1 /* remove.c -- core functions for removing files and directories
2 Copyright (C) 88, 90, 91, 1994-2009 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
17 /* Extracted from rm.c and librarified, then rewritten by Jim Meyering. */
21 #include <sys/types.h>
26 #include "cycle-check.h"
28 #include "euidaccess-stat.h"
29 #include "file-type.h"
35 #include "root-dev-ino.h"
36 #include "unlinkdir.h"
37 #include "write-any-file.h"
40 /* Avoid shadowing warnings because these are functions declared
41 in dirname.h as well as locals used below. */
42 #define dir_name rm_dir_name
43 #define dir_len rm_dir_len
45 /* This is the maximum number of consecutive readdir/unlink calls that
46 can be made (with no intervening rewinddir or closedir/opendir) before
47 triggering a bug that makes readdir return NULL even though some
48 directory entries have not been processed. The bug afflicts SunOS's
49 readdir when applied to ufs file systems and Darwin 6.5's (and OSX
50 v.10.3.8's) HFS+. This maximum is conservative in that demonstrating
51 the problem requires a directory containing at least 16 deletable
52 entries (which doesn't count . and ..).
53 This problem also affects Darwin 7.9.0 (aka MacOS X 10.3.9) on HFS+
54 and NFS-mounted file systems, but not vfat ones. */
57 CONSECUTIVE_READDIR_UNLINK_THRESHOLD
= 10
60 /* If the heuristics in preprocess_dir suggest that there
61 are fewer than this many entries in a directory, then it
62 skips the preprocessing altogether. */
65 INODE_SORT_DIR_ENTRIES_THRESHOLD
= 10000
68 /* FIXME: in 2009, or whenever Darwin 7.9.0 (aka MacOS X 10.3.9) is no
69 longer relevant, remove this work-around code. Then, there will be
70 no need to perform the extra rewinddir call, ever. */
71 #define NEED_REWIND(readdir_unlink_count) \
72 (CONSECUTIVE_READDIR_UNLINK_THRESHOLD <= (readdir_unlink_count))
80 typedef enum Ternary Ternary
;
82 /* The prompt function may be called twice for a given directory.
83 The first time, we ask whether to descend into it, and the
84 second time, we ask whether to remove it. */
87 PA_DESCEND_INTO_DIR
= 2,
91 /* Initial capacity of per-directory hash table of entries that have
92 been processed but not been deleted. */
93 enum { HT_UNREMOVABLE_INITIAL_CAPACITY
= 13 };
95 /* An entry in the active directory stack.
96 Each entry corresponds to an `active' directory. */
99 /* For a given active directory, this is the set of names of
100 entries in that directory that could/should not be removed.
101 For example, `.' and `..', as well as files/dirs for which
102 unlink/rmdir failed e.g., due to access restrictions. */
103 Hash_table
*unremovable
;
105 /* Record the status for a given active directory; we need to know
106 whether an entry was not removed, either because of an error or
107 because the user declined. */
108 enum RM_status status
;
110 /* The directory's dev/ino. Used to ensure that a malicious user does
111 not replace a directory we're about to process with a symlink to
112 some other directory. */
113 struct dev_ino dev_ino
;
116 /* D_TYPE(D) is the type of directory entry D if known, DT_UNKNOWN
118 #if HAVE_STRUCT_DIRENT_D_TYPE
119 # define D_TYPE(d) ((d)->d_type)
121 # define D_TYPE(d) DT_UNKNOWN
123 /* Any int values will do here, so long as they're distinct.
124 Undef any existing macros out of the way. */
128 # define DT_UNKNOWN 0
133 struct dirstack_state
135 /* The name of the directory (starting with and relative to a command
136 line argument) being processed. When a subdirectory is entered, a new
137 component is appended (pushed). Remove (pop) the top component
138 upon chdir'ing out of a directory. This is used to form the full
139 name of the current directory or a file therein, when necessary. */
140 struct obstack dir_stack
;
142 /* Stack of lengths of directory names (including trailing slash)
143 appended to dir_stack. We have to have a separate stack of lengths
144 (rather than just popping back to previous slash) because the first
145 element pushed onto the dir stack may contain slashes. */
146 struct obstack len_stack
;
148 /* Stack of active directory entries.
149 The first `active' directory is the initial working directory.
150 Additional active dirs are pushed onto the stack as we `chdir'
151 into each directory to be processed. When finished with the
152 hierarchy under a directory, pop the active dir stack. */
153 struct obstack Active_dir
;
155 /* Used to detect cycles. */
156 struct cycle_check_state cycle_check_state
;
158 /* Target of a longjmp in case rm has to stop processing the current
159 command-line argument. This happens 1) when rm detects a directory
160 cycle or 2) when it has processed one or more directories, but then
161 is unable to return to the initial working directory to process
162 additional `.'-relative command-line arguments. */
163 jmp_buf current_arg_jumpbuf
;
165 typedef struct dirstack_state Dirstack_state
;
167 /* A static buffer and its allocated size, these variables are used by
168 xfull_filename and full_filename to form full, relative file names. */
170 static size_t g_n_allocated
;
172 /* Like fstatat, but cache the result. If ST->st_size is -1, the
173 status has not been gotten yet. If less than -1, fstatat failed
174 with errno == ST->st_ino. Otherwise, the status has already
175 been gotten, so return 0. */
177 cache_fstatat (int fd
, char const *file
, struct stat
*st
, int flag
)
179 if (st
->st_size
== -1 && fstatat (fd
, file
, st
, flag
) != 0)
184 if (0 <= st
->st_size
)
186 errno
= (int) st
->st_ino
;
190 /* Initialize a fstatat cache *ST. Return ST for convenience. */
191 static inline struct stat
*
192 cache_stat_init (struct stat
*st
)
198 /* Return true if *ST has been statted. */
200 cache_statted (struct stat
*st
)
202 return (st
->st_size
!= -1);
205 /* Return true if *ST has been statted successfully. */
207 cache_stat_ok (struct stat
*st
)
209 return (0 <= st
->st_size
);
220 hash_compare_strings (void const *x
, void const *y
)
222 return STREQ (x
, y
) ? true : false;
225 /* Obstack allocator: longjump on failure. */
227 rm_malloc (void *v_jumpbuf
, long size
)
229 jmp_buf *jumpbuf
= v_jumpbuf
;
230 void *p
= malloc (size
);
233 longjmp (*jumpbuf
, 1);
236 /* With the 2-arg allocator, we must also provide a two-argument freer. */
238 rm_free (void *v_jumpbuf ATTRIBUTE_UNUSED
, void *ptr
)
244 push_dir (Dirstack_state
*ds
, const char *dir_name
)
246 size_t len
= strlen (dir_name
);
248 /* Don't copy trailing slashes. */
249 while (1 < len
&& dir_name
[len
- 1] == '/')
252 /* Append the string onto the stack. */
253 obstack_grow (&ds
->dir_stack
, dir_name
, len
);
255 /* Append a trailing slash. */
256 obstack_1grow (&ds
->dir_stack
, '/');
258 /* Add one for the slash. */
261 /* Push the length (including slash) onto its stack. */
262 obstack_grow (&ds
->len_stack
, &len
, sizeof (len
));
265 /* Return the entry name of the directory on the top of the stack
266 in malloc'd storage. */
268 top_dir (Dirstack_state
*ds
)
270 size_t n_lengths
= obstack_object_size (&ds
->len_stack
) / sizeof (size_t);
271 size_t *length
= obstack_base (&ds
->len_stack
);
272 size_t top_len
= length
[n_lengths
- 1];
273 char const *p
= obstack_next_free (&ds
->dir_stack
) - top_len
;
274 char *q
= malloc (top_len
);
276 longjmp (ds
->current_arg_jumpbuf
, 1);
277 memcpy (q
, p
, top_len
- 1);
283 pop_dir (Dirstack_state
*ds
)
285 size_t n_lengths
= obstack_object_size (&ds
->len_stack
) / sizeof (size_t);
286 size_t *length
= obstack_base (&ds
->len_stack
);
288 assert (n_lengths
> 0);
289 size_t top_len
= length
[n_lengths
- 1];
290 assert (top_len
>= 2);
292 /* Pop the specified length of file name. */
293 assert (obstack_object_size (&ds
->dir_stack
) >= top_len
);
294 obstack_blank (&ds
->dir_stack
, -top_len
);
296 /* Pop the length stack, too. */
297 assert (obstack_object_size (&ds
->len_stack
) >= sizeof (size_t));
298 obstack_blank (&ds
->len_stack
, -(int) sizeof (size_t));
301 /* Copy the SRC_LEN bytes of data beginning at SRC into the DST_LEN-byte
302 buffer, DST, so that the last source byte is at the end of the destination
303 buffer. If SRC_LEN is longer than DST_LEN, then set *TRUNCATED.
304 Set *RESULT to point to the beginning of (the portion of) the source data
305 in DST. Return the number of bytes remaining in the destination buffer. */
308 right_justify (char *dst
, size_t dst_len
, const char *src
, size_t src_len
,
309 char **result
, bool *truncated
)
314 if (src_len
<= dst_len
)
317 dp
= dst
+ (dst_len
- src_len
);
322 sp
= src
+ (src_len
- dst_len
);
328 *result
= memcpy (dp
, sp
, src_len
);
329 return dst_len
- src_len
;
332 /* Using the global directory name obstack, create the full name of FILENAME.
333 Return it in sometimes-realloc'd space that should not be freed by the
334 caller. Realloc as necessary. If realloc fails, return NULL. */
337 full_filename0 (Dirstack_state
const *ds
, const char *filename
)
339 size_t dir_len
= obstack_object_size (&ds
->dir_stack
);
340 char *dir_name
= obstack_base (&ds
->dir_stack
);
341 size_t filename_len
= strlen (filename
);
342 size_t n_bytes_needed
= dir_len
+ filename_len
+ 1;
344 if (g_n_allocated
< n_bytes_needed
)
346 char *new_buf
= realloc (g_buf
, n_bytes_needed
);
351 g_n_allocated
= n_bytes_needed
;
354 if (STREQ (filename
, ".") && dir_len
)
356 /* FILENAME is just `.' and dir_len is nonzero.
357 Copy the directory part, omitting the trailing slash,
358 and append a trailing zero byte. */
359 char *p
= mempcpy (g_buf
, dir_name
, dir_len
- 1);
364 /* Copy the directory part, including trailing slash, and then
365 append the filename part, including a trailing zero byte. */
366 memcpy (mempcpy (g_buf
, dir_name
, dir_len
), filename
, filename_len
+ 1);
367 assert (strlen (g_buf
) + 1 == n_bytes_needed
);
373 /* Using the global directory name obstack, create the full name of FILENAME.
374 Return it in sometimes-realloc'd space that should not be freed by the
375 caller. Realloc as necessary. If realloc fails, die. */
378 xfull_filename (Dirstack_state
const *ds
, const char *filename
)
380 char *buf
= full_filename0 (ds
, filename
);
386 /* Using the global directory name obstack, create the full name FILENAME.
387 Return it in sometimes-realloc'd space that should not be freed by the
388 caller. Realloc as necessary. If realloc fails, use a static buffer
389 and put as long a suffix in that buffer as possible. Be careful not
392 #define full_filename(Filename) full_filename_ (ds, Filename)
394 full_filename_ (Dirstack_state
const *ds
, const char *filename
)
396 int saved_errno
= errno
;
397 char *full_name
= full_filename0 (ds
, filename
);
405 #define SBUF_SIZE 512
406 #define ELLIPSES_PREFIX "[...]"
407 static char static_buf
[SBUF_SIZE
];
410 size_t n_bytes_remaining
;
412 char *dir_name
= obstack_base (&ds
->dir_stack
);
413 size_t dir_len
= obstack_object_size (&ds
->dir_stack
);
416 n_bytes_remaining
= right_justify (static_buf
, SBUF_SIZE
, filename
,
417 strlen (filename
) + 1, &p
,
419 right_justify (static_buf
, n_bytes_remaining
, dir_name
, dir_len
,
421 if (file_truncated
|| dir_truncated
)
423 memcpy (static_buf
, ELLIPSES_PREFIX
,
424 sizeof (ELLIPSES_PREFIX
) - 1);
432 AD_stack_height (Dirstack_state
const *ds
)
434 return obstack_object_size (&ds
->Active_dir
) / sizeof (struct AD_ent
);
437 static inline struct AD_ent
*
438 AD_stack_top (Dirstack_state
const *ds
)
440 return (struct AD_ent
*)
441 ((char *) obstack_next_free (&ds
->Active_dir
) - sizeof (struct AD_ent
));
445 AD_stack_pop (Dirstack_state
*ds
)
447 assert (0 < AD_stack_height (ds
));
449 /* operate on Active_dir. pop and free top entry */
450 struct AD_ent
*top
= AD_stack_top (ds
);
451 if (top
->unremovable
)
452 hash_free (top
->unremovable
);
453 obstack_blank (&ds
->Active_dir
, -(int) sizeof (struct AD_ent
));
457 AD_stack_clear (Dirstack_state
*ds
)
459 while (0 < AD_stack_height (ds
))
465 /* Initialize obstack O just enough so that it may be freed
466 with obstack_free. */
468 obstack_init_minimal (struct obstack
*o
)
474 ds_init (Dirstack_state
*ds
)
477 struct obstack
*o
[3];
478 o
[0] = &ds
->dir_stack
;
479 o
[1] = &ds
->len_stack
;
480 o
[2] = &ds
->Active_dir
;
482 /* Ensure each of these is NULL, in case init/allocation
483 fails and we end up calling ds_free on all three while only
484 one or two has been initialized. */
485 for (i
= 0; i
< 3; i
++)
486 obstack_init_minimal (o
[i
]);
488 for (i
= 0; i
< 3; i
++)
489 obstack_specify_allocation_with_arg
490 (o
[i
], 0, 0, rm_malloc
, rm_free
, &ds
->current_arg_jumpbuf
);
494 ds_clear (Dirstack_state
*ds
)
496 obstack_free (&ds
->dir_stack
, obstack_finish (&ds
->dir_stack
));
497 obstack_free (&ds
->len_stack
, obstack_finish (&ds
->len_stack
));
498 while (0 < AD_stack_height (ds
))
500 obstack_free (&ds
->Active_dir
, obstack_finish (&ds
->Active_dir
));
504 ds_free (Dirstack_state
*ds
)
506 obstack_free (&ds
->dir_stack
, NULL
);
507 obstack_free (&ds
->len_stack
, NULL
);
508 obstack_free (&ds
->Active_dir
, NULL
);
511 /* Pop the active directory (AD) stack and prepare to move `up' one level,
512 safely. Moving `up' usually means opening `..', but when we've just
513 finished recursively processing a command-line directory argument,
514 there's nothing left on the stack, so set *FDP to AT_FDCWD in that case.
515 The idea is to return with *FDP opened on the parent directory,
516 assuming there are entries in that directory that we need to remove.
518 Note that we must not call opendir (or fdopendir) just yet, since
519 the caller must first remove the directory we're coming from.
520 That is because some file system implementations cache readdir
521 results at opendir time; so calling opendir, rmdir, readdir would
522 return an entry for the just-removed directory.
524 Whenever using chdir '..' (virtually, now, via openat), verify
525 that the post-chdir dev/ino numbers for `.' match the saved ones.
526 If any system call fails or if dev/ino don't match, then give a
527 diagnostic and longjump out.
528 Return the name (in malloc'd storage) of the
529 directory (usually now empty) from which we're coming, and which
530 corresponds to the input value of DIRP.
532 Finally, note that while this function's name is no longer as
533 accurate as it once was (it no longer calls chdir), it does open
534 the destination directory. */
536 AD_pop_and_chdir (DIR *dirp
, int *fdp
, Dirstack_state
*ds
)
538 struct AD_ent
*leaf_dir_ent
= AD_stack_top(ds
);
539 struct dev_ino leaf_dev_ino
= leaf_dir_ent
->dev_ino
;
540 enum RM_status old_status
= leaf_dir_ent
->status
;
543 /* Get the name of the current (but soon to be `previous') directory
544 from the top of the stack. */
545 char *prev_dir
= top_dir (ds
);
549 top
= AD_stack_top (ds
);
551 /* If the directory we're about to leave (and try to rmdir)
552 is the one whose dev_ino is being used to detect a cycle,
553 reset cycle_check_state.dev_ino to that of the parent.
554 Otherwise, once that directory is removed, its dev_ino
555 could be reused in the creation (by some other process)
556 of a directory that this rm process would encounter,
557 which would result in a false-positive cycle indication. */
558 CYCLE_CHECK_REFLECT_CHDIR_UP (&ds
->cycle_check_state
,
559 top
->dev_ino
, leaf_dev_ino
);
561 /* Propagate any failure to parent. */
562 UPDATE_STATUS (top
->status
, old_status
);
564 assert (AD_stack_height (ds
));
566 if (1 < AD_stack_height (ds
))
569 int fd
= openat (dirfd (dirp
), "..", O_RDONLY
);
570 if (closedir (dirp
) != 0)
572 error (0, errno
, _("FATAL: failed to close directory %s"),
573 quote (full_filename (prev_dir
)));
574 goto next_cmdline_arg
;
577 /* The above fails with EACCES when DIRP is readable but not
578 searchable, when using Solaris' openat. Without this openat
579 call, tests/rm2 would fail to remove directories a/2 and a/3. */
581 fd
= openat (AT_FDCWD
, xfull_filename (ds
, "."), O_RDONLY
);
585 error (0, errno
, _("FATAL: cannot open .. from %s"),
586 quote (full_filename (prev_dir
)));
587 goto next_cmdline_arg
;
593 _("FATAL: cannot ensure %s (returned to via ..) is safe"),
594 quote (full_filename (".")));
598 /* Ensure that post-chdir dev/ino match the stored ones. */
599 if ( ! SAME_INODE (sb
, top
->dev_ino
))
601 error (0, 0, _("FATAL: directory %s changed dev/ino"),
602 quote (full_filename (".")));
608 longjmp (ds
->current_arg_jumpbuf
, 1);
614 if (closedir (dirp
) != 0)
616 error (0, errno
, _("FATAL: failed to close directory %s"),
617 quote (full_filename (prev_dir
)));
618 goto next_cmdline_arg
;
626 /* Initialize *HT if it is NULL. Return *HT. */
628 AD_ensure_initialized (Hash_table
**ht
)
632 *ht
= hash_initialize (HT_UNREMOVABLE_INITIAL_CAPACITY
, NULL
, hash_pjw
,
633 hash_compare_strings
, hash_freer
);
641 /* Initialize *HT if it is NULL.
642 Insert FILENAME into HT. */
644 AD_mark_helper (Hash_table
**ht
, char *filename
)
646 void *ent
= hash_insert (AD_ensure_initialized (ht
), filename
);
656 /* Mark FILENAME (in current directory) as unremovable. */
658 AD_mark_as_unremovable (Dirstack_state
*ds
, char const *filename
)
660 AD_mark_helper (&AD_stack_top(ds
)->unremovable
, xstrdup (filename
));
663 /* Mark the current directory as unremovable. I.e., mark the entry
664 in the parent directory corresponding to `.'.
665 This happens e.g., when an opendir fails and the only name
666 the caller has conveniently at hand is `.'. */
668 AD_mark_current_as_unremovable (Dirstack_state
*ds
)
670 struct AD_ent
*top
= AD_stack_top (ds
);
671 char *curr
= top_dir (ds
);
673 assert (1 < AD_stack_height (ds
));
676 AD_mark_helper (&top
->unremovable
, curr
);
679 /* Push an initial dummy entry onto the stack.
680 This will always be the bottommost entry on the stack. */
682 AD_push_initial (Dirstack_state
*ds
)
686 /* Extend the stack. */
687 obstack_blank (&ds
->Active_dir
, sizeof (struct AD_ent
));
689 /* Fill in the new values. */
690 top
= AD_stack_top (ds
);
691 top
->unremovable
= NULL
;
693 /* These should never be used.
694 Give them values that might look suspicious
695 in a debugger or in a diagnostic. */
696 top
->dev_ino
.st_dev
= TYPE_MAXIMUM (dev_t
);
697 top
->dev_ino
.st_ino
= TYPE_MAXIMUM (ino_t
);
700 /* Push info about the current working directory (".") onto the
701 active directory stack. DIR is the ./-relative name through
702 which we've just `chdir'd to this directory. DIR_SB_FROM_PARENT
703 is the result of calling lstat on DIR from the parent of DIR.
704 Longjump out (skipping the entire command line argument we're
705 dealing with) if `fstat (FD_CWD, ...' fails or if someone has
706 replaced DIR with e.g., a symlink to some other directory. */
708 AD_push (int fd_cwd
, Dirstack_state
*ds
, char const *dir
,
709 struct stat
const *dir_sb_from_parent
)
715 /* If our uses of openat are guaranteed not to
716 follow a symlink, then we can skip this check. */
717 if (! HAVE_WORKING_O_NOFOLLOW
)
720 if (fstat (fd_cwd
, &sb
) != 0)
722 error (0, errno
, _("FATAL: cannot enter directory %s"),
723 quote (full_filename (".")));
724 longjmp (ds
->current_arg_jumpbuf
, 1);
727 if ( ! SAME_INODE (sb
, *dir_sb_from_parent
))
730 _("FATAL: just-changed-to directory %s changed dev/ino"),
731 quote (full_filename (".")));
732 longjmp (ds
->current_arg_jumpbuf
, 1);
736 if (cycle_check (&ds
->cycle_check_state
, dir_sb_from_parent
))
739 WARNING: Circular directory structure.\n\
740 This almost certainly means that you have a corrupted file system.\n\
741 NOTIFY YOUR SYSTEM MANAGER.\n\
742 The following directory is part of the cycle:\n %s\n"),
743 quote (full_filename (".")));
744 longjmp (ds
->current_arg_jumpbuf
, 1);
747 /* Extend the stack. */
748 obstack_blank (&ds
->Active_dir
, sizeof (struct AD_ent
));
750 /* The active directory stack must be one larger than the length stack. */
751 assert (AD_stack_height (ds
) ==
752 1 + obstack_object_size (&ds
->len_stack
) / sizeof (size_t));
754 /* Fill in the new values. */
755 top
= AD_stack_top (ds
);
756 top
->dev_ino
.st_dev
= dir_sb_from_parent
->st_dev
;
757 top
->dev_ino
.st_ino
= dir_sb_from_parent
->st_ino
;
758 top
->unremovable
= NULL
;
762 AD_is_removable (Dirstack_state
const *ds
, char const *file
)
764 struct AD_ent
*top
= AD_stack_top (ds
);
765 return ! (top
->unremovable
&& hash_lookup (top
->unremovable
, file
));
768 /* Return 1 if FILE is an unwritable non-symlink,
769 0 if it is writable or some other type of file,
770 -1 and set errno if there is some problem in determining the answer.
771 Set *BUF to the file status.
772 This is to avoid calling euidaccess when FILE is a symlink. */
774 write_protected_non_symlink (int fd_cwd
,
776 Dirstack_state
const *ds
,
779 if (can_write_any_file ())
781 if (cache_fstatat (fd_cwd
, file
, buf
, AT_SYMLINK_NOFOLLOW
) != 0)
783 if (S_ISLNK (buf
->st_mode
))
785 /* Here, we know FILE is not a symbolic link. */
787 /* In order to be reentrant -- i.e., to avoid changing the working
788 directory, and at the same time to be able to deal with alternate
789 access control mechanisms (ACLs, xattr-style attributes) and
790 arbitrarily deep trees -- we need a function like eaccessat, i.e.,
791 like Solaris' eaccess, but fd-relative, in the spirit of openat. */
793 /* In the absence of a native eaccessat function, here are some of
794 the implementation choices [#4 and #5 were suggested by Paul Eggert]:
795 1) call openat with O_WRONLY|O_NOCTTY
796 Disadvantage: may create the file and doesn't work for directory,
797 may mistakenly report `unwritable' for EROFS or ACLs even though
798 perm bits say the file is writable.
800 2) fake eaccessat (save_cwd, fchdir, call euidaccess, restore_cwd)
801 Disadvantage: changes working directory (not reentrant) and can't
802 work if save_cwd fails.
804 3) if (euidaccess (xfull_filename (file), W_OK) == 0)
805 Disadvantage: doesn't work if xfull_filename is too long.
806 Inefficient for very deep trees (O(Depth^2)).
808 4) If the full pathname is sufficiently short (say, less than
809 PATH_MAX or 8192 bytes, whichever is shorter):
810 use method (3) (i.e., euidaccess (xfull_filename (file), W_OK));
811 Otherwise: vfork, fchdir in the child, run euidaccess in the
812 child, then the child exits with a status that tells the parent
813 whether euidaccess succeeded.
815 This avoids the O(N**2) algorithm of method (3), and it also avoids
816 the failure-due-to-too-long-file-names of method (3), but it's fast
817 in the normal shallow case. It also avoids the lack-of-reentrancy
818 and the save_cwd problems.
819 Disadvantage; it uses a process slot for very-long file names,
820 and would be very slow for hierarchies with many such files.
822 5) If the full file name is sufficiently short (say, less than
823 PATH_MAX or 8192 bytes, whichever is shorter):
824 use method (3) (i.e., euidaccess (xfull_filename (file), W_OK));
825 Otherwise: look just at the file bits. Perhaps issue a warning
826 the first time this occurs.
828 This is like (4), except for the "Otherwise" case where it isn't as
829 "perfect" as (4) but is considerably faster. It conforms to current
830 POSIX, and is uniformly better than what Solaris and FreeBSD do (they
831 mess up with long file names). */
834 /* This implements #5: */
836 = obstack_object_size (&ds
->dir_stack
) + strlen (file
);
838 if (MIN (PATH_MAX
, 8192) <= file_name_len
)
839 return ! euidaccess_stat (buf
, W_OK
);
840 if (euidaccess (xfull_filename (ds
, file
), W_OK
) == 0)
848 /* Perhaps some other process has removed the file, or perhaps this
849 is a buggy NFS client. */
854 /* Prompt whether to remove FILENAME, if required via a combination of
855 the options specified by X and/or file attributes. If the file may
856 be removed, return RM_OK. If the user declines to remove the file,
857 return RM_USER_DECLINED. If not ignoring missing files and we
858 cannot lstat FILENAME, then return RM_ERROR.
860 *PDIRENT_TYPE is the type of the directory entry; update it to DT_DIR
861 or DT_LNK as needed. *SBUF is the file's status.
863 Depending on MODE, ask whether to `descend into' or to `remove' the
864 directory FILENAME. MODE is ignored when FILENAME is not a directory.
865 Set *IS_EMPTY to T_YES if FILENAME is an empty directory, and it is
866 appropriate to try to remove it with rmdir (e.g. recursive mode).
867 Don't even try to set *IS_EMPTY when MODE == PA_REMOVE_DIR. */
868 static enum RM_status
869 prompt (int fd_cwd
, Dirstack_state
const *ds
, char const *filename
,
870 int *pdirent_type
, struct stat
*sbuf
,
871 struct rm_options
const *x
, enum Prompt_action mode
,
874 int write_protected
= 0;
875 int dirent_type
= *pdirent_type
;
877 *is_empty
= T_UNKNOWN
;
879 if (x
->interactive
== RMI_NEVER
)
884 if (!x
->ignore_missing_files
885 && ((x
->interactive
== RMI_ALWAYS
) || x
->stdin_tty
)
886 && dirent_type
!= DT_LNK
)
888 write_protected
= write_protected_non_symlink (fd_cwd
, filename
, ds
, sbuf
);
892 if (write_protected
|| x
->interactive
== RMI_ALWAYS
)
894 if (0 <= write_protected
&& dirent_type
== DT_UNKNOWN
)
896 if (cache_fstatat (fd_cwd
, filename
, sbuf
, AT_SYMLINK_NOFOLLOW
) == 0)
898 if (S_ISLNK (sbuf
->st_mode
))
899 dirent_type
= DT_LNK
;
900 else if (S_ISDIR (sbuf
->st_mode
))
901 dirent_type
= DT_DIR
;
902 /* Otherwise it doesn't matter, so leave it DT_UNKNOWN. */
903 *pdirent_type
= dirent_type
;
907 /* This happens, e.g., with `rm '''. */
908 write_protected
= -1;
913 if (0 <= write_protected
)
917 /* Using permissions doesn't make sense for symlinks. */
918 if (x
->interactive
!= RMI_ALWAYS
)
925 write_protected
= -1;
931 char const *quoted_name
= quote (full_filename (filename
));
933 if (write_protected
< 0)
935 error (0, wp_errno
, _("cannot remove %s"), quoted_name
);
939 /* Issue the prompt. */
940 /* FIXME: use a variant of error (instead of fprintf) that doesn't
941 append a newline. Then we won't have to declare program_name in
943 if (dirent_type
== DT_DIR
944 && mode
== PA_DESCEND_INTO_DIR
945 && ((*is_empty
= (is_empty_dir (fd_cwd
, filename
) ? T_YES
: T_NO
))
949 ? _("%s: descend into write-protected directory %s? ")
950 : _("%s: descend into directory %s? ")),
951 program_name
, quoted_name
);
954 if (cache_fstatat (fd_cwd
, filename
, sbuf
, AT_SYMLINK_NOFOLLOW
) != 0)
956 error (0, errno
, _("cannot remove %s"), quoted_name
);
962 /* TRANSLATORS: You may find it more convenient to
963 translate "%s: remove %s (write-protected) %s? "
964 instead. It should avoid grammatical problems
965 with the output of file_type. */
966 ? _("%s: remove write-protected %s %s? ")
967 : _("%s: remove %s %s? ")),
968 program_name
, file_type (sbuf
), quoted_name
);
972 return RM_USER_DECLINED
;
977 /* Return true if FILENAME is a directory (and not a symlink to a directory).
978 Otherwise, including the case in which lstat fails, return false.
979 *ST is FILENAME's tstatus.
980 Do not modify errno. */
982 is_dir_lstat (int fd_cwd
, char const *filename
, struct stat
*st
)
984 int saved_errno
= errno
;
986 (cache_fstatat (fd_cwd
, filename
, st
, AT_SYMLINK_NOFOLLOW
) == 0
987 && S_ISDIR (st
->st_mode
));
992 /* Return true if FILENAME is a non-directory.
993 Otherwise, including the case in which lstat fails, return false.
994 *ST is FILENAME's tstatus.
995 Do not modify errno. */
997 is_nondir_lstat (int fd_cwd
, char const *filename
, struct stat
*st
)
999 int saved_errno
= errno
;
1001 (cache_fstatat (fd_cwd
, filename
, st
, AT_SYMLINK_NOFOLLOW
) == 0
1002 && !S_ISDIR (st
->st_mode
));
1003 errno
= saved_errno
;
1007 #define DO_UNLINK(Fd_cwd, Filename, X) \
1010 if (unlinkat (Fd_cwd, Filename, 0) == 0) \
1013 printf (_("removed %s\n"), quote (full_filename (Filename))); \
1017 if (ignorable_missing (X, errno)) \
1022 #define DO_RMDIR(Fd_cwd, Filename, X) \
1025 if (unlinkat (Fd_cwd, Filename, AT_REMOVEDIR) == 0) /* rmdir */ \
1028 printf (_("removed directory: %s\n"), \
1029 quote (full_filename (Filename))); \
1033 if (ignorable_missing (X, errno)) \
1036 if (errno == ENOTEMPTY || errno == EEXIST) \
1037 return RM_NONEMPTY_DIR; \
1041 /* When a function like unlink, rmdir, or fstatat fails with an errno
1042 value of ERRNUM, return true if the specified file system object
1043 is guaranteed not to exist; otherwise, return false. */
1045 nonexistent_file_errno (int errnum
)
1047 /* Do not include ELOOP here, since the specified file may indeed
1048 exist, but be (in)accessible only via too long a symlink chain.
1049 Likewise for ENAMETOOLONG, since rm -f ./././.../foo may fail
1050 if the "..." part expands to a long enough sequence of "./"s,
1051 even though ./foo does indeed exist. */
1063 /* Encapsulate the test for whether the errno value, ERRNUM, is ignorable. */
1065 ignorable_missing (struct rm_options
const *x
, int errnum
)
1067 return x
->ignore_missing_files
&& nonexistent_file_errno (errnum
);
1070 /* Remove the file or directory specified by FILENAME.
1071 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not.
1072 But if FILENAME specifies a non-empty directory, return RM_NONEMPTY_DIR. */
1074 static enum RM_status
1075 remove_entry (int fd_cwd
, Dirstack_state
const *ds
, char const *filename
,
1076 int dirent_type_arg
, struct stat
*st
,
1077 struct rm_options
const *x
)
1079 Ternary is_empty_directory
;
1080 enum RM_status s
= prompt (fd_cwd
, ds
, filename
, &dirent_type_arg
, st
, x
,
1081 PA_DESCEND_INTO_DIR
,
1082 &is_empty_directory
);
1083 int dirent_type
= dirent_type_arg
;
1087 /* Why bother with the following if/else block? Because on systems with
1088 an unlink function that *can* unlink directories, we must determine the
1089 type of each entry before removing it. Otherwise, we'd risk unlinking
1090 an entire directory tree simply by unlinking a single directory; then
1091 all the storage associated with that hierarchy would not be freed until
1092 the next fsck. Not nice. To avoid that, on such slightly losing
1093 systems, we need to call lstat to determine the type of each entry,
1094 and that represents extra overhead that -- it turns out -- we can
1095 avoid on non-losing systems, since there, unlink will never remove
1096 a directory. Also, on systems where unlink may unlink directories,
1097 we're forced to allow a race condition: we lstat a non-directory, then
1098 go to unlink it, but in the mean time, a malicious someone could have
1099 replaced it with a directory. */
1101 if (cannot_unlink_dir ())
1103 if (dirent_type
== DT_DIR
&& ! x
->recursive
)
1105 error (0, EISDIR
, _("cannot remove %s"),
1106 quote (full_filename (filename
)));
1110 /* is_empty_directory is set iff it's ok to use rmdir.
1111 Note that it's set only in interactive mode -- in which case it's
1112 an optimization that arranges so that the user is asked just
1113 once whether to remove the directory. */
1114 if (is_empty_directory
== T_YES
)
1115 DO_RMDIR (fd_cwd
, filename
, x
);
1117 /* If we happen to know that FILENAME is a directory, return now
1118 and let the caller remove it -- this saves the overhead of a failed
1119 unlink call. If FILENAME is a command-line argument, then
1120 DIRENT_TYPE is DT_UNKNOWN so we'll first try to unlink it.
1121 Using unlink here is ok, because it cannot remove a
1123 if (dirent_type
== DT_DIR
)
1124 return RM_NONEMPTY_DIR
;
1126 DO_UNLINK (fd_cwd
, filename
, x
);
1128 /* Upon a failed attempt to unlink a directory, most non GNU/Linux
1129 systems set errno to the POSIX-required value EPERM. In that case,
1130 change errno to EISDIR so that we emit a better diagnostic. */
1131 if (! x
->recursive
&& errno
== EPERM
&& is_dir_lstat (fd_cwd
,
1136 || (cache_stat_ok (st
) && !S_ISDIR (st
->st_mode
))
1137 || ((errno
== EACCES
|| errno
== EPERM
)
1138 && is_nondir_lstat (fd_cwd
, filename
, st
))
1141 if (ignorable_missing (x
, errno
))
1144 /* Either --recursive is not in effect, or the file cannot be a
1145 directory. Report the unlink problem and fail. */
1146 error (0, errno
, _("cannot remove %s"),
1147 quote (full_filename (filename
)));
1150 assert (!cache_stat_ok (st
) || S_ISDIR (st
->st_mode
));
1154 /* If we don't already know whether FILENAME is a directory,
1155 find out now. Then, if it's a non-directory, we can use
1158 if (dirent_type
== DT_UNKNOWN
)
1160 if (fstatat (fd_cwd
, filename
, st
, AT_SYMLINK_NOFOLLOW
))
1162 if (ignorable_missing (x
, errno
))
1165 error (0, errno
, _("cannot remove %s"),
1166 quote (full_filename (filename
)));
1170 if (S_ISDIR (st
->st_mode
))
1171 dirent_type
= DT_DIR
;
1174 if (dirent_type
!= DT_DIR
)
1176 /* At this point, barring race conditions, FILENAME is known
1177 to be a non-directory, so it's ok to try to unlink it. */
1178 DO_UNLINK (fd_cwd
, filename
, x
);
1180 /* unlink failed with some other error code. report it. */
1181 error (0, errno
, _("cannot remove %s"),
1182 quote (full_filename (filename
)));
1188 error (0, EISDIR
, _("cannot remove %s"),
1189 quote (full_filename (filename
)));
1193 if (is_empty_directory
== T_YES
)
1195 DO_RMDIR (fd_cwd
, filename
, x
);
1196 /* Don't diagnose any failure here.
1197 It'll be detected when the caller tries another way. */
1201 return RM_NONEMPTY_DIR
;
1204 /* Given FD_CWD, the file descriptor for an open directory,
1205 open its subdirectory F (F is already `known' to be a directory,
1206 so if it is no longer one, someone is playing games), return a DIR*
1207 pointer for F, and put F's `stat' data in *SUBDIR_SB.
1208 Upon failure give a diagnostic and return NULL.
1209 If PREV_ERRNO is nonzero, it is the errno value from a preceding failed
1210 unlink- or rmdir-like system call -- use that value instead of ENOTDIR
1211 if an opened file turns out not to be a directory. This is important
1212 when the preceding non-dir-unlink failed due to e.g., EPERM or EACCES.
1213 The caller must use a nonnnull CWD_ERRNO the first
1214 time this function is called for each command-line-specified directory.
1215 If CWD_ERRNO is not null, set *CWD_ERRNO to the appropriate error number
1216 if this function fails to restore the initial working directory.
1217 If it is null, report an error and exit if the working directory
1220 fd_to_subdirp (int fd_cwd
, char const *f
,
1222 struct stat
*subdir_sb
,
1223 int *cwd_errno ATTRIBUTE_UNUSED
)
1225 int open_flags
= O_RDONLY
| O_NOCTTY
| O_NOFOLLOW
| O_NONBLOCK
;
1226 int fd_sub
= openat_permissive (fd_cwd
, f
, open_flags
, 0, cwd_errno
);
1229 /* Record dev/ino of F. We may compare them against saved values
1230 to thwart any attempt to subvert the traversal. They are also used
1231 to detect directory cycles. */
1234 else if (fstat (fd_sub
, subdir_sb
) != 0)
1235 saved_errno
= errno
;
1236 else if (S_ISDIR (subdir_sb
->st_mode
))
1238 DIR *subdir_dirp
= fdopendir (fd_sub
);
1241 saved_errno
= errno
;
1244 saved_errno
= (prev_errno
? prev_errno
: ENOTDIR
);
1247 errno
= saved_errno
;
1254 char name
[FLEXIBLE_ARRAY_MEMBER
];
1257 #if HAVE_STRUCT_DIRENT_D_TYPE
1258 /* A comparison function to sort on increasing inode number. */
1260 compare_ino (void const *av
, void const *bv
)
1262 struct readdir_data
const *const *a
= av
;
1263 struct readdir_data
const *const *b
= bv
;
1264 return (a
[0]->ino
< b
[0]->ino
? -1
1265 : b
[0]->ino
< a
[0]->ino
? 1 : 0);
1268 /* Return an approximation of the maximum number of dirent entries
1269 in a directory with stat data *ST. */
1271 dirent_count (struct stat
const *st
)
1273 return st
->st_size
/ 16;
1276 #if defined __linux__ \
1277 && HAVE_SYS_VFS_H && HAVE_FSTATFS && HAVE_STRUCT_STATFS_F_TYPE
1278 # include <sys/vfs.h>
1281 /* Return false if it is easy to determine the file system type of
1282 the directory on which DIR_FD is open, and sorting dirents on
1283 inode numbers is known not to improve traversal performance with
1284 that type of file system. Otherwise, return true. */
1286 dirent_inode_sort_may_be_useful (int dir_fd
)
1288 /* Skip the sort only if we can determine efficiently
1289 that skipping it is the right thing to do.
1290 The cost of performing an unnecessary sort is negligible,
1291 while the cost of *not* performing it can be O(N^2) with
1292 a very large constant. */
1293 struct statfs fs_buf
;
1295 /* If fstatfs fails, assume sorting would be useful. */
1296 if (fstatfs (dir_fd
, &fs_buf
) != 0)
1299 /* FIXME: what about when f_type is not an integral type?
1300 deal with that if/when it's encountered. */
1301 switch (fs_buf
.f_type
)
1305 /* On a file system of any of these types, sorting
1306 is unnecessary, and hence wasteful. */
1313 # else /* !HAVE_STRUCT_STATFS_F_TYPE */
1314 static bool dirent_inode_sort_may_be_useful (int dir_fd
) { return true; }
1315 # endif /* !HAVE_STRUCT_STATFS_F_TYPE */
1316 #endif /* HAVE_STRUCT_DIRENT_D_TYPE */
1318 /* When a directory contains very many entries, operating on N entries in
1319 readdir order can be very seek-intensive (be it to unlink or even to
1320 merely stat each entry), to the point that it results in O(N^2) work.
1321 This is file-system-specific: ext3 and ext4 (as of 2008) are susceptible,
1322 but tmpfs is not. The general solution is to process entries in inode
1323 order. That means reading all entries, and sorting them before operating
1324 on any. As such, it is useful only on systems with useful dirent.d_ino.
1325 Since 'rm -r's removal process must traverse into directories and since
1326 this preprocessing phase can allocate O(N) storage, here we store and
1327 sort only non-directory entries, and then remove all of those, so that we
1328 can free all allocated storage before traversing into any subdirectory.
1329 Perform this optimization only when not interactive and not in verbose
1330 mode, to keep the implementation simple and to minimize duplication.
1331 Upon failure, simply free any resources and return. */
1333 preprocess_dir (DIR **dirp
, struct rm_options
const *x
)
1335 #if HAVE_STRUCT_DIRENT_D_TYPE
1338 /* There are many reasons to return right away, skipping this
1339 optimization. The penalty for being wrong is that we will
1340 perform a small amount of extra work.
1342 Skip this optimization if... */
1344 int dir_fd
= dirfd (*dirp
);
1345 if (/* - there is a chance of interactivity */
1346 x
->interactive
!= RMI_NEVER
1348 /* - we're in verbose mode */
1351 /* - privileged users can unlink nonempty directories.
1352 Otherwise, there'd be a race condition between the readdir
1353 call (in which we learn dirent.d_type) and the unlink, by
1354 which time the non-directory may be replaced with a directory. */
1355 || ! cannot_unlink_dir ()
1357 /* - we can't fstat the file descriptor */
1358 || fstat (dir_fd
, &st
) != 0
1360 /* - the directory is smaller than some threshold.
1361 Estimate the number of inodes with a heuristic.
1362 There's no significant benefit to sorting if there are
1364 || dirent_count (&st
) < INODE_SORT_DIR_ENTRIES_THRESHOLD
1366 /* Sort only if it might help. */
1367 || ! dirent_inode_sort_may_be_useful (dir_fd
))
1370 /* FIXME: maybe test file system type, too; skip if it's tmpfs: see fts.c */
1372 struct obstack o_readdir_data
; /* readdir data: inode,name pairs */
1373 struct obstack o_p
; /* an array of pointers to each inode,name pair */
1375 /* Arrange to longjmp upon obstack allocation failure. */
1376 jmp_buf readdir_jumpbuf
;
1377 if (setjmp (readdir_jumpbuf
))
1380 obstack_init_minimal (&o_readdir_data
);
1381 obstack_init_minimal (&o_p
);
1383 obstack_specify_allocation_with_arg (&o_readdir_data
, 0, 0,
1384 rm_malloc
, rm_free
, &readdir_jumpbuf
);
1385 obstack_specify_allocation_with_arg (&o_p
, 0, 0,
1386 rm_malloc
, rm_free
, &readdir_jumpbuf
);
1388 /* Read all entries, storing <d_ino, d_name> for each non-dir one.
1389 Maintain a parallel list of pointers into the primary buffer. */
1392 struct dirent
const *dp
;
1393 dp
= readdir_ignoring_dot_and_dotdot (*dirp
);
1394 /* no need to distinguish EOF from failure */
1398 /* Skip known-directory and type-unknown entries. */
1399 if (D_TYPE (dp
) == DT_UNKNOWN
|| D_TYPE (dp
) == DT_DIR
)
1402 size_t name_len
= strlen (dp
->d_name
);
1403 size_t ent_len
= offsetof (struct readdir_data
, name
) + name_len
+ 1;
1404 struct readdir_data
*v
= obstack_alloc (&o_readdir_data
, ent_len
);
1405 v
->ino
= D_INO (dp
);
1406 memcpy (v
->name
, dp
->d_name
, name_len
+ 1);
1408 /* Append V to the list of pointers. */
1409 obstack_ptr_grow (&o_p
, v
);
1412 /* Compute size and finalize VV. */
1413 size_t n
= obstack_object_size (&o_p
) / sizeof (void *);
1414 struct readdir_data
**vv
= obstack_finish (&o_p
);
1416 /* Sort on inode number. */
1417 qsort(vv
, n
, sizeof *vv
, compare_ino
);
1419 /* Iterate through those pointers, unlinking each name. */
1420 for (size_t i
= 0; i
< n
; i
++)
1422 /* ignore failure */
1423 unlinkat (dir_fd
, vv
[i
]->name
, 0);
1427 obstack_free (&o_readdir_data
, NULL
);
1428 obstack_free (&o_p
, NULL
);
1433 /* Remove entries in the directory open on DIRP
1434 Upon finding a directory that is both non-empty and that can be chdir'd
1435 into, return RM_OK and set *SUBDIR and fill in SUBDIR_SB, where
1436 SUBDIR is the malloc'd name of the subdirectory if the chdir succeeded,
1437 NULL otherwise (e.g., if opendir failed or if there was no subdirectory).
1438 Likewise, SUBDIR_SB is the result of calling lstat on SUBDIR.
1439 Return RM_OK if all entries are removed. Return RM_ERROR if any
1440 entry cannot be removed. Otherwise, return RM_USER_DECLINED if
1441 the user declines to remove at least one entry. Remove as much as
1442 possible, continuing even if we fail to remove some entries. */
1443 static enum RM_status
1444 remove_cwd_entries (DIR **dirp
,
1445 Dirstack_state
*ds
, char **subdir
, struct stat
*subdir_sb
,
1446 struct rm_options
const *x
)
1448 struct AD_ent
*top
= AD_stack_top (ds
);
1449 enum RM_status status
= top
->status
;
1450 size_t n_unlinked_since_opendir_or_last_rewind
= 0;
1452 assert (VALID_STATUS (status
));
1455 /* This is just an optimization.
1456 It's not a fatal problem if it fails. */
1457 preprocess_dir (dirp
, x
);
1461 struct dirent
const *dp
;
1462 enum RM_status tmp_status
;
1465 /* Set errno to zero so we can distinguish between a readdir failure
1466 and when readdir simply finds that there are no more entries. */
1468 dp
= readdir_ignoring_dot_and_dotdot (*dirp
);
1475 else if (NEED_REWIND (n_unlinked_since_opendir_or_last_rewind
))
1477 /* Call rewinddir if we've called unlink or rmdir so many times
1478 (since the opendir or the previous rewinddir) that this
1479 NULL-return may be the symptom of a buggy readdir. */
1481 n_unlinked_since_opendir_or_last_rewind
= 0;
1489 /* Skip files we've already tried/failed to remove. */
1490 if ( ! AD_is_removable (ds
, f
))
1493 /* Pass dp->d_type info to remove_entry so the non-glibc
1494 case can decide whether to use unlink or chdir.
1495 Systems without the d_type member will have to endure
1496 the performance hit of first calling lstat F. */
1497 cache_stat_init (subdir_sb
);
1498 tmp_status
= remove_entry (dirfd (*dirp
), ds
, f
,
1499 D_TYPE (dp
), subdir_sb
, x
);
1503 /* Count how many files we've unlinked since the initial
1504 opendir or the last rewinddir. On buggy systems, if you
1505 remove too many, readdir returns NULL even though there
1506 remain unprocessed directory entries. */
1507 ++n_unlinked_since_opendir_or_last_rewind
;
1511 case RM_USER_DECLINED
:
1512 AD_mark_as_unremovable (ds
, f
);
1513 UPDATE_STATUS (status
, tmp_status
);
1516 case RM_NONEMPTY_DIR
:
1518 DIR *subdir_dirp
= fd_to_subdirp (dirfd (*dirp
), f
,
1519 errno
, subdir_sb
, NULL
);
1520 if (subdir_dirp
== NULL
)
1524 /* CAUTION: this test and diagnostic are identical to
1525 those following the other use of fd_to_subdirp. */
1526 if (ignorable_missing (x
, errno
))
1528 /* With -f, don't report "file not found". */
1532 /* Upon fd_to_subdirp failure, try to remove F directly,
1533 in case it's just an empty directory. */
1534 int saved_errno
= errno
;
1535 if (unlinkat (dirfd (*dirp
), f
, AT_REMOVEDIR
) == 0)
1538 error (0, saved_errno
,
1539 _("cannot remove %s"), quote (full_filename (f
)));
1542 if (status
== RM_ERROR
)
1543 AD_mark_as_unremovable (ds
, f
);
1547 *subdir
= xstrdup (f
);
1548 if (closedir (*dirp
) != 0)
1550 error (0, 0, _("failed to close directory %s"),
1551 quote (full_filename (".")));
1554 *dirp
= subdir_dirp
;
1560 /* Record status for this directory. */
1561 UPDATE_STATUS (top
->status
, status
);
1567 /* Ensure that *dirp is not NULL and that its file descriptor is valid. */
1568 assert (*dirp
!= NULL
);
1569 assert (0 <= fcntl (dirfd (*dirp
), F_GETFD
));
1574 /* Do this after each call to AD_push or AD_push_initial.
1575 Because the status = RM_OK bit is too remove-specific to
1576 go into the general-purpose AD_* package. */
1577 #define AD_INIT_OTHER_MEMBERS() \
1580 AD_stack_top(ds)->status = RM_OK; \
1584 /* Remove the hierarchy rooted at DIR.
1585 Do that by changing into DIR, then removing its contents, then
1586 returning to the original working directory and removing DIR itself.
1587 Don't use recursion. Be careful when using chdir ".." that we
1588 return to the same directory from which we came, if necessary.
1589 Return an RM_status value to indicate success or failure. */
1591 static enum RM_status
1592 remove_dir (int fd_cwd
, Dirstack_state
*ds
, char const *dir
,
1593 struct stat
*dir_st
,
1594 struct rm_options
const *x
, int *cwd_errno
)
1596 enum RM_status status
;
1597 dev_t current_dev
= dir_st
->st_dev
;
1599 /* There is a race condition in that an attacker could replace the nonempty
1600 directory, DIR, with a symlink between the preceding call to rmdir
1601 (unlinkat, in our caller) and fd_to_subdirp's openat call. But on most
1602 systems, even those without openat, this isn't a problem, since we ensure
1603 that opening a symlink will fail, when that is possible. Otherwise,
1604 fd_to_subdirp's fstat, along with the `fstat' and the dev/ino
1605 comparison in AD_push ensure that we detect it and fail. */
1607 DIR *dirp
= fd_to_subdirp (fd_cwd
, dir
, 0, dir_st
, cwd_errno
);
1611 /* CAUTION: this test and diagnostic are identical to
1612 those following the other use of fd_to_subdirp. */
1613 if (ignorable_missing (x
, errno
))
1615 /* With -f, don't report "file not found". */
1619 /* Upon fd_to_subdirp failure, try to remove DIR directly,
1620 in case it's just an empty directory. */
1621 int saved_errno
= errno
;
1622 if (unlinkat (fd_cwd
, dir
, AT_REMOVEDIR
) == 0)
1625 error (0, saved_errno
,
1626 _("cannot remove %s"), quote (full_filename (dir
)));
1632 if (ROOT_DEV_INO_CHECK (x
->root_dev_ino
, dir_st
))
1634 ROOT_DEV_INO_WARN (full_filename (dir
));
1636 goto closedir_and_return
;
1639 AD_push (dirfd (dirp
), ds
, dir
, dir_st
);
1640 AD_INIT_OTHER_MEMBERS ();
1646 char *subdir
= NULL
;
1647 struct stat subdir_sb
;
1648 enum RM_status tmp_status
;
1650 tmp_status
= remove_cwd_entries (&dirp
, ds
, &subdir
, &subdir_sb
, x
);
1652 if (tmp_status
!= RM_OK
)
1654 UPDATE_STATUS (status
, tmp_status
);
1655 AD_mark_current_as_unremovable (ds
);
1659 if ( ! x
->one_file_system
1660 || subdir_sb
.st_dev
== current_dev
)
1662 AD_push (dirfd (dirp
), ds
, subdir
, &subdir_sb
);
1663 AD_INIT_OTHER_MEMBERS ();
1668 /* Here, --one-file-system is in effect, and with remove_cwd_entries'
1669 traversal into the current directory, (known as SUBDIR, from ..),
1670 DIRP's device number is different from CURRENT_DEV. Arrange not
1671 to do anything more with this hierarchy. */
1672 error (0, 0, _("skipping %s, since it's on a different device"),
1673 quote (full_filename (subdir
)));
1675 AD_mark_current_as_unremovable (ds
);
1676 tmp_status
= RM_ERROR
;
1677 UPDATE_STATUS (status
, tmp_status
);
1680 /* Execution reaches this point when we've removed the last
1681 removable entry from the current directory -- or, with
1682 --one-file-system, when the current directory is on a
1683 different file system. */
1686 /* The name of the directory that we have just processed,
1687 nominally removing all of its contents. */
1688 char *empty_dir
= AD_pop_and_chdir (dirp
, &fd
, ds
);
1690 assert (fd
!= AT_FDCWD
|| AD_stack_height (ds
) == 1);
1692 /* Try to remove EMPTY_DIR only if remove_cwd_entries succeeded. */
1693 if (tmp_status
== RM_OK
)
1695 struct stat empty_st
;
1697 int dirent_type
= DT_DIR
;
1698 enum RM_status s
= prompt (fd
, ds
, empty_dir
, &dirent_type
,
1699 cache_stat_init (&empty_st
), x
,
1700 PA_REMOVE_DIR
, &is_empty
);
1708 goto closedir_and_return
;
1711 if (unlinkat (fd
, empty_dir
, AT_REMOVEDIR
) == 0)
1714 printf (_("removed directory: %s\n"),
1715 quote (full_filename (empty_dir
)));
1719 error (0, errno
, _("cannot remove directory %s"),
1720 quote (full_filename (empty_dir
)));
1721 AD_mark_as_unremovable (ds
, empty_dir
);
1723 UPDATE_STATUS (AD_stack_top(ds
)->status
, status
);
1732 dirp
= fdopendir (fd
);
1735 error (0, errno
, _("FATAL: cannot return to .. from %s"),
1736 quote (full_filename (".")));
1738 longjmp (ds
->current_arg_jumpbuf
, 1);
1743 /* If the first/final hash table of unremovable entries was used,
1747 closedir_and_return
:;
1748 if (dirp
!= NULL
&& closedir (dirp
) != 0)
1750 error (0, 0, _("failed to close directory %s"),
1751 quote (full_filename (".")));
1758 /* Remove the file or directory specified by FILENAME.
1759 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not. */
1761 static enum RM_status
1762 rm_1 (Dirstack_state
*ds
, char const *filename
,
1763 struct rm_options
const *x
, int *cwd_errno
)
1765 char const *base
= last_component (filename
);
1766 if (dot_or_dotdot (base
))
1768 error (0, 0, _(base
== filename
1769 ? N_("cannot remove directory %s")
1770 : N_("cannot remove %s directory %s")),
1771 quote_n (0, base
), quote_n (1, filename
));
1776 cache_stat_init (&st
);
1777 cycle_check_init (&ds
->cycle_check_state
);
1778 if (x
->root_dev_ino
)
1780 if (cache_fstatat (AT_FDCWD
, filename
, &st
, AT_SYMLINK_NOFOLLOW
) != 0)
1782 if (ignorable_missing (x
, errno
))
1784 error (0, errno
, _("cannot remove %s"), quote (filename
));
1787 if (SAME_INODE (st
, *(x
->root_dev_ino
)))
1789 error (0, 0, _("cannot remove root directory %s"), quote (filename
));
1794 AD_push_initial (ds
);
1795 AD_INIT_OTHER_MEMBERS ();
1797 enum RM_status status
= remove_entry (AT_FDCWD
, ds
, filename
,
1798 DT_UNKNOWN
, &st
, x
);
1799 if (status
== RM_NONEMPTY_DIR
)
1801 /* In the event that remove_dir->remove_cwd_entries detects
1802 a directory cycle, arrange to fail, give up on this FILE, but
1803 continue on with any other arguments. */
1804 if (setjmp (ds
->current_arg_jumpbuf
))
1807 status
= remove_dir (AT_FDCWD
, ds
, filename
, &st
, x
, cwd_errno
);
1809 AD_stack_clear (ds
);
1816 /* Remove all files and/or directories specified by N_FILES and FILE.
1817 Apply the options in X. */
1818 extern enum RM_status
1819 rm (size_t n_files
, char const *const *file
, struct rm_options
const *x
)
1821 enum RM_status status
= RM_OK
;
1826 /* Arrange for obstack allocation failure to longjmp. */
1827 if (setjmp (ds
.current_arg_jumpbuf
))
1835 for (i
= 0; i
< n_files
; i
++)
1837 if (cwd_errno
&& IS_RELATIVE_FILE_NAME (file
[i
]))
1839 error (0, 0, _("cannot remove relative-named %s"), quote (file
[i
]));
1844 enum RM_status s
= rm_1 (&ds
, file
[i
], x
, &cwd_errno
);
1845 assert (VALID_STATUS (s
));
1846 UPDATE_STATUS (status
, s
);
1850 if (x
->require_restore_cwd
&& cwd_errno
)
1852 error (0, cwd_errno
,
1853 _("cannot restore current working directory"));