/* shred.c - overwrite files and devices to make it harder to recover data
Copyright (C) 1999-2020 Free Software Foundation, Inc.
Copyright (C) 1997, 1998, 1999 Colin Plumb.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see .
Written by Colin Plumb. */
/*
* Do a more secure overwrite of given files or devices, to make it harder
* for even very expensive hardware probing to recover the data.
*
* Although this process is also known as "wiping", I prefer the longer
* name both because I think it is more evocative of what is happening and
* because a longer name conveys a more appropriate sense of deliberateness.
*
* For the theory behind this, see "Secure Deletion of Data from Magnetic
* and Solid-State Memory", on line at
* https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
*
* Just for the record, reversing one or two passes of disk overwrite
* is not terribly difficult with hardware help. Hook up a good-quality
* digitizing oscilloscope to the output of the head preamplifier and copy
* the high-res digitized data to a computer for some off-line analysis.
* Read the "current" data and average all the pulses together to get an
* "average" pulse on the disk. Subtract this average pulse from all of
* the actual pulses and you can clearly see the "echo" of the previous
* data on the disk.
*
* Real hard drives have to balance the cost of the media, the head,
* and the read circuitry. They use better-quality media than absolutely
* necessary to limit the cost of the read circuitry. By throwing that
* assumption out, and the assumption that you want the data processed
* as fast as the hard drive can spin, you can do better.
*
* If asked to wipe a file, this also unlinks it, renaming it in a
* clever way to try to leave no trace of the original filename.
*
* This was inspired by a desire to improve on some code titled:
* Wipe V1.0-- Overwrite and delete files. S. 2/3/96
* but I've rewritten everything here so completely that no trace of
* the original remains.
*
* Thanks to:
* Bob Jenkins, for his good RNG work and patience with the FSF copyright
* paperwork.
* Jim Meyering, for his work merging this into the GNU fileutils while
* still letting me feel a sense of ownership and pride. Getting me to
* tolerate the GNU brace style was quite a feat of diplomacy.
* Paul Eggert, for lots of useful discussion and code. I disagree with
* an awful lot of his suggestions, but they're disagreements worth having.
*
* Things to think about:
* - Security: Is there any risk to the race
* between overwriting and unlinking a file? Will it do anything
* drastically bad if told to attack a named pipe or socket?
*/
/* The official name of this program (e.g., no 'g' prefix). */
#define PROGRAM_NAME "shred"
#define AUTHORS proper_name ("Colin Plumb")
#include
#include
#include
#include
#include
#include
#if defined __linux__ && HAVE_SYS_MTIO_H
# include
#endif
#include "system.h"
#include "argmatch.h"
#include "xdectoint.h"
#include "die.h"
#include "error.h"
#include "fcntl--.h"
#include "human.h"
#include "randint.h"
#include "randread.h"
#include "renameatu.h"
#include "stat-size.h"
/* Default number of times to overwrite. */
enum { DEFAULT_PASSES = 3 };
/* How many seconds to wait before checking whether to output another
verbose output line. */
enum { VERBOSE_UPDATE = 5 };
/* Sector size and corresponding mask, for recovering after write failures.
The size must be a power of 2. */
enum { SECTOR_SIZE = 512 };
enum { SECTOR_MASK = SECTOR_SIZE - 1 };
verify (0 < SECTOR_SIZE && (SECTOR_SIZE & SECTOR_MASK) == 0);
enum remove_method
{
remove_none = 0, /* the default: only wipe data. */
remove_unlink, /* don't obfuscate name, just unlink. */
remove_wipe, /* obfuscate name before unlink. */
remove_wipesync /* obfuscate name, syncing each byte, before unlink. */
};
static char const *const remove_args[] =
{
"unlink", "wipe", "wipesync", NULL
};
static enum remove_method const remove_methods[] =
{
remove_unlink, remove_wipe, remove_wipesync
};
struct Options
{
bool force; /* -f flag: chmod files if necessary */
size_t n_iterations; /* -n flag: Number of iterations */
off_t size; /* -s flag: size of file */
enum remove_method remove_file; /* -u flag: remove file after shredding */
bool verbose; /* -v flag: Print progress */
bool exact; /* -x flag: Do not round up file size */
bool zero_fill; /* -z flag: Add a final zero pass */
};
/* For long options that have no equivalent short option, use a
non-character as a pseudo short option, starting with CHAR_MAX + 1. */
enum
{
RANDOM_SOURCE_OPTION = CHAR_MAX + 1
};
static struct option const long_opts[] =
{
{"exact", no_argument, NULL, 'x'},
{"force", no_argument, NULL, 'f'},
{"iterations", required_argument, NULL, 'n'},
{"size", required_argument, NULL, 's'},
{"random-source", required_argument, NULL, RANDOM_SOURCE_OPTION},
{"remove", optional_argument, NULL, 'u'},
{"verbose", no_argument, NULL, 'v'},
{"zero", no_argument, NULL, 'z'},
{GETOPT_HELP_OPTION_DECL},
{GETOPT_VERSION_OPTION_DECL},
{NULL, 0, NULL, 0}
};
void
usage (int status)
{
if (status != EXIT_SUCCESS)
emit_try_help ();
else
{
printf (_("Usage: %s [OPTION]... FILE...\n"), program_name);
fputs (_("\
Overwrite the specified FILE(s) repeatedly, in order to make it harder\n\
for even very expensive hardware probing to recover the data.\n\
"), stdout);
fputs (_("\
\n\
If FILE is -, shred standard output.\n\
"), stdout);
emit_mandatory_arg_note ();
printf (_("\
-f, --force change permissions to allow writing if necessary\n\
-n, --iterations=N overwrite N times instead of the default (%d)\n\
--random-source=FILE get random bytes from FILE\n\
-s, --size=N shred this many bytes (suffixes like K, M, G accepted)\n\
"), DEFAULT_PASSES);
fputs (_("\
-u deallocate and remove file after overwriting\n\
--remove[=HOW] like -u but give control on HOW to delete; See below\n\
-v, --verbose show progress\n\
-x, --exact do not round file sizes up to the next full block;\n\
this is the default for non-regular files\n\
-z, --zero add a final overwrite with zeros to hide shredding\n\
"), stdout);
fputs (HELP_OPTION_DESCRIPTION, stdout);
fputs (VERSION_OPTION_DESCRIPTION, stdout);
fputs (_("\
\n\
Delete FILE(s) if --remove (-u) is specified. The default is not to remove\n\
the files because it is common to operate on device files like /dev/hda,\n\
and those files usually should not be removed.\n\
The optional HOW parameter indicates how to remove a directory entry:\n\
'unlink' => use a standard unlink call.\n\
'wipe' => also first obfuscate bytes in the name.\n\
'wipesync' => also sync each obfuscated byte to disk.\n\
The default mode is 'wipesync', but note it can be expensive.\n\
\n\
"), stdout);
fputs (_("\
CAUTION: shred assumes the file system and hardware overwrite data in place.\n\
Although this is common, many platforms operate otherwise. Also, backups\n\
and mirrors may contain unremovable copies that will let a shredded file\n\
be recovered later. See the GNU coreutils manual for details.\n\
"), stdout);
emit_ancillary_info (PROGRAM_NAME);
}
exit (status);
}
/*
* Determine if pattern type is periodic or not.
*/
static bool
periodic_pattern (int type)
{
if (type <= 0)
return false;
unsigned char r[3];
unsigned int bits = type & 0xfff;
bits |= bits << 12;
r[0] = (bits >> 4) & 255;
r[1] = (bits >> 8) & 255;
r[2] = bits & 255;
return (r[0] != r[1]) || (r[0] != r[2]);
}
/*
* Fill a buffer with a fixed pattern.
*
* The buffer must be at least 3 bytes long, even if
* size is less. Larger sizes are filled exactly.
*/
static void
fillpattern (int type, unsigned char *r, size_t size)
{
size_t i;
unsigned int bits = type & 0xfff;
bits |= bits << 12;
r[0] = (bits >> 4) & 255;
r[1] = (bits >> 8) & 255;
r[2] = bits & 255;
for (i = 3; i <= size / 2; i *= 2)
memcpy (r + i, r, i);
if (i < size)
memcpy (r + i, r, size - i);
/* Invert the first bit of every sector. */
if (type & 0x1000)
for (i = 0; i < size; i += SECTOR_SIZE)
r[i] ^= 0x80;
}
/*
* Generate a 6-character (+ nul) pass name string
* FIXME: allow translation of "random".
*/
#define PASS_NAME_SIZE 7
static void
passname (unsigned char const *data, char name[PASS_NAME_SIZE])
{
if (data)
sprintf (name, "%02x%02x%02x", data[0], data[1], data[2]);
else
memcpy (name, "random", PASS_NAME_SIZE);
}
/* Return true when it's ok to ignore an fsync or fdatasync
failure that set errno to ERRNO_VAL. */
static bool
ignorable_sync_errno (int errno_val)
{
return (errno_val == EINVAL
|| errno_val == EBADF
/* HP-UX does this */
|| errno_val == EISDIR);
}
/* Request that all data for FD be transferred to the corresponding
storage device. QNAME is the file name (quoted for colons).
Report any errors found. Return 0 on success, -1
(setting errno) on failure. It is not an error if fdatasync and/or
fsync is not supported for this file, or if the file is not a
writable file descriptor. */
static int
dosync (int fd, char const *qname)
{
int err;
#if HAVE_FDATASYNC
if (fdatasync (fd) == 0)
return 0;
err = errno;
if ( ! ignorable_sync_errno (err))
{
error (0, err, _("%s: fdatasync failed"), qname);
errno = err;
return -1;
}
#endif
if (fsync (fd) == 0)
return 0;
err = errno;
if ( ! ignorable_sync_errno (err))
{
error (0, err, _("%s: fsync failed"), qname);
errno = err;
return -1;
}
sync ();
return 0;
}
/* Turn on or off direct I/O mode for file descriptor FD, if possible.
Try to turn it on if ENABLE is true. Otherwise, try to turn it off. */
static void
direct_mode (int fd, bool enable)
{
if (O_DIRECT)
{
int fd_flags = fcntl (fd, F_GETFL);
if (0 < fd_flags)
{
int new_flags = (enable
? (fd_flags | O_DIRECT)
: (fd_flags & ~O_DIRECT));
if (new_flags != fd_flags)
fcntl (fd, F_SETFL, new_flags);
}
}
#if HAVE_DIRECTIO && defined DIRECTIO_ON && defined DIRECTIO_OFF
/* This is Solaris-specific. */
directio (fd, enable ? DIRECTIO_ON : DIRECTIO_OFF);
#endif
}
/* Rewind FD; its status is ST. */
static bool
dorewind (int fd, struct stat const *st)
{
if (S_ISCHR (st->st_mode))
{
#if defined __linux__ && HAVE_SYS_MTIO_H
/* In the Linux kernel, lseek does not work on tape devices; it
returns a randomish value instead. Try the low-level tape
rewind operation first. */
struct mtop op;
op.mt_op = MTREW;
op.mt_count = 1;
if (ioctl (fd, MTIOCTOP, &op) == 0)
return true;
#endif
}
off_t offset = lseek (fd, 0, SEEK_SET);
if (0 < offset)
errno = EINVAL;
return offset == 0;
}
/* By convention, negative sizes represent unknown values. */
static bool
known (off_t size)
{
return 0 <= size;
}
/*
* Do pass number K of N, writing *SIZEP bytes of the given pattern TYPE
* to the file descriptor FD. K and N are passed in only for verbose
* progress message purposes. If N == 0, no progress messages are printed.
*
* If *SIZEP == -1, the size is unknown, and it will be filled in as soon
* as writing fails with ENOSPC.
*
* Return 1 on write error, -1 on other error, 0 on success.
*/
static int
dopass (int fd, struct stat const *st, char const *qname, off_t *sizep,
int type, struct randread_source *s,
unsigned long int k, unsigned long int n)
{
off_t size = *sizep;
off_t offset; /* Current file position */
time_t thresh IF_LINT ( = 0); /* Time to maybe print next status update */
time_t now = 0; /* Current time */
size_t lim; /* Amount of data to try writing */
size_t soff; /* Offset into buffer for next write */
ssize_t ssize; /* Return value from write */
/* Fill pattern buffer. Aligning it to a page so we can do direct I/O. */
size_t page_size = getpagesize ();
#define PERIODIC_OUTPUT_SIZE (60 * 1024)
#define NONPERIODIC_OUTPUT_SIZE (64 * 1024)
verify (PERIODIC_OUTPUT_SIZE % 3 == 0);
size_t output_size = periodic_pattern (type)
? PERIODIC_OUTPUT_SIZE : NONPERIODIC_OUTPUT_SIZE;
#define PAGE_ALIGN_SLOP (page_size - 1) /* So directio works */
#define FILLPATTERN_SIZE (((output_size + 2) / 3) * 3) /* Multiple of 3 */
#define PATTERNBUF_SIZE (PAGE_ALIGN_SLOP + FILLPATTERN_SIZE)
void *fill_pattern_mem = xmalloc (PATTERNBUF_SIZE);
unsigned char *pbuf = ptr_align (fill_pattern_mem, page_size);
char pass_string[PASS_NAME_SIZE]; /* Name of current pass */
bool write_error = false;
bool other_error = false;
/* Printable previous offset into the file */
char previous_offset_buf[LONGEST_HUMAN_READABLE + 1];
char const *previous_human_offset IF_LINT ( = 0);
/* As a performance tweak, avoid direct I/O for small sizes,
as it's just a performance rather then security consideration,
and direct I/O can often be unsupported for small non aligned sizes. */
bool try_without_directio = 0 < size && size < output_size;
if (! try_without_directio)
direct_mode (fd, true);
if (! dorewind (fd, st))
{
error (0, errno, _("%s: cannot rewind"), qname);
other_error = true;
goto free_pattern_mem;
}
/* Constant fill patterns need only be set up once. */
if (type >= 0)
{
lim = known (size) && size < FILLPATTERN_SIZE ? size : FILLPATTERN_SIZE;
fillpattern (type, pbuf, lim);
passname (pbuf, pass_string);
}
else
{
passname (0, pass_string);
}
/* Set position if first status update */
if (n)
{
error (0, 0, _("%s: pass %lu/%lu (%s)..."), qname, k, n, pass_string);
thresh = time (NULL) + VERBOSE_UPDATE;
previous_human_offset = "";
}
offset = 0;
while (true)
{
/* How much to write this time? */
lim = output_size;
if (known (size) && size - offset < output_size)
{
if (size < offset)
break;
lim = size - offset;
if (!lim)
break;
}
if (type < 0)
randread (s, pbuf, lim);
/* Loop to retry partial writes. */
for (soff = 0; soff < lim; soff += ssize)
{
ssize = write (fd, pbuf + soff, lim - soff);
if (0 < ssize)
assume (ssize <= lim - soff);
else
{
if (! known (size) && (ssize == 0 || errno == ENOSPC))
{
/* We have found the end of the file. */
if (soff <= OFF_T_MAX - offset)
*sizep = size = offset + soff;
break;
}
else
{
int errnum = errno;
char buf[INT_BUFSIZE_BOUND (uintmax_t)];
/* Retry without direct I/O since this may not be supported
at all on some (file) systems, or with the current size.
I.e., a specified --size that is not aligned, or when
dealing with slop at the end of a file with --exact. */
if (! try_without_directio && errno == EINVAL)
{
direct_mode (fd, false);
ssize = 0;
try_without_directio = true;
continue;
}
error (0, errnum, _("%s: error writing at offset %s"),
qname, umaxtostr (offset + soff, buf));
/* 'shred' is often used on bad media, before throwing it
out. Thus, it shouldn't give up on bad blocks. This
code works because lim is always a multiple of
SECTOR_SIZE, except at the end. This size constraint
also enables direct I/O on some (file) systems. */
verify (PERIODIC_OUTPUT_SIZE % SECTOR_SIZE == 0);
verify (NONPERIODIC_OUTPUT_SIZE % SECTOR_SIZE == 0);
if (errnum == EIO && known (size)
&& (soff | SECTOR_MASK) < lim)
{
size_t soff1 = (soff | SECTOR_MASK) + 1;
if (lseek (fd, offset + soff1, SEEK_SET) != -1)
{
/* Arrange to skip this block. */
ssize = soff1 - soff;
write_error = true;
continue;
}
error (0, errno, _("%s: lseek failed"), qname);
}
other_error = true;
goto free_pattern_mem;
}
}
}
/* Okay, we have written "soff" bytes. */
if (OFF_T_MAX - offset < soff)
{
error (0, 0, _("%s: file too large"), qname);
other_error = true;
goto free_pattern_mem;
}
offset += soff;
bool done = offset == size;
/* Time to print progress? */
if (n && ((done && *previous_human_offset)
|| thresh <= (now = time (NULL))))
{
char offset_buf[LONGEST_HUMAN_READABLE + 1];
char size_buf[LONGEST_HUMAN_READABLE + 1];
int human_progress_opts = (human_autoscale | human_SI
| human_base_1024 | human_B);
char const *human_offset
= human_readable (offset, offset_buf,
human_floor | human_progress_opts, 1, 1);
if (done || !STREQ (previous_human_offset, human_offset))
{
if (! known (size))
error (0, 0, _("%s: pass %lu/%lu (%s)...%s"),
qname, k, n, pass_string, human_offset);
else
{
uintmax_t off = offset;
int percent = (size == 0
? 100
: (off <= TYPE_MAXIMUM (uintmax_t) / 100
? off * 100 / size
: off / (size / 100)));
char const *human_size
= human_readable (size, size_buf,
human_ceiling | human_progress_opts,
1, 1);
if (done)
human_offset = human_size;
error (0, 0, _("%s: pass %lu/%lu (%s)...%s/%s %d%%"),
qname, k, n, pass_string, human_offset, human_size,
percent);
}
strcpy (previous_offset_buf, human_offset);
previous_human_offset = previous_offset_buf;
thresh = now + VERBOSE_UPDATE;
/*
* Force periodic syncs to keep displayed progress accurate
* FIXME: Should these be present even if -v is not enabled,
* to keep the buffer cache from filling with dirty pages?
* It's a common problem with programs that do lots of writes,
* like mkfs.
*/
if (dosync (fd, qname) != 0)
{
if (errno != EIO)
{
other_error = true;
goto free_pattern_mem;
}
write_error = true;
}
}
}
}
/* Force what we just wrote to hit the media. */
if (dosync (fd, qname) != 0)
{
if (errno != EIO)
{
other_error = true;
goto free_pattern_mem;
}
write_error = true;
}
free_pattern_mem:
free (fill_pattern_mem);
return other_error ? -1 : write_error;
}
/*
* The passes start and end with a random pass, and the passes in between
* are done in random order. The idea is to deprive someone trying to
* reverse the process of knowledge of the overwrite patterns, so they
* have the additional step of figuring out what was done to the disk
* before they can try to reverse or cancel it.
*
* First, all possible 1-bit patterns. There are two of them.
* Then, all possible 2-bit patterns. There are four, but the two
* which are also 1-bit patterns can be omitted.
* Then, all possible 3-bit patterns. Likewise, 8-2 = 6.
* Then, all possible 4-bit patterns. 16-4 = 12.
*
* The basic passes are:
* 1-bit: 0x000, 0xFFF
* 2-bit: 0x555, 0xAAA
* 3-bit: 0x249, 0x492, 0x924, 0x6DB, 0xB6D, 0xDB6 (+ 1-bit)
* 100100100100 110110110110
* 9 2 4 D B 6
* 4-bit: 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
* 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE (+ 1-bit, 2-bit)
* Adding three random passes at the beginning, middle and end
* produces the default 25-pass structure.
*
* The next extension would be to 5-bit and 6-bit patterns.
* There are 30 uncovered 5-bit patterns and 64-8-2 = 46 uncovered
* 6-bit patterns, so they would increase the time required
* significantly. 4-bit patterns are enough for most purposes.
*
* The main gotcha is that this would require a trickier encoding,
* since lcm(2,3,4) = 12 bits is easy to fit into an int, but
* lcm(2,3,4,5) = 60 bits is not.
*
* One extension that is included is to complement the first bit in each
* 512-byte block, to alter the phase of the encoded data in the more
* complex encodings. This doesn't apply to MFM, so the 1-bit patterns
* are considered part of the 3-bit ones and the 2-bit patterns are
* considered part of the 4-bit patterns.
*
*
* How does the generalization to variable numbers of passes work?
*
* Here's how...
* Have an ordered list of groups of passes. Each group is a set.
* Take as many groups as will fit, plus a random subset of the
* last partial group, and place them into the passes list.
* Then shuffle the passes list into random order and use that.
*
* One extra detail: if we can't include a large enough fraction of the
* last group to be interesting, then just substitute random passes.
*
* If you want more passes than the entire list of groups can
* provide, just start repeating from the beginning of the list.
*/
static int const
patterns[] =
{
-2, /* 2 random passes */
2, 0x000, 0xFFF, /* 1-bit */
2, 0x555, 0xAAA, /* 2-bit */
-1, /* 1 random pass */
6, 0x249, 0x492, 0x6DB, 0x924, 0xB6D, 0xDB6, /* 3-bit */
12, 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE, /* 4-bit */
-1, /* 1 random pass */
/* The following patterns have the first bit per block flipped */
8, 0x1000, 0x1249, 0x1492, 0x16DB, 0x1924, 0x1B6D, 0x1DB6, 0x1FFF,
14, 0x1111, 0x1222, 0x1333, 0x1444, 0x1555, 0x1666, 0x1777,
0x1888, 0x1999, 0x1AAA, 0x1BBB, 0x1CCC, 0x1DDD, 0x1EEE,
-1, /* 1 random pass */
0 /* End */
};
/*
* Generate a random wiping pass pattern with num passes.
* This is a two-stage process. First, the passes to include
* are chosen, and then they are shuffled into the desired
* order.
*/
static void
genpattern (int *dest, size_t num, struct randint_source *s)
{
size_t randpasses;
int const *p;
int *d;
size_t n;
size_t accum, top, swap;
int k;
if (!num)
return;
/* Stage 1: choose the passes to use */
p = patterns;
randpasses = 0;
d = dest; /* Destination for generated pass list */
n = num; /* Passes remaining to fill */
while (true)
{
k = *p++; /* Block descriptor word */
if (!k)
{ /* Loop back to the beginning */
p = patterns;
}
else if (k < 0)
{ /* -k random passes */
k = -k;
if ((size_t) k >= n)
{
randpasses += n;
break;
}
randpasses += k;
n -= k;
}
else if ((size_t) k <= n)
{ /* Full block of patterns */
memcpy (d, p, k * sizeof (int));
p += k;
d += k;
n -= k;
}
else if (n < 2 || 3 * n < (size_t) k)
{ /* Finish with random */
randpasses += n;
break;
}
else
{ /* Pad out with n of the k available */
do
{
if (n == (size_t) k || randint_choose (s, k) < n)
{
*d++ = *p;
n--;
}
p++;
k--;
}
while (n);
break;
}
}
top = num - randpasses; /* Top of initialized data */
/* assert (d == dest+top); */
/*
* We now have fixed patterns in the dest buffer up to
* "top", and we need to scramble them, with "randpasses"
* random passes evenly spaced among them.
*
* We want one at the beginning, one at the end, and
* evenly spaced in between. To do this, we basically
* use Bresenham's line draw (a.k.a DDA) algorithm
* to draw a line with slope (randpasses-1)/(num-1).
* (We use a positive accumulator and count down to
* do this.)
*
* So for each desired output value, we do the following:
* - If it should be a random pass, copy the pass type
* to top++, out of the way of the other passes, and
* set the current pass to -1 (random).
* - If it should be a normal pattern pass, choose an
* entry at random between here and top-1 (inclusive)
* and swap the current entry with that one.
*/
randpasses--; /* To speed up later math */
accum = randpasses; /* Bresenham DDA accumulator */
for (n = 0; n < num; n++)
{
if (accum <= randpasses)
{
accum += num - 1;
dest[top++] = dest[n];
dest[n] = -1;
}
else
{
swap = n + randint_choose (s, top - n);
k = dest[n];
dest[n] = dest[swap];
dest[swap] = k;
}
accum -= randpasses;
}
/* assert (top == num); */
}
/*
* The core routine to actually do the work. This overwrites the first
* size bytes of the given fd. Return true if successful.
*/
static bool
do_wipefd (int fd, char const *qname, struct randint_source *s,
struct Options const *flags)
{
size_t i;
struct stat st;
off_t size; /* Size to write, size to read */
off_t i_size = 0; /* For small files, initial size to overwrite inode */
unsigned long int n; /* Number of passes for printing purposes */
int *passarray;
bool ok = true;
struct randread_source *rs;
n = 0; /* dopass takes n == 0 to mean "don't print progress" */
if (flags->verbose)
n = flags->n_iterations + flags->zero_fill;
if (fstat (fd, &st))
{
error (0, errno, _("%s: fstat failed"), qname);
return false;
}
/* If we know that we can't possibly shred the file, give up now.
Otherwise, we may go into an infinite loop writing data before we
find that we can't rewind the device. */
if ((S_ISCHR (st.st_mode) && isatty (fd))
|| S_ISFIFO (st.st_mode)
|| S_ISSOCK (st.st_mode))
{
error (0, 0, _("%s: invalid file type"), qname);
return false;
}
else if (S_ISREG (st.st_mode) && st.st_size < 0)
{
error (0, 0, _("%s: file has negative size"), qname);
return false;
}
/* Allocate pass array */
passarray = xnmalloc (flags->n_iterations, sizeof *passarray);
size = flags->size;
if (size == -1)
{
if (S_ISREG (st.st_mode))
{
size = st.st_size;
if (! flags->exact)
{
/* Round up to the nearest block size to clear slack space. */
off_t remainder = size % ST_BLKSIZE (st);
if (size && size < ST_BLKSIZE (st))
i_size = size;
if (remainder != 0)
{
off_t size_incr = ST_BLKSIZE (st) - remainder;
size += MIN (size_incr, OFF_T_MAX - size);
}
}
}
else
{
/* The behavior of lseek is unspecified, but in practice if
it returns a positive number that's the size of this
device. */
size = lseek (fd, 0, SEEK_END);
if (size <= 0)
{
/* We are unable to determine the length, up front.
Let dopass do that as part of its first iteration. */
size = -1;
}
}
}
else if (S_ISREG (st.st_mode)
&& st.st_size < MIN (ST_BLKSIZE (st), size))
i_size = st.st_size;
/* Schedule the passes in random order. */
genpattern (passarray, flags->n_iterations, s);
rs = randint_get_source (s);
while (true)
{
off_t pass_size;
unsigned long int pn = n;
if (i_size)
{
pass_size = i_size;
i_size = 0;
pn = 0;
}
else if (size)
{
pass_size = size;
size = 0;
}
/* TODO: consider handling tail packing by
writing the tail padding as a separate pass,
(that would not rewind). */
else
break;
for (i = 0; i < flags->n_iterations + flags->zero_fill; i++)
{
int err = 0;
int type = i < flags->n_iterations ? passarray[i] : 0;
err = dopass (fd, &st, qname, &pass_size, type, rs, i + 1, pn);
if (err)
{
ok = false;
if (err < 0)
goto wipefd_out;
}
}
}
/* Now deallocate the data. The effect of ftruncate is specified
on regular files and shared memory objects (also directories, but
they are not possible here); don't worry about errors reported
for other file types. */
if (flags->remove_file && ftruncate (fd, 0) != 0
&& (S_ISREG (st.st_mode) || S_TYPEISSHM (&st)))
{
error (0, errno, _("%s: error truncating"), qname);
ok = false;
goto wipefd_out;
}
wipefd_out:
free (passarray);
return ok;
}
/* A wrapper with a little more checking for fds on the command line */
static bool
wipefd (int fd, char const *qname, struct randint_source *s,
struct Options const *flags)
{
int fd_flags = fcntl (fd, F_GETFL);
if (fd_flags < 0)
{
error (0, errno, _("%s: fcntl failed"), qname);
return false;
}
if (fd_flags & O_APPEND)
{
error (0, 0, _("%s: cannot shred append-only file descriptor"), qname);
return false;
}
return do_wipefd (fd, qname, s, flags);
}
/* --- Name-wiping code --- */
/* Characters allowed in a file name - a safe universal set. */
static char const nameset[] =
"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_.";
/* Increment NAME (with LEN bytes). NAME must be a big-endian base N
number with the digits taken from nameset. Return true if successful.
Otherwise, (because NAME already has the greatest possible value)
return false. */
static bool
incname (char *name, size_t len)
{
while (len--)
{
char const *p = strchr (nameset, name[len]);
/* Given that NAME is composed of bytes from NAMESET,
P will never be NULL here. */
assert (p);
/* If this character has a successor, use it. */
if (p[1])
{
name[len] = p[1];
return true;
}
/* Otherwise, set this digit to 0 and increment the prefix. */
name[len] = nameset[0];
}
return false;
}
/*
* Repeatedly rename a file with shorter and shorter names,
* to obliterate all traces of the file name (and length) on any system
* that adds a trailing delimiter to on-disk file names and reuses
* the same directory slot. Finally, unlink it.
* The passed-in filename is modified in place to the new filename.
* (Which is unlinked if this function succeeds, but is still present if
* it fails for some reason.)
*
* The main loop is written carefully to not get stuck if all possible
* names of a given length are occupied. It counts down the length from
* the original to 0. While the length is non-zero, it tries to find an
* unused file name of the given length. It continues until either the
* name is available and the rename succeeds, or it runs out of names
* to try (incname wraps and returns 1). Finally, it unlinks the file.
*
* The unlink is Unix-specific, as ANSI-standard remove has more
* portability problems with C libraries making it "safe". rename
* is ANSI-standard.
*
* To force the directory data out, we try to open the directory and
* invoke fdatasync and/or fsync on it. This is non-standard, so don't
* insist that it works: just fall back to a global sync in that case.
* This is fairly significantly Unix-specific. Of course, on any
* file system with synchronous metadata updates, this is unnecessary.
*/
static bool
wipename (char *oldname, char const *qoldname, struct Options const *flags)
{
char *newname = xstrdup (oldname);
char *base = last_component (newname);
char *dir = dir_name (newname);
char *qdir = xstrdup (quotef (dir));
bool first = true;
bool ok = true;
int dir_fd = -1;
if (flags->remove_file == remove_wipesync)
dir_fd = open (dir, O_RDONLY | O_DIRECTORY | O_NOCTTY | O_NONBLOCK);
if (flags->verbose)
error (0, 0, _("%s: removing"), qoldname);
if (flags->remove_file != remove_unlink)
for (size_t len = base_len (base); len != 0; len--)
{
memset (base, nameset[0], len);
base[len] = 0;
bool rename_ok;
while (! (rename_ok = (renameatu (AT_FDCWD, oldname, AT_FDCWD, newname,
RENAME_NOREPLACE)
== 0))
&& errno == EEXIST && incname (base, len))
continue;
if (rename_ok)
{
if (0 <= dir_fd && dosync (dir_fd, qdir) != 0)
ok = false;
if (flags->verbose)
{
/* People seem to understand this better than talking
about renaming OLDNAME. NEWNAME doesn't need
quoting because we picked it. OLDNAME needs to be
quoted only the first time. */
char const *old = first ? qoldname : oldname;
error (0, 0,
_("%s: renamed to %s"), old, newname);
first = false;
}
memcpy (oldname + (base - newname), base, len + 1);
}
}
if (unlink (oldname) != 0)
{
error (0, errno, _("%s: failed to remove"), qoldname);
ok = false;
}
else if (flags->verbose)
error (0, 0, _("%s: removed"), qoldname);
if (0 <= dir_fd)
{
if (dosync (dir_fd, qdir) != 0)
ok = false;
if (close (dir_fd) != 0)
{
error (0, errno, _("%s: failed to close"), qdir);
ok = false;
}
}
free (newname);
free (dir);
free (qdir);
return ok;
}
/*
* Finally, the function that actually takes a filename and grinds
* it into hamburger.
*
* FIXME
* Detail to note: since we do not restore errno to EACCES after
* a failed chmod, we end up printing the error code from the chmod.
* This is actually the error that stopped us from proceeding, so
* it's arguably the right one, and in practice it'll be either EACCES
* again or EPERM, which both give similar error messages.
* Does anyone disagree?
*/
static bool
wipefile (char *name, char const *qname,
struct randint_source *s, struct Options const *flags)
{
bool ok;
int fd;
fd = open (name, O_WRONLY | O_NOCTTY | O_BINARY);
if (fd < 0
&& (errno == EACCES && flags->force)
&& chmod (name, S_IWUSR) == 0)
fd = open (name, O_WRONLY | O_NOCTTY | O_BINARY);
if (fd < 0)
{
error (0, errno, _("%s: failed to open for writing"), qname);
return false;
}
ok = do_wipefd (fd, qname, s, flags);
if (close (fd) != 0)
{
error (0, errno, _("%s: failed to close"), qname);
ok = false;
}
if (ok && flags->remove_file)
ok = wipename (name, qname, flags);
return ok;
}
/* Buffers for random data. */
static struct randint_source *randint_source;
/* Just on general principles, wipe buffers containing information
that may be related to the possibly-pseudorandom values used during
shredding. */
static void
clear_random_data (void)
{
randint_all_free (randint_source);
}
int
main (int argc, char **argv)
{
bool ok = true;
struct Options flags = { 0, };
char **file;
int n_files;
int c;
int i;
char const *random_source = NULL;
initialize_main (&argc, &argv);
set_program_name (argv[0]);
setlocale (LC_ALL, "");
bindtextdomain (PACKAGE, LOCALEDIR);
textdomain (PACKAGE);
atexit (close_stdout);
flags.n_iterations = DEFAULT_PASSES;
flags.size = -1;
while ((c = getopt_long (argc, argv, "fn:s:uvxz", long_opts, NULL)) != -1)
{
switch (c)
{
case 'f':
flags.force = true;
break;
case 'n':
flags.n_iterations = xdectoumax (optarg, 0,
MIN (ULONG_MAX,
SIZE_MAX / sizeof (int)), "",
_("invalid number of passes"), 0);
break;
case RANDOM_SOURCE_OPTION:
if (random_source && !STREQ (random_source, optarg))
die (EXIT_FAILURE, 0, _("multiple random sources specified"));
random_source = optarg;
break;
case 'u':
if (optarg == NULL)
flags.remove_file = remove_wipesync;
else
flags.remove_file = XARGMATCH ("--remove", optarg,
remove_args, remove_methods);
break;
case 's':
flags.size = xnumtoumax (optarg, 0, 0, OFF_T_MAX, "cbBkKMGTPEZY0",
_("invalid file size"), 0);
break;
case 'v':
flags.verbose = true;
break;
case 'x':
flags.exact = true;
break;
case 'z':
flags.zero_fill = true;
break;
case_GETOPT_HELP_CHAR;
case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
default:
usage (EXIT_FAILURE);
}
}
file = argv + optind;
n_files = argc - optind;
if (n_files == 0)
{
error (0, 0, _("missing file operand"));
usage (EXIT_FAILURE);
}
randint_source = randint_all_new (random_source, SIZE_MAX);
if (! randint_source)
die (EXIT_FAILURE, errno, "%s", quotef (random_source));
atexit (clear_random_data);
for (i = 0; i < n_files; i++)
{
char *qname = xstrdup (quotef (file[i]));
if (STREQ (file[i], "-"))
{
ok &= wipefd (STDOUT_FILENO, qname, randint_source, &flags);
}
else
{
/* Plain filename - Note that this overwrites *argv! */
ok &= wipefile (file[i], qname, randint_source, &flags);
}
free (qname);
}
return ok ? EXIT_SUCCESS : EXIT_FAILURE;
}
/*
* vim:sw=2:sts=2:
*/