory. */
106 struct dev_ino dev_ino;
109 extern char *program_name;
111 struct dirstack_state
113 /* The name of the directory (starting with and relative to a command
114 line argument) being processed. When a subdirectory is entered, a new
115 component is appended (pushed). Remove (pop) the top component
116 upon chdir'ing out of a directory. This is used to form the full
117 name of the current directory or a file therein, when necessary. */
118 struct obstack dir_stack;
120 /* Stack of lengths of directory names (including trailing slash)
121 appended to dir_stack. We have to have a separate stack of lengths
122 (rather than just popping back to previous slash) because the first
123 element pushed onto the dir stack may contain slashes. */
124 struct obstack len_stack;
126 /* Stack of active directory entries.
127 The first `active' directory is the initial working directory.
128 Additional active dirs are pushed onto the stack as we `chdir'
129 into each directory to be processed. When finished with the
130 hierarchy under a directory, pop the active dir stack. */
131 struct obstack Active_dir;
133 /* Used to detect cycles. */
134 struct cycle_check_state cycle_check_state;
136 /* Target of a longjmp in case rm has to stop processing the current
137 command-line argument. This happens 1) when rm detects a directory
138 cycle or 2) when it has processed one or more directories, but then
139 is unable to return to the initial working directory to process
140 additional `.'-relative command-line arguments. */
141 jmp_buf current_arg_jumpbuf;
143 typedef struct dirstack_state Dirstack_state;
145 /* Just like close(fd), but don't modify errno. */
147 close_preserve_errno (int fd)
149 int saved_errno = errno;
150 int result = close (fd);
162 hash_compare_strings (void const *x, void const *y)
164 return STREQ (x, y) ? true : false;
168 push_dir (Dirstack_state *ds, const char *dir_name)
170 size_t len = strlen (dir_name);
172 /* Append the string onto the stack. */
173 obstack_grow (&ds->dir_stack, dir_name, len);
175 /* Append a trailing slash. */
176 obstack_1grow (&ds->dir_stack, '/');
178 /* Add one for the slash. */
181 /* Push the length (including slash) onto its stack. */
182 obstack_grow (&ds->len_stack, &len, sizeof (len));
185 /* Return the entry name of the directory on the top of the stack
186 in malloc'd storage. */
188 top_dir (Dirstack_state const *ds)
190 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
191 size_t *length = obstack_base (&ds->len_stack);
192 size_t top_len = length[n_lengths - 1];
193 char const *p = obstack_next_free (&ds->dir_stack) - top_len;
194 char *q = xmalloc (top_len);
195 memcpy (q, p, top_len - 1);
201 pop_dir (Dirstack_state *ds)
203 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
204 size_t *length = obstack_base (&ds->len_stack);
206 assert (n_lengths > 0);
207 size_t top_len = length[n_lengths - 1];
208 assert (top_len >= 2);
210 /* Pop the specified length of file name. */
211 assert (obstack_object_size (&ds->dir_stack) >= top_len);
212 obstack_blank (&ds->dir_stack, -top_len);
214 /* Pop the length stack, too. */
215 assert (obstack_object_size (&ds->len_stack) >= sizeof (size_t));
216 obstack_blank (&ds->len_stack, -(int) sizeof (size_t));
219 /* Copy the SRC_LEN bytes of data beginning at SRC into the DST_LEN-byte
220 buffer, DST, so that the last source byte is at the end of the destination
221 buffer. If SRC_LEN is longer than DST_LEN, then set *TRUNCATED.
222 Set *RESULT to point to the beginning of (the portion of) the source data
223 in DST. Return the number of bytes remaining in the destination buffer. */
226 right_justify (char *dst, size_t dst_len, const char *src, size_t src_len,
227 char **result, bool *truncated)
232 if (src_len <= dst_len)
235 dp = dst + (dst_len - src_len);
240 sp = src + (src_len - dst_len);
246 *result = memcpy (dp, sp, src_len);
247 return dst_len - src_len;
250 /* Using the global directory name obstack, create the full name FILENAME.
251 Return it in sometimes-realloc'd space that should not be freed by the
252 caller. Realloc as necessary. If realloc fails, use a static buffer
253 and put as long a suffix in that buffer as possible. */
255 #define full_filename(Filename) full_filename_ (ds, Filename)
257 full_filename_ (Dirstack_state const *ds, const char *filename)
259 static char *buf = NULL;
260 static size_t n_allocated = 0;
262 size_t dir_len = obstack_object_size (&ds->dir_stack);
263 char *dir_name = obstack_base (&ds->dir_stack);
264 size_t n_bytes_needed;
267 filename_len = strlen (filename);
268 n_bytes_needed = dir_len + filename_len + 1;
270 if (n_allocated < n_bytes_needed)
272 /* This code requires that realloc accept NULL as the first arg.
273 This function must not use xrealloc. Otherwise, an out-of-memory
274 error involving a file name to be expanded here wouldn't ever
275 be issued. Use realloc and fall back on using a static buffer
276 if memory allocation fails. */
277 char *new_buf = realloc (buf, n_bytes_needed);
278 n_allocated = n_bytes_needed;
282 #define SBUF_SIZE 512
283 #define ELLIPSES_PREFIX "[...]"
284 static char static_buf[SBUF_SIZE];
290 len = right_justify (static_buf, SBUF_SIZE, filename,
291 filename_len + 1, &p, &truncated);
292 right_justify (static_buf, len, dir_name, dir_len, &p, &truncated);
295 memcpy (static_buf, ELLIPSES_PREFIX,
296 sizeof (ELLIPSES_PREFIX) - 1);
304 if (filename_len == 1 && *filename == '.' && dir_len)
306 /* FILENAME is just `.' and dir_len is nonzero.
307 Copy the directory part, omitting the trailing slash,
308 and append a trailing zero byte. */
309 char *p = mempcpy (buf, dir_name, dir_len - 1);
314 /* Copy the directory part, including trailing slash, and then
315 append the filename part, including a trailing zero byte. */
316 memcpy (mempcpy (buf, dir_name, dir_len), filename, filename_len + 1);
317 assert (strlen (buf) + 1 == n_bytes_needed);
324 AD_stack_height (Dirstack_state const *ds)
326 return obstack_object_size (&ds->Active_dir) / sizeof (struct AD_ent);
329 static inline struct AD_ent *
330 AD_stack_top (Dirstack_state const *ds)
332 return (struct AD_ent *)
333 ((char *) obstack_next_free (&ds->Active_dir) - sizeof (struct AD_ent));
337 AD_stack_pop (Dirstack_state *ds)
339 assert (0 < AD_stack_height (ds));
341 /* operate on Active_dir. pop and free top entry */
342 struct AD_ent *top = AD_stack_top (ds);
343 if (top->unremovable)
344 hash_free (top->unremovable);
345 obstack_blank (&ds->Active_dir, -(int) sizeof (struct AD_ent));
349 AD_stack_clear (Dirstack_state *ds)
351 while (0 < AD_stack_height (ds))
357 static Dirstack_state *
360 Dirstack_state *ds = xmalloc (sizeof *ds);
361 obstack_init (&ds->dir_stack);
362 obstack_init (&ds->len_stack);
363 obstack_init (&ds->Active_dir);
368 ds_clear (Dirstack_state *ds)
370 obstack_free (&ds->dir_stack, obstack_finish (&ds->dir_stack));
371 obstack_free (&ds->len_stack, obstack_finish (&ds->len_stack));
372 while (0 < AD_stack_height (ds))
374 obstack_free (&ds->Active_dir, obstack_finish (&ds->Active_dir));
378 ds_free (Dirstack_state *ds)
380 obstack_free (&ds->dir_stack, NULL);
381 obstack_free (&ds->len_stack, NULL);
382 obstack_free (&ds->Active_dir, NULL);
386 /* Pop the active directory (AD) stack and move *DIRP `up' one level,
387 safely. Moving `up' usually means opening `..', but when we've just
388 finished recursively processing a command-line directory argument,
389 there's nothing left on the stack, so set *DIRP to NULL in that case.
390 The idea is to return with *DIRP opened on the parent directory,
391 assuming there are entries in that directory that we need to remove.
393 Whenever using chdir '..' (virtually, now, via openat), verify
394 that the post-chdir dev/ino numbers for `.' match the saved ones.
395 If any system call fails or if dev/ino don't match then give a
396 diagnostic and longjump out.
397 Set *PREV_DIR to the name (in malloc'd storage) of the
398 directory (usually now empty) from which we're coming, and which
399 corresponds to the input value of *DIRP. */
401 AD_pop_and_chdir (DIR **dirp, Dirstack_state *ds, char **prev_dir)
403 struct AD_ent *leaf_dir_ent = AD_stack_top(ds);
404 struct dev_ino leaf_dev_ino = leaf_dir_ent->dev_ino;
405 enum RM_status old_status = leaf_dir_ent->status;
408 /* Get the name of the current (but soon to be `previous') directory
409 from the top of the stack. */
410 *prev_dir = top_dir (ds);
414 top = AD_stack_top (ds);
416 /* If the directory we're about to leave (and try to rmdir)
417 is the one whose dev_ino is being used to detect a cycle,
418 reset cycle_check_state.dev_ino to that of the parent.
419 Otherwise, once that directory is removed, its dev_ino
420 could be reused in the creation (by some other process)
421 of a directory that this rm process would encounter,
422 which would result in a false-positive cycle indication. */
423 CYCLE_CHECK_REFLECT_CHDIR_UP (&ds->cycle_check_state,
424 top->dev_ino, leaf_dev_ino);
426 /* Propagate any failure to parent. */
427 UPDATE_STATUS (top->status, old_status);
429 assert (AD_stack_height (ds));
431 if (1 < AD_stack_height (ds))
434 int fd = openat (dirfd (*dirp), "..", O_RDONLY);
435 if (closedir (*dirp) != 0)
437 error (0, errno, _("FATAL: failed to close directory %s"),
438 quote (full_filename (*prev_dir)));
439 goto next_cmdline_arg;
442 /* The above fails with EACCES when *DIRP is readable but not
443 searchable, when using Solaris' openat. Without this openat
444 call, tests/rm2 would fail to remove directories a/2 and a/3. */
446 fd = openat (AT_FDCWD, full_filename ("."), O_RDONLY);
450 error (0, errno, _("FATAL: cannot open .. from %s"),
451 quote (full_filename (*prev_dir)));
452 goto next_cmdline_arg;
458 _("FATAL: cannot ensure %s (returned to via ..) is safe"),
459 quote (full_filename (".")));
463 /* Ensure that post-chdir dev/ino match the stored ones. */
464 if ( ! SAME_INODE (sb, top->dev_ino))
466 error (0, 0, _("FATAL: directory %s changed dev/ino"),
467 quote (full_filename (".")));
471 *dirp = fdopendir (fd);
474 error (0, errno, _("FATAL: cannot return to .. from %s"),
475 quote (full_filename (".")));
482 longjmp (ds->current_arg_jumpbuf, 1);
487 if (closedir (*dirp) != 0)
489 error (0, errno, _("FATAL: failed to close directory %s"),
490 quote (full_filename (*prev_dir)));
491 goto next_cmdline_arg;
497 /* Initialize *HT if it is NULL.
498 Insert FILENAME into HT. */
500 AD_mark_helper (Hash_table **ht, char const *filename)
504 *ht = hash_initialize (HT_UNREMOVABLE_INITIAL_CAPACITY, NULL, hash_pjw,
505 hash_compare_strings, hash_freer);
509 if (! hash_insert (*ht, filename))
513 /* Mark FILENAME (in current directory) as unremovable. */
515 AD_mark_as_unremovable (Dirstack_state *ds, char const *filename)
517 AD_mark_helper (&AD_stack_top(ds)->unremovable, xstrdup (filename));
520 /* Mark the current directory as unremovable. I.e., mark the entry
521 in the parent directory corresponding to `.'.
522 This happens e.g., when an opendir fails and the only name
523 the caller has conveniently at hand is `.'. */
525 AD_mark_current_as_unremovable (Dirstack_state *ds)
527 struct AD_ent *top = AD_stack_top (ds);
528 char const *curr = top_dir (ds);
530 assert (1 < AD_stack_height (ds));
533 AD_mark_helper (&top->unremovable, curr);
536 /* Push an initial dummy entry onto the stack.
537 This will always be the bottommost entry on the stack. */
539 AD_push_initial (Dirstack_state *ds)
543 /* Extend the stack. */
544 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
546 /* Fill in the new values. */
547 top = AD_stack_top (ds);
548 top->unremovable = NULL;
550 /* These should never be used.
551 Give them values that might look suspicious
552 in a debugger or in a diagnostic. */
553 top->dev_ino.st_dev = TYPE_MAXIMUM (dev_t);
554 top->dev_ino.st_ino = TYPE_MAXIMUM (ino_t);
557 /* Push info about the current working directory (".") onto the
558 active directory stack. DIR is the ./-relative name through
559 which we've just `chdir'd to this directory. DIR_SB_FROM_PARENT
560 is the result of calling lstat on DIR from the parent of DIR.
561 Longjump out (skipping the entire command line argument we're
562 dealing with) if `fstat (FD_CWD, ...' fails or if someone has
563 replaced DIR with e.g., a symlink to some other directory. */
565 AD_push (int fd_cwd, Dirstack_state *ds, char const *dir,
566 struct stat const *dir_sb_from_parent)
572 /* If our uses of openat are guaranteed not to
573 follow a symlink, then we can skip this check. */
577 if (fstat (fd_cwd, &sb) != 0)
579 error (0, errno, _("FATAL: cannot enter directory %s"),
580 quote (full_filename (".")));
581 longjmp (ds->current_arg_jumpbuf, 1);
584 if ( ! SAME_INODE (sb, *dir_sb_from_parent))
587 _("FATAL: just-changed-to directory %s changed dev/ino"),
588 quote (full_filename (".")));
589 longjmp (ds->current_arg_jumpbuf, 1);
593 if (cycle_check (&ds->cycle_check_state, dir_sb_from_parent))
596 WARNING: Circular directory structure.\n\
597 This almost certainly means that you have a corrupted file system.\n\
598 NOTIFY YOUR SYSTEM MANAGER.\n\
599 The following directory is part of the cycle:\n %s\n"),
600 quote (full_filename (".")));
601 longjmp (ds->current_arg_jumpbuf, 1);
604 /* Extend the stack. */
605 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
607 /* The active directory stack must be one larger than the length stack. */
608 assert (AD_stack_height (ds) ==
609 1 + obstack_object_size (&ds->len_stack) / sizeof (size_t));
611 /* Fill in the new values. */
612 top = AD_stack_top (ds);
613 top->dev_ino.st_dev = dir_sb_from_parent->st_dev;
614 top->dev_ino.st_ino = dir_sb_from_parent->st_ino;
615 top->unremovable = NULL;
619 AD_is_removable (Dirstack_state const *ds, char const *file)
621 struct AD_ent *top = AD_stack_top (ds);
622 return ! (top->unremovable && hash_lookup (top->unremovable, file));
625 /* Return true if DIR is determined to be an empty directory. */
627 is_empty_dir (int fd_cwd, char const *dir)
630 struct dirent const *dp;
632 int fd = openat (fd_cwd, dir,
633 (O_RDONLY | O_DIRECTORY
634 | O_NOCTTY | O_NOFOLLOW | O_NONBLOCK));
639 dirp = fdopendir (fd);
647 dp = readdir_ignoring_dot_and_dotdot (dirp);
652 return saved_errno == 0 ? true : false;
655 /* Return true if FILE is determined to be an unwritable non-symlink.
656 Otherwise, return false (including when lstat'ing it fails).
657 If lstat (aka fstatat) succeeds, set *BUF_P to BUF.
658 This is to avoid calling euidaccess when FILE is a symlink. */
660 write_protected_non_symlink (int fd_cwd,
662 Dirstack_state const *ds,
666 if (fstatat (fd_cwd, file, buf, AT_SYMLINK_NOFOLLOW) != 0)
669 if (S_ISLNK (buf->st_mode))
671 /* Here, we know FILE is not a symbolic link. */
673 /* In order to be reentrant -- i.e., to avoid changing the working
674 directory, and at the same time to be able to deal with alternate
675 access control mechanisms (ACLs, xattr-style attributes) and
676 arbitrarily deep trees -- we need a function like eaccessat, i.e.,
677 like Solaris' eaccess, but fd-relative, in the spirit of openat. */
679 /* In the absence of a native eaccessat function, here are some of
680 the implementation choices [#4 and #5 were suggested by Paul Eggert]:
681 1) call openat with O_WRONLY|O_NOCTTY
682 Disadvantage: may create the file and doesn't work for directory,
683 may mistakenly report `unwritable' for EROFS or ACLs even though
684 perm bits say the file is writable.
686 2) fake eaccessat (save_cwd, fchdir, call euidaccess, restore_cwd)
687 Disadvantage: changes working directory (not reentrant) and can't
688 work if save_cwd fails.
690 3) if (euidaccess (full_filename (file), W_OK) == 0)
691 Disadvantage: doesn't work if full_filename is too long.
692 Inefficient for very deep trees (O(Depth^2)).
694 4) If the full pathname is sufficiently short (say, less than
695 PATH_MAX or 8192 bytes, whichever is shorter):
696 use method (3) (i.e., euidaccess (full_filename (file), W_OK));
697 Otherwise: vfork, fchdir in the child, run euidaccess in the
698 child, then the child exits with a status that tells the parent
699 whether euidaccess succeeded.
701 This avoids the O(N**2) algorithm of method (3), and it also avoids
702 the failure-due-to-too-long-file-names of method (3), but it's fast
703 in the normal shallow case. It also avoids the lack-of-reentrancy
704 and the save_cwd problems.
705 Disadvantage; it uses a process slot for very-long file names,
706 and would be very slow for hierarchies with many such files.
708 5) If the full file name is sufficiently short (say, less than
709 PATH_MAX or 8192 bytes, whichever is shorter):
710 use method (3) (i.e., euidaccess (full_filename (file), W_OK));
711 Otherwise: look just at the file bits. Perhaps issue a warning
712 the first time this occurs.
714 This is like (4), except for the "Otherwise" case where it isn't as
715 "perfect" as (4) but is considerably faster. It conforms to current
716 POSIX, and is uniformly better than what Solaris and FreeBSD do (they
717 mess up with long file names). */
720 /* This implements #5: */
722 = obstack_object_size (&ds->dir_stack) + strlen (file);
724 return (file_name_len < MIN (PATH_MAX, 8192)
725 ? euidaccess (full_filename (file), W_OK) != 0 && errno == EACCES
726 : euidaccess_stat (buf, W_OK) != 0);
730 /* Prompt whether to remove FILENAME, if required via a combination of
731 the options specified by X and/or file attributes. If the file may
732 be removed, return RM_OK. If the user declines to remove the file,
733 return RM_USER_DECLINED. If not ignoring missing files and we
734 cannot lstat FILENAME, then return RM_ERROR.
736 Depending on MODE, ask whether to `descend into' or to `remove' the
737 directory FILENAME. MODE is ignored when FILENAME is not a directory.
738 Set *IS_EMPTY to T_YES if FILENAME is an empty directory, and it is
739 appropriate to try to remove it with rmdir (e.g. recursive mode).
740 Don't even try to set *IS_EMPTY when MODE == PA_REMOVE_DIR.
741 Set *IS_DIR to T_YES or T_NO if we happen to determine whether
742 FILENAME is a directory. */
743 static enum RM_status
744 prompt (int fd_cwd, Dirstack_state const *ds, char const *filename,
745 struct rm_options const *x, enum Prompt_action mode,
746 Ternary *is_dir, Ternary *is_empty)
748 bool write_protected = false;
749 struct stat *sbuf = NULL;
752 *is_empty = T_UNKNOWN;
755 if (((!x->ignore_missing_files & (x->interactive | x->stdin_tty))
756 && (write_protected = write_protected_non_symlink (fd_cwd, filename,
763 if (fstatat (fd_cwd, filename, sbuf, AT_SYMLINK_NOFOLLOW))
765 /* lstat failed. This happens e.g., with `rm '''. */
766 error (0, errno, _("cannot remove %s"),
767 quote (full_filename (filename)));
772 if (S_ISDIR (sbuf->st_mode) && !x->recursive)
774 error (0, EISDIR, _("cannot remove directory %s"),
775 quote (full_filename (filename)));
779 /* Using permissions doesn't make sense for symlinks. */
780 if (S_ISLNK (sbuf->st_mode))
782 if ( ! x->interactive)
784 write_protected = false;
787 /* Issue the prompt. */
789 char const *quoted_name = quote (full_filename (filename));
791 *is_dir = (S_ISDIR (sbuf->st_mode) ? T_YES : T_NO);
793 /* FIXME: use a variant of error (instead of fprintf) that doesn't
794 append a newline. Then we won't have to declare program_name in
796 if (S_ISDIR (sbuf->st_mode)
798 && mode == PA_DESCEND_INTO_DIR
799 && ((*is_empty = (is_empty_dir (fd_cwd, filename) ? T_YES : T_NO))
803 ? _("%s: descend into write-protected directory %s? ")
804 : _("%s: descend into directory %s? ")),
805 program_name, quoted_name);
808 /* TRANSLATORS: You may find it more convenient to translate
809 the equivalent of _("%s: remove %s (write-protected) %s? ").
810 It should avoid grammatical problems with the output
814 ? _("%s: remove write-protected %s %s? ")
815 : _("%s: remove %s %s? ")),
816 program_name, file_type (sbuf), quoted_name);
820 return RM_USER_DECLINED;
826 /* Return true if FILENAME is a directory (and not a symlink to a directory).
827 Otherwise, including the case in which lstat fails, return false.
828 Do not modify errno. */
830 is_dir_lstat (char const *filename)
833 int saved_errno = errno;
834 bool is_dir = lstat (filename, &sbuf) == 0 && S_ISDIR (sbuf.st_mode);
839 #if HAVE_STRUCT_DIRENT_D_TYPE
841 /* True if the type of the directory entry D is known. */
842 # define DT_IS_KNOWN(d) ((d)->d_type != DT_UNKNOWN)
844 /* True if the type of the directory entry D must be T. */
845 # define DT_MUST_BE(d, t) ((d)->d_type == (t))
848 # define DT_IS_KNOWN(d) false
849 # define DT_MUST_BE(d, t) false
852 #define DO_UNLINK(Fd_cwd, Filename, X) \
855 if (unlinkat (Fd_cwd, Filename, 0) == 0) \
858 printf (_("removed %s\n"), quote (full_filename (Filename))); \
862 if (errno == ENOENT && (X)->ignore_missing_files) \
867 #define DO_RMDIR(Fd_cwd, Filename, X) \
870 if (unlinkat (Fd_cwd, Filename, AT_REMOVEDIR) == 0) /* rmdir */ \
873 printf (_("removed directory: %s\n"), \
874 quote (full_filename (Filename))); \
878 if (errno == ENOENT && (X)->ignore_missing_files) \
881 if (errno == ENOTEMPTY || errno == EEXIST) \
882 return RM_NONEMPTY_DIR; \
886 /* Remove the file or directory specified by FILENAME.
887 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not.
888 But if FILENAME specifies a non-empty directory, return RM_NONEMPTY_DIR. */
890 static enum RM_status
891 remove_entry (int fd_cwd, Dirstack_state const *ds, char const *filename,
892 struct rm_options const *x, struct dirent const *dp)
895 Ternary is_empty_directory;
896 enum RM_status s = prompt (fd_cwd, ds, filename, x, PA_DESCEND_INTO_DIR,
897 &is_dir, &is_empty_directory);
902 /* Why bother with the following if/else block? Because on systems with
903 an unlink function that *can* unlink directories, we must determine the
904 type of each entry before removing it. Otherwise, we'd risk unlinking
905 an entire directory tree simply by unlinking a single directory; then
906 all the storage associated with that hierarchy would not be freed until
907 the next fsck. Not nice. To avoid that, on such slightly losing
908 systems, we need to call lstat to determine the type of each entry,
909 and that represents extra overhead that -- it turns out -- we can
910 avoid on non-losing systems, since there, unlink will never remove
911 a directory. Also, on systems where unlink may unlink directories,
912 we're forced to allow a race condition: we lstat a non-directory, then
913 go to unlink it, but in the mean time, a malicious someone could have
914 replaced it with a directory. */
916 if (cannot_unlink_dir ())
918 if (is_dir == T_YES && ! x->recursive)
920 error (0, EISDIR, _("cannot remove directory %s"),
921 quote (full_filename (filename)));
925 /* is_empty_directory is set iff it's ok to use rmdir.
926 Note that it's set only in interactive mode -- in which case it's
927 an optimization that arranges so that the user is asked just
928 once whether to remove the directory. */
929 if (is_empty_directory == T_YES)
930 DO_RMDIR (fd_cwd, filename, x);
932 /* If we happen to know that FILENAME is a directory, return now
933 and let the caller remove it -- this saves the overhead of a failed
934 unlink call. If FILENAME is a command-line argument, then dp is NULL,
935 so we'll first try to unlink it. Using unlink here is ok, because it
936 cannot remove a directory. */
937 if ((dp && DT_MUST_BE (dp, DT_DIR)) || is_dir == T_YES)
938 return RM_NONEMPTY_DIR;
940 DO_UNLINK (fd_cwd, filename, x);
942 /* Upon a failed attempt to unlink a directory, most non-Linux systems
943 set errno to the POSIX-required value EPERM. In that case, change
944 errno to EISDIR so that we emit a better diagnostic. */
945 if (! x->recursive && errno == EPERM && is_dir_lstat (filename))
949 || errno == ENOENT || errno == ENOTDIR
950 || errno == ELOOP || errno == ENAMETOOLONG)
952 /* Either --recursive is not in effect, or the file cannot be a
953 directory. Report the unlink problem and fail. */
954 error (0, errno, _("cannot remove %s"),
955 quote (full_filename (filename)));
961 /* If we don't already know whether FILENAME is a directory, find out now.
962 Then, if it's a non-directory, we can use unlink on it. */
963 if (is_dir == T_UNKNOWN)
965 if (dp && DT_IS_KNOWN (dp))
966 is_dir = DT_MUST_BE (dp, DT_DIR) ? T_YES : T_NO;
970 if (fstatat (fd_cwd, filename, &sbuf, AT_SYMLINK_NOFOLLOW))
972 if (errno == ENOENT && x->ignore_missing_files)
975 error (0, errno, _("cannot remove %s"),
976 quote (full_filename (filename)));
980 is_dir = S_ISDIR (sbuf.st_mode) ? T_YES : T_NO;
986 /* At this point, barring race conditions, FILENAME is known
987 to be a non-directory, so it's ok to try to unlink it. */
988 DO_UNLINK (fd_cwd, filename, x);
990 /* unlink failed with some other error code. report it. */
991 error (0, errno, _("cannot remove %s"),
992 quote (full_filename (filename)));
998 error (0, EISDIR, _("cannot remove directory %s"),
999 quote (full_filename (filename)));
1003 if (is_empty_directory == T_YES)
1005 DO_RMDIR (fd_cwd, filename, x);
1006 /* Don't diagnose any failure here.
1007 It'll be detected when the caller tries another way. */
1011 return RM_NONEMPTY_DIR;
1014 /* Given FD_CWD, the file descriptor for an open directory,
1015 open its subdirectory F (F is already `known' to be a directory,
1016 so if it is no longer one, someone is playing games), return a DIR*
1017 pointer for F, and put F's `stat' data in *SUBDIR_SB.
1018 Upon failure give a diagnostic and return NULL.
1019 If PREV_ERRNO is nonzero, it is the errno value from a preceding failed
1020 unlink- or rmdir-like system call -- use that value instead of ENOTDIR
1021 if an opened file turns out not to be a directory. This is important
1022 when the preceding non-dir-unlink failed due to e.g., EPERM or EACCES.
1023 The caller must use a nonnnull CWD_ERRNO the first
1024 time this function is called for each command-line-specified directory.
1025 If CWD_ERRNO is not null, set *CWD_ERRNO to the appropriate error number
1026 if this function fails to restore the initial working directory.
1027 If it is null, report an error and exit if the working directory
1030 fd_to_subdirp (int fd_cwd, char const *f,
1031 struct rm_options const *x, int prev_errno,
1032 struct stat *subdir_sb, Dirstack_state *ds,
1033 int *cwd_errno ATTRIBUTE_UNUSED)
1035 int open_flags = O_RDONLY | O_NOCTTY | O_NOFOLLOW | O_NONBLOCK;
1036 int fd_sub = openat_permissive (fd_cwd, f, open_flags, 0, cwd_errno);
1038 /* Record dev/ino of F. We may compare them against saved values
1039 to thwart any attempt to subvert the traversal. They are also used
1040 to detect directory cycles. */
1041 if (fd_sub < 0 || fstat (fd_sub, subdir_sb) != 0)
1044 close_preserve_errno (fd_sub);
1048 if (! S_ISDIR (subdir_sb->st_mode))
1050 errno = prev_errno ? prev_errno : ENOTDIR;
1051 close_preserve_errno (fd_sub);
1055 DIR *subdir_dirp = fdopendir (fd_sub);
1056 if (subdir_dirp == NULL)
1058 close_preserve_errno (fd_sub);
1065 /* Remove entries in the directory open on DIRP
1066 Upon finding a directory that is both non-empty and that can be chdir'd
1067 into, return RM_OK and set *SUBDIR and fill in SUBDIR_SB, where
1068 SUBDIR is the malloc'd name of the subdirectory if the chdir succeeded,
1069 NULL otherwise (e.g., if opendir failed or if there was no subdirectory).
1070 Likewise, SUBDIR_SB is the result of calling lstat on SUBDIR.
1071 Return RM_OK if all entries are removed. Return RM_ERROR if any
1072 entry cannot be removed. Otherwise, return RM_USER_DECLINED if
1073 the user declines to remove at least one entry. Remove as much as
1074 possible, continuing even if we fail to remove some entries. */
1075 static enum RM_status
1076 remove_cwd_entries (DIR **dirp,
1077 Dirstack_state *ds, char **subdir, struct stat *subdir_sb,
1078 struct rm_options const *x)
1080 struct AD_ent *top = AD_stack_top (ds);
1081 enum RM_status status = top->status;
1082 size_t n_unlinked_since_opendir_or_last_rewind = 0;
1084 assert (VALID_STATUS (status));
1089 struct dirent const *dp;
1090 enum RM_status tmp_status;
1093 /* Set errno to zero so we can distinguish between a readdir failure
1094 and when readdir simply finds that there are no more entries. */
1096 dp = readdir_ignoring_dot_and_dotdot (*dirp);
1103 else if (CONSECUTIVE_READDIR_UNLINK_THRESHOLD
1104 < n_unlinked_since_opendir_or_last_rewind)
1106 /* Call rewinddir if we've called unlink or rmdir so many times
1107 (since the opendir or the previous rewinddir) that this
1108 NULL-return may be the symptom of a buggy readdir. */
1110 n_unlinked_since_opendir_or_last_rewind = 0;
1118 /* Skip files we've already tried/failed to remove. */
1119 if ( ! AD_is_removable (ds, f))
1122 /* Pass dp->d_type info to remove_entry so the non-glibc
1123 case can decide whether to use unlink or chdir.
1124 Systems without the d_type member will have to endure
1125 the performance hit of first calling lstat F. */
1126 tmp_status = remove_entry (dirfd (*dirp), ds, f, x, dp);
1130 /* Count how many files we've unlinked since the initial
1131 opendir or the last rewinddir. On buggy systems, if you
1132 remove too many, readdir returns NULL even though there
1133 remain unprocessed directory entries. */
1134 ++n_unlinked_since_opendir_or_last_rewind;
1138 case RM_USER_DECLINED:
1139 AD_mark_as_unremovable (ds, f);
1140 UPDATE_STATUS (status, tmp_status);
1143 case RM_NONEMPTY_DIR:
1145 DIR *subdir_dirp = fd_to_subdirp (dirfd (*dirp), f,
1146 x, errno, subdir_sb, ds, NULL);
1147 if (subdir_dirp == NULL)
1151 /* CAUTION: this test and diagnostic are identical to
1152 those following the other use of fd_to_subdirp. */
1153 if (errno == ENOENT && x->ignore_missing_files)
1155 /* With -f, don't report "file not found". */
1159 /* Upon fd_to_subdirp failure, try to remove F directly,
1160 in case it's just an empty directory. */
1161 int saved_errno = errno;
1162 if (unlinkat (dirfd (*dirp), f, AT_REMOVEDIR) == 0)
1165 error (0, saved_errno,
1166 _("cannot remove %s"), quote (full_filename (f)));
1169 if (status == RM_ERROR)
1170 AD_mark_as_unremovable (ds, f);
1174 *subdir = xstrdup (f);
1175 if (closedir (*dirp) != 0)
1177 error (0, 0, _("failed to close directory %s"),
1178 quote (full_filename (".")));
1181 *dirp = subdir_dirp;
1187 /* Record status for this directory. */
1188 UPDATE_STATUS (top->status, status);
1194 /* Ensure that *dirp is not NULL and that its file descriptor is valid. */
1195 assert (*dirp != NULL);
1196 assert (0 <= fcntl (dirfd (*dirp), F_GETFD));
1201 /* Do this after each call to AD_push or AD_push_initial.
1202 Because the status = RM_OK bit is too remove-specific to
1203 go into the general-purpose AD_* package. */
1204 #define AD_INIT_OTHER_MEMBERS() \
1207 AD_stack_top(ds)->status = RM_OK; \
1211 /* Remove the hierarchy rooted at DIR.
1212 Do that by changing into DIR, then removing its contents, then
1213 returning to the original working directory and removing DIR itself.
1214 Don't use recursion. Be careful when using chdir ".." that we
1215 return to the same directory from which we came, if necessary.
1216 Return an RM_status value to indicate success or failure. */
1218 static enum RM_status
1219 remove_dir (int fd_cwd, Dirstack_state *ds, char const *dir,
1220 struct rm_options const *x, int *cwd_errno)
1222 enum RM_status status;
1225 /* There is a race condition in that an attacker could replace the nonempty
1226 directory, DIR, with a symlink between the preceding call to rmdir
1227 (unlinkat, in our caller) and fd_to_subdirp's openat call. But on most
1228 systems, even those without openat, this isn't a problem, since we ensure
1229 that opening a symlink will fail, when that is possible. Otherwise,
1230 fd_to_subdirp's fstat, along with the `fstat' and the dev/ino
1231 comparison in AD_push ensure that we detect it and fail. */
1233 DIR *dirp = fd_to_subdirp (fd_cwd, dir, x, 0, &dir_sb, ds, cwd_errno);
1237 /* CAUTION: this test and diagnostic are identical to
1238 those following the other use of fd_to_subdirp. */
1239 if (errno == ENOENT && x->ignore_missing_files)
1241 /* With -f, don't report "file not found". */
1245 /* Upon fd_to_subdirp failure, try to remove DIR directly,
1246 in case it's just an empty directory. */
1247 int saved_errno = errno;
1248 if (unlinkat (fd_cwd, dir, AT_REMOVEDIR) == 0)
1251 error (0, saved_errno,
1252 _("cannot remove %s"), quote (full_filename (dir)));
1258 if (ROOT_DEV_INO_CHECK (x->root_dev_ino, &dir_sb))
1260 ROOT_DEV_INO_WARN (full_filename (dir));
1262 goto closedir_and_return;
1265 AD_push (dirfd (dirp), ds, dir, &dir_sb);
1266 AD_INIT_OTHER_MEMBERS ();
1272 char *subdir = NULL;
1273 struct stat subdir_sb;
1274 enum RM_status tmp_status;
1276 tmp_status = remove_cwd_entries (&dirp, ds, &subdir, &subdir_sb, x);
1278 if (tmp_status != RM_OK)
1280 UPDATE_STATUS (status, tmp_status);
1281 AD_mark_current_as_unremovable (ds);
1285 AD_push (dirfd (dirp), ds, subdir, &subdir_sb);
1286 AD_INIT_OTHER_MEMBERS ();
1292 /* Execution reaches this point when we've removed the last
1293 removable entry from the current directory. */
1295 /* The name of the directory that we have just processed,
1296 nominally removing all of its contents. */
1299 AD_pop_and_chdir (&dirp, ds, &empty_dir);
1300 int fd = (dirp != NULL ? dirfd (dirp) : AT_FDCWD);
1301 assert (dirp != NULL || AD_stack_height (ds) == 1);
1303 /* Try to remove EMPTY_DIR only if remove_cwd_entries succeeded. */
1304 if (tmp_status == RM_OK)
1306 /* This does a little more work than necessary when it actually
1307 prompts the user. E.g., we already know that D is a directory
1308 and that it's almost certainly empty, yet we lstat it.
1309 But that's no big deal since we're interactive. */
1312 enum RM_status s = prompt (fd, ds, empty_dir, x,
1313 PA_REMOVE_DIR, &is_dir, &is_empty);
1319 goto closedir_and_return;
1322 if (unlinkat (fd, empty_dir, AT_REMOVEDIR) == 0)
1325 printf (_("removed directory: %s\n"),
1326 quote (full_filename (empty_dir)));
1330 error (0, errno, _("cannot remove directory %s"),
1331 quote (full_filename (empty_dir)));
1332 AD_mark_as_unremovable (ds, empty_dir);
1334 UPDATE_STATUS (AD_stack_top(ds)->status, status);
1340 if (AD_stack_height (ds) == 1)
1345 /* If the first/final hash table of unremovable entries was used,
1349 closedir_and_return:;
1350 if (dirp != NULL && closedir (dirp) != 0)
1352 error (0, 0, _("failed to close directory %s"),
1353 quote (full_filename (".")));
1360 /* Remove the file or directory specified by FILENAME.
1361 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not. */
1363 static enum RM_status
1364 rm_1 (Dirstack_state *ds, char const *filename,
1365 struct rm_options const *x, int *cwd_errno)
1367 char const *base = last_component (filename);
1368 if (DOT_OR_DOTDOT (base))
1370 error (0, 0, _("cannot remove `.' or `..'"));
1374 AD_push_initial (ds);
1375 AD_INIT_OTHER_MEMBERS ();
1377 int fd_cwd = AT_FDCWD;
1378 enum RM_status status = remove_entry (fd_cwd, ds, filename, x, NULL);
1379 if (status == RM_NONEMPTY_DIR)
1381 /* In the event that remove_dir->remove_cwd_entries detects
1382 a directory cycle, arrange to fail, give up on this FILE, but
1383 continue on with any other arguments. */
1384 if (setjmp (ds->current_arg_jumpbuf))
1387 status = remove_dir (fd_cwd, ds, filename, x, cwd_errno);
1389 AD_stack_clear (ds);
1397 /* Remove all files and/or directories specified by N_FILES and FILE.
1398 Apply the options in X. */
1399 extern enum RM_status
1400 rm (size_t n_files, char const *const *file, struct rm_options const *x)
1402 enum RM_status status = RM_OK;
1403 Dirstack_state *ds = ds_init ();
1407 for (i = 0; i < n_files; i++)
1409 if (cwd_errno && IS_RELATIVE_FILE_NAME (file[i]))
1411 error (0, 0, _("cannot remove relative-named %s"), quote (file[i]));
1416 cycle_check_init (&ds->cycle_check_state);
1417 enum RM_status s = rm_1 (ds, file[i], x, &cwd_errno);
1418 assert (VALID_STATUS (s));
1419 UPDATE_STATUS (status, s);
1422 if (x->require_restore_cwd && cwd_errno)
1424 error (0, cwd_errno,
1425 _("cannot restore current working directory"));