global: convert indentation-TABs to spaces
[coreutils.git] / src / remove.c
blob6c8613bfad290bc2b22ed43e8321784d92b7ed51
1 /* remove.c -- core functions for removing files and directories
2 Copyright (C) 88, 90, 91, 1994-2009 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
17 /* Extracted from rm.c and librarified, then rewritten by Jim Meyering. */
19 #include <config.h>
20 #include <stdio.h>
21 #include <sys/types.h>
22 #include <setjmp.h>
23 #include <assert.h>
25 #include "system.h"
26 #include "cycle-check.h"
27 #include "error.h"
28 #include "euidaccess-stat.h"
29 #include "file-type.h"
30 #include "hash.h"
31 #include "hash-pjw.h"
32 #include "obstack.h"
33 #include "quote.h"
34 #include "remove.h"
35 #include "root-dev-ino.h"
36 #include "unlinkdir.h"
37 #include "write-any-file.h"
38 #include "yesno.h"
40 /* Avoid shadowing warnings because these are functions declared
41 in dirname.h as well as locals used below. */
42 #define dir_name rm_dir_name
43 #define dir_len rm_dir_len
45 /* This is the maximum number of consecutive readdir/unlink calls that
46 can be made (with no intervening rewinddir or closedir/opendir) before
47 triggering a bug that makes readdir return NULL even though some
48 directory entries have not been processed. The bug afflicts SunOS's
49 readdir when applied to ufs file systems and Darwin 6.5's (and OSX
50 v.10.3.8's) HFS+. This maximum is conservative in that demonstrating
51 the problem requires a directory containing at least 16 deletable
52 entries (which doesn't count . and ..).
53 This problem also affects Darwin 7.9.0 (aka MacOS X 10.3.9) on HFS+
54 and NFS-mounted file systems, but not vfat ones. */
55 enum
57 CONSECUTIVE_READDIR_UNLINK_THRESHOLD = 10
60 /* If the heuristics in preprocess_dir suggest that there
61 are fewer than this many entries in a directory, then it
62 skips the preprocessing altogether. */
63 enum
65 INODE_SORT_DIR_ENTRIES_THRESHOLD = 10000
68 /* FIXME: in 2009, or whenever Darwin 7.9.0 (aka MacOS X 10.3.9) is no
69 longer relevant, remove this work-around code. Then, there will be
70 no need to perform the extra rewinddir call, ever. */
71 #define NEED_REWIND(readdir_unlink_count) \
72 (CONSECUTIVE_READDIR_UNLINK_THRESHOLD <= (readdir_unlink_count))
74 enum Ternary
76 T_UNKNOWN = 2,
77 T_NO,
78 T_YES
80 typedef enum Ternary Ternary;
82 /* The prompt function may be called twice for a given directory.
83 The first time, we ask whether to descend into it, and the
84 second time, we ask whether to remove it. */
85 enum Prompt_action
87 PA_DESCEND_INTO_DIR = 2,
88 PA_REMOVE_DIR
91 /* Initial capacity of per-directory hash table of entries that have
92 been processed but not been deleted. */
93 enum { HT_UNREMOVABLE_INITIAL_CAPACITY = 13 };
95 /* An entry in the active directory stack.
96 Each entry corresponds to an `active' directory. */
97 struct AD_ent
99 /* For a given active directory, this is the set of names of
100 entries in that directory that could/should not be removed.
101 For example, `.' and `..', as well as files/dirs for which
102 unlink/rmdir failed e.g., due to access restrictions. */
103 Hash_table *unremovable;
105 /* Record the status for a given active directory; we need to know
106 whether an entry was not removed, either because of an error or
107 because the user declined. */
108 enum RM_status status;
110 /* The directory's dev/ino. Used to ensure that a malicious user does
111 not replace a directory we're about to process with a symlink to
112 some other directory. */
113 struct dev_ino dev_ino;
116 /* D_TYPE(D) is the type of directory entry D if known, DT_UNKNOWN
117 otherwise. */
118 #if HAVE_STRUCT_DIRENT_D_TYPE
119 # define D_TYPE(d) ((d)->d_type)
120 #else
121 # define D_TYPE(d) DT_UNKNOWN
123 /* Any int values will do here, so long as they're distinct.
124 Undef any existing macros out of the way. */
125 # undef DT_UNKNOWN
126 # undef DT_DIR
127 # undef DT_LNK
128 # define DT_UNKNOWN 0
129 # define DT_DIR 1
130 # define DT_LNK 2
131 #endif
133 struct dirstack_state
135 /* The name of the directory (starting with and relative to a command
136 line argument) being processed. When a subdirectory is entered, a new
137 component is appended (pushed). Remove (pop) the top component
138 upon chdir'ing out of a directory. This is used to form the full
139 name of the current directory or a file therein, when necessary. */
140 struct obstack dir_stack;
142 /* Stack of lengths of directory names (including trailing slash)
143 appended to dir_stack. We have to have a separate stack of lengths
144 (rather than just popping back to previous slash) because the first
145 element pushed onto the dir stack may contain slashes. */
146 struct obstack len_stack;
148 /* Stack of active directory entries.
149 The first `active' directory is the initial working directory.
150 Additional active dirs are pushed onto the stack as we `chdir'
151 into each directory to be processed. When finished with the
152 hierarchy under a directory, pop the active dir stack. */
153 struct obstack Active_dir;
155 /* Used to detect cycles. */
156 struct cycle_check_state cycle_check_state;
158 /* Target of a longjmp in case rm has to stop processing the current
159 command-line argument. This happens 1) when rm detects a directory
160 cycle or 2) when it has processed one or more directories, but then
161 is unable to return to the initial working directory to process
162 additional `.'-relative command-line arguments. */
163 jmp_buf current_arg_jumpbuf;
165 typedef struct dirstack_state Dirstack_state;
167 /* A static buffer and its allocated size, these variables are used by
168 xfull_filename and full_filename to form full, relative file names. */
169 static char *g_buf;
170 static size_t g_n_allocated;
172 /* Like fstatat, but cache the result. If ST->st_size is -1, the
173 status has not been gotten yet. If less than -1, fstatat failed
174 with errno == ST->st_ino. Otherwise, the status has already
175 been gotten, so return 0. */
176 static int
177 cache_fstatat (int fd, char const *file, struct stat *st, int flag)
179 if (st->st_size == -1 && fstatat (fd, file, st, flag) != 0)
181 st->st_size = -2;
182 st->st_ino = errno;
184 if (0 <= st->st_size)
185 return 0;
186 errno = (int) st->st_ino;
187 return -1;
190 /* Initialize a fstatat cache *ST. Return ST for convenience. */
191 static inline struct stat *
192 cache_stat_init (struct stat *st)
194 st->st_size = -1;
195 return st;
198 /* Return true if *ST has been statted. */
199 static inline bool
200 cache_statted (struct stat *st)
202 return (st->st_size != -1);
205 /* Return true if *ST has been statted successfully. */
206 static inline bool
207 cache_stat_ok (struct stat *st)
209 return (0 <= st->st_size);
213 static void
214 hash_freer (void *x)
216 free (x);
219 static bool
220 hash_compare_strings (void const *x, void const *y)
222 return STREQ (x, y) ? true : false;
225 /* Obstack allocator: longjump on failure. */
226 static void *
227 rm_malloc (void *v_jumpbuf, long size)
229 jmp_buf *jumpbuf = v_jumpbuf;
230 void *p = malloc (size);
231 if (p)
232 return p;
233 longjmp (*jumpbuf, 1);
236 /* With the 2-arg allocator, we must also provide a two-argument freer. */
237 static void
238 rm_free (void *v_jumpbuf ATTRIBUTE_UNUSED, void *ptr)
240 free (ptr);
243 static inline void
244 push_dir (Dirstack_state *ds, const char *dir_name)
246 size_t len = strlen (dir_name);
248 /* Don't copy trailing slashes. */
249 while (1 < len && dir_name[len - 1] == '/')
250 --len;
252 /* Append the string onto the stack. */
253 obstack_grow (&ds->dir_stack, dir_name, len);
255 /* Append a trailing slash. */
256 obstack_1grow (&ds->dir_stack, '/');
258 /* Add one for the slash. */
259 ++len;
261 /* Push the length (including slash) onto its stack. */
262 obstack_grow (&ds->len_stack, &len, sizeof (len));
265 /* Return the entry name of the directory on the top of the stack
266 in malloc'd storage. */
267 static inline char *
268 top_dir (Dirstack_state *ds)
270 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
271 size_t *length = obstack_base (&ds->len_stack);
272 size_t top_len = length[n_lengths - 1];
273 char const *p = obstack_next_free (&ds->dir_stack) - top_len;
274 char *q = malloc (top_len);
275 if (q == NULL)
276 longjmp (ds->current_arg_jumpbuf, 1);
277 memcpy (q, p, top_len - 1);
278 q[top_len - 1] = 0;
279 return q;
282 static inline void
283 pop_dir (Dirstack_state *ds)
285 size_t n_lengths = obstack_object_size (&ds->len_stack) / sizeof (size_t);
286 size_t *length = obstack_base (&ds->len_stack);
288 assert (n_lengths > 0);
289 size_t top_len = length[n_lengths - 1];
290 assert (top_len >= 2);
292 /* Pop the specified length of file name. */
293 assert (obstack_object_size (&ds->dir_stack) >= top_len);
294 obstack_blank (&ds->dir_stack, -top_len);
296 /* Pop the length stack, too. */
297 assert (obstack_object_size (&ds->len_stack) >= sizeof (size_t));
298 obstack_blank (&ds->len_stack, -(int) sizeof (size_t));
301 /* Copy the SRC_LEN bytes of data beginning at SRC into the DST_LEN-byte
302 buffer, DST, so that the last source byte is at the end of the destination
303 buffer. If SRC_LEN is longer than DST_LEN, then set *TRUNCATED.
304 Set *RESULT to point to the beginning of (the portion of) the source data
305 in DST. Return the number of bytes remaining in the destination buffer. */
307 static size_t
308 right_justify (char *dst, size_t dst_len, const char *src, size_t src_len,
309 char **result, bool *truncated)
311 const char *sp;
312 char *dp;
314 if (src_len <= dst_len)
316 sp = src;
317 dp = dst + (dst_len - src_len);
318 *truncated = false;
320 else
322 sp = src + (src_len - dst_len);
323 dp = dst;
324 src_len = dst_len;
325 *truncated = true;
328 *result = memcpy (dp, sp, src_len);
329 return dst_len - src_len;
332 /* Using the global directory name obstack, create the full name of FILENAME.
333 Return it in sometimes-realloc'd space that should not be freed by the
334 caller. Realloc as necessary. If realloc fails, return NULL. */
336 static char *
337 full_filename0 (Dirstack_state const *ds, const char *filename)
339 size_t dir_len = obstack_object_size (&ds->dir_stack);
340 char *dir_name = obstack_base (&ds->dir_stack);
341 size_t filename_len = strlen (filename);
342 size_t n_bytes_needed = dir_len + filename_len + 1;
344 if (g_n_allocated < n_bytes_needed)
346 char *new_buf = realloc (g_buf, n_bytes_needed);
347 if (new_buf == NULL)
348 return NULL;
350 g_buf = new_buf;
351 g_n_allocated = n_bytes_needed;
354 if (STREQ (filename, ".") && dir_len)
356 /* FILENAME is just `.' and dir_len is nonzero.
357 Copy the directory part, omitting the trailing slash,
358 and append a trailing zero byte. */
359 char *p = mempcpy (g_buf, dir_name, dir_len - 1);
360 *p = 0;
362 else
364 /* Copy the directory part, including trailing slash, and then
365 append the filename part, including a trailing zero byte. */
366 memcpy (mempcpy (g_buf, dir_name, dir_len), filename, filename_len + 1);
367 assert (strlen (g_buf) + 1 == n_bytes_needed);
370 return g_buf;
373 /* Using the global directory name obstack, create the full name of FILENAME.
374 Return it in sometimes-realloc'd space that should not be freed by the
375 caller. Realloc as necessary. If realloc fails, die. */
377 static char *
378 xfull_filename (Dirstack_state const *ds, const char *filename)
380 char *buf = full_filename0 (ds, filename);
381 if (buf == NULL)
382 xalloc_die ();
383 return buf;
386 /* Using the global directory name obstack, create the full name FILENAME.
387 Return it in sometimes-realloc'd space that should not be freed by the
388 caller. Realloc as necessary. If realloc fails, use a static buffer
389 and put as long a suffix in that buffer as possible. Be careful not
390 to change errno. */
392 #define full_filename(Filename) full_filename_ (ds, Filename)
393 static char *
394 full_filename_ (Dirstack_state const *ds, const char *filename)
396 int saved_errno = errno;
397 char *full_name = full_filename0 (ds, filename);
398 if (full_name)
400 errno = saved_errno;
401 return full_name;
405 #define SBUF_SIZE 512
406 #define ELLIPSES_PREFIX "[...]"
407 static char static_buf[SBUF_SIZE];
408 bool file_truncated;
409 bool dir_truncated;
410 size_t n_bytes_remaining;
411 char *p;
412 char *dir_name = obstack_base (&ds->dir_stack);
413 size_t dir_len = obstack_object_size (&ds->dir_stack);
415 free (g_buf);
416 n_bytes_remaining = right_justify (static_buf, SBUF_SIZE, filename,
417 strlen (filename) + 1, &p,
418 &file_truncated);
419 right_justify (static_buf, n_bytes_remaining, dir_name, dir_len,
420 &p, &dir_truncated);
421 if (file_truncated || dir_truncated)
423 memcpy (static_buf, ELLIPSES_PREFIX,
424 sizeof (ELLIPSES_PREFIX) - 1);
426 errno = saved_errno;
427 return p;
431 static inline size_t
432 AD_stack_height (Dirstack_state const *ds)
434 return obstack_object_size (&ds->Active_dir) / sizeof (struct AD_ent);
437 static inline struct AD_ent *
438 AD_stack_top (Dirstack_state const *ds)
440 return (struct AD_ent *)
441 ((char *) obstack_next_free (&ds->Active_dir) - sizeof (struct AD_ent));
444 static void
445 AD_stack_pop (Dirstack_state *ds)
447 assert (0 < AD_stack_height (ds));
449 /* operate on Active_dir. pop and free top entry */
450 struct AD_ent *top = AD_stack_top (ds);
451 if (top->unremovable)
452 hash_free (top->unremovable);
453 obstack_blank (&ds->Active_dir, -(int) sizeof (struct AD_ent));
456 static void
457 AD_stack_clear (Dirstack_state *ds)
459 while (0 < AD_stack_height (ds))
461 AD_stack_pop (ds);
465 /* Initialize obstack O just enough so that it may be freed
466 with obstack_free. */
467 static void
468 obstack_init_minimal (struct obstack *o)
470 o->chunk = NULL;
473 static void
474 ds_init (Dirstack_state *ds)
476 unsigned int i;
477 struct obstack *o[3];
478 o[0] = &ds->dir_stack;
479 o[1] = &ds->len_stack;
480 o[2] = &ds->Active_dir;
482 /* Ensure each of these is NULL, in case init/allocation
483 fails and we end up calling ds_free on all three while only
484 one or two has been initialized. */
485 for (i = 0; i < 3; i++)
486 obstack_init_minimal (o[i]);
488 for (i = 0; i < 3; i++)
489 obstack_specify_allocation_with_arg
490 (o[i], 0, 0, rm_malloc, rm_free, &ds->current_arg_jumpbuf);
493 static void
494 ds_clear (Dirstack_state *ds)
496 obstack_free (&ds->dir_stack, obstack_finish (&ds->dir_stack));
497 obstack_free (&ds->len_stack, obstack_finish (&ds->len_stack));
498 while (0 < AD_stack_height (ds))
499 AD_stack_pop (ds);
500 obstack_free (&ds->Active_dir, obstack_finish (&ds->Active_dir));
503 static void
504 ds_free (Dirstack_state *ds)
506 obstack_free (&ds->dir_stack, NULL);
507 obstack_free (&ds->len_stack, NULL);
508 obstack_free (&ds->Active_dir, NULL);
511 /* Pop the active directory (AD) stack and prepare to move `up' one level,
512 safely. Moving `up' usually means opening `..', but when we've just
513 finished recursively processing a command-line directory argument,
514 there's nothing left on the stack, so set *FDP to AT_FDCWD in that case.
515 The idea is to return with *FDP opened on the parent directory,
516 assuming there are entries in that directory that we need to remove.
518 Note that we must not call opendir (or fdopendir) just yet, since
519 the caller must first remove the directory we're coming from.
520 That is because some file system implementations cache readdir
521 results at opendir time; so calling opendir, rmdir, readdir would
522 return an entry for the just-removed directory.
524 Whenever using chdir '..' (virtually, now, via openat), verify
525 that the post-chdir dev/ino numbers for `.' match the saved ones.
526 If any system call fails or if dev/ino don't match, then give a
527 diagnostic and longjump out.
528 Return the name (in malloc'd storage) of the
529 directory (usually now empty) from which we're coming, and which
530 corresponds to the input value of DIRP.
532 Finally, note that while this function's name is no longer as
533 accurate as it once was (it no longer calls chdir), it does open
534 the destination directory. */
535 static char *
536 AD_pop_and_chdir (DIR *dirp, int *fdp, Dirstack_state *ds)
538 struct AD_ent *leaf_dir_ent = AD_stack_top(ds);
539 struct dev_ino leaf_dev_ino = leaf_dir_ent->dev_ino;
540 enum RM_status old_status = leaf_dir_ent->status;
541 struct AD_ent *top;
543 /* Get the name of the current (but soon to be `previous') directory
544 from the top of the stack. */
545 char *prev_dir = top_dir (ds);
547 AD_stack_pop (ds);
548 pop_dir (ds);
549 top = AD_stack_top (ds);
551 /* If the directory we're about to leave (and try to rmdir)
552 is the one whose dev_ino is being used to detect a cycle,
553 reset cycle_check_state.dev_ino to that of the parent.
554 Otherwise, once that directory is removed, its dev_ino
555 could be reused in the creation (by some other process)
556 of a directory that this rm process would encounter,
557 which would result in a false-positive cycle indication. */
558 CYCLE_CHECK_REFLECT_CHDIR_UP (&ds->cycle_check_state,
559 top->dev_ino, leaf_dev_ino);
561 /* Propagate any failure to parent. */
562 UPDATE_STATUS (top->status, old_status);
564 assert (AD_stack_height (ds));
566 if (1 < AD_stack_height (ds))
568 struct stat sb;
569 int fd = openat (dirfd (dirp), "..", O_RDONLY);
570 if (closedir (dirp) != 0)
572 error (0, errno, _("FATAL: failed to close directory %s"),
573 quote (full_filename (prev_dir)));
574 goto next_cmdline_arg;
577 /* The above fails with EACCES when DIRP is readable but not
578 searchable, when using Solaris' openat. Without this openat
579 call, tests/rm2 would fail to remove directories a/2 and a/3. */
580 if (fd < 0)
581 fd = openat (AT_FDCWD, xfull_filename (ds, "."), O_RDONLY);
583 if (fd < 0)
585 error (0, errno, _("FATAL: cannot open .. from %s"),
586 quote (full_filename (prev_dir)));
587 goto next_cmdline_arg;
590 if (fstat (fd, &sb))
592 error (0, errno,
593 _("FATAL: cannot ensure %s (returned to via ..) is safe"),
594 quote (full_filename (".")));
595 goto close_and_next;
598 /* Ensure that post-chdir dev/ino match the stored ones. */
599 if ( ! SAME_INODE (sb, top->dev_ino))
601 error (0, 0, _("FATAL: directory %s changed dev/ino"),
602 quote (full_filename (".")));
603 close_and_next:;
604 close (fd);
606 next_cmdline_arg:;
607 free (prev_dir);
608 longjmp (ds->current_arg_jumpbuf, 1);
610 *fdp = fd;
612 else
614 if (closedir (dirp) != 0)
616 error (0, errno, _("FATAL: failed to close directory %s"),
617 quote (full_filename (prev_dir)));
618 goto next_cmdline_arg;
620 *fdp = AT_FDCWD;
623 return prev_dir;
626 /* Initialize *HT if it is NULL. Return *HT. */
627 static Hash_table *
628 AD_ensure_initialized (Hash_table **ht)
630 if (*ht == NULL)
632 *ht = hash_initialize (HT_UNREMOVABLE_INITIAL_CAPACITY, NULL, hash_pjw,
633 hash_compare_strings, hash_freer);
634 if (*ht == NULL)
635 xalloc_die ();
638 return *ht;
641 /* Initialize *HT if it is NULL.
642 Insert FILENAME into HT. */
643 static void
644 AD_mark_helper (Hash_table **ht, char *filename)
646 void *ent = hash_insert (AD_ensure_initialized (ht), filename);
647 if (ent == NULL)
648 xalloc_die ();
649 else
651 if (ent != filename)
652 free (filename);
656 /* Mark FILENAME (in current directory) as unremovable. */
657 static void
658 AD_mark_as_unremovable (Dirstack_state *ds, char const *filename)
660 AD_mark_helper (&AD_stack_top(ds)->unremovable, xstrdup (filename));
663 /* Mark the current directory as unremovable. I.e., mark the entry
664 in the parent directory corresponding to `.'.
665 This happens e.g., when an opendir fails and the only name
666 the caller has conveniently at hand is `.'. */
667 static void
668 AD_mark_current_as_unremovable (Dirstack_state *ds)
670 struct AD_ent *top = AD_stack_top (ds);
671 char *curr = top_dir (ds);
673 assert (1 < AD_stack_height (ds));
675 --top;
676 AD_mark_helper (&top->unremovable, curr);
679 /* Push an initial dummy entry onto the stack.
680 This will always be the bottommost entry on the stack. */
681 static void
682 AD_push_initial (Dirstack_state *ds)
684 struct AD_ent *top;
686 /* Extend the stack. */
687 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
689 /* Fill in the new values. */
690 top = AD_stack_top (ds);
691 top->unremovable = NULL;
693 /* These should never be used.
694 Give them values that might look suspicious
695 in a debugger or in a diagnostic. */
696 top->dev_ino.st_dev = TYPE_MAXIMUM (dev_t);
697 top->dev_ino.st_ino = TYPE_MAXIMUM (ino_t);
700 /* Push info about the current working directory (".") onto the
701 active directory stack. DIR is the ./-relative name through
702 which we've just `chdir'd to this directory. DIR_SB_FROM_PARENT
703 is the result of calling lstat on DIR from the parent of DIR.
704 Longjump out (skipping the entire command line argument we're
705 dealing with) if `fstat (FD_CWD, ...' fails or if someone has
706 replaced DIR with e.g., a symlink to some other directory. */
707 static void
708 AD_push (int fd_cwd, Dirstack_state *ds, char const *dir,
709 struct stat const *dir_sb_from_parent)
711 struct AD_ent *top;
713 push_dir (ds, dir);
715 /* If our uses of openat are guaranteed not to
716 follow a symlink, then we can skip this check. */
717 if (! HAVE_WORKING_O_NOFOLLOW)
719 struct stat sb;
720 if (fstat (fd_cwd, &sb) != 0)
722 error (0, errno, _("FATAL: cannot enter directory %s"),
723 quote (full_filename (".")));
724 longjmp (ds->current_arg_jumpbuf, 1);
727 if ( ! SAME_INODE (sb, *dir_sb_from_parent))
729 error (0, 0,
730 _("FATAL: just-changed-to directory %s changed dev/ino"),
731 quote (full_filename (".")));
732 longjmp (ds->current_arg_jumpbuf, 1);
736 if (cycle_check (&ds->cycle_check_state, dir_sb_from_parent))
738 error (0, 0, _("\
739 WARNING: Circular directory structure.\n\
740 This almost certainly means that you have a corrupted file system.\n\
741 NOTIFY YOUR SYSTEM MANAGER.\n\
742 The following directory is part of the cycle:\n %s\n"),
743 quote (full_filename (".")));
744 longjmp (ds->current_arg_jumpbuf, 1);
747 /* Extend the stack. */
748 obstack_blank (&ds->Active_dir, sizeof (struct AD_ent));
750 /* The active directory stack must be one larger than the length stack. */
751 assert (AD_stack_height (ds) ==
752 1 + obstack_object_size (&ds->len_stack) / sizeof (size_t));
754 /* Fill in the new values. */
755 top = AD_stack_top (ds);
756 top->dev_ino.st_dev = dir_sb_from_parent->st_dev;
757 top->dev_ino.st_ino = dir_sb_from_parent->st_ino;
758 top->unremovable = NULL;
761 static inline bool
762 AD_is_removable (Dirstack_state const *ds, char const *file)
764 struct AD_ent *top = AD_stack_top (ds);
765 return ! (top->unremovable && hash_lookup (top->unremovable, file));
768 /* Return 1 if FILE is an unwritable non-symlink,
769 0 if it is writable or some other type of file,
770 -1 and set errno if there is some problem in determining the answer.
771 Set *BUF to the file status.
772 This is to avoid calling euidaccess when FILE is a symlink. */
773 static int
774 write_protected_non_symlink (int fd_cwd,
775 char const *file,
776 Dirstack_state const *ds,
777 struct stat *buf)
779 if (can_write_any_file ())
780 return 0;
781 if (cache_fstatat (fd_cwd, file, buf, AT_SYMLINK_NOFOLLOW) != 0)
782 return -1;
783 if (S_ISLNK (buf->st_mode))
784 return 0;
785 /* Here, we know FILE is not a symbolic link. */
787 /* In order to be reentrant -- i.e., to avoid changing the working
788 directory, and at the same time to be able to deal with alternate
789 access control mechanisms (ACLs, xattr-style attributes) and
790 arbitrarily deep trees -- we need a function like eaccessat, i.e.,
791 like Solaris' eaccess, but fd-relative, in the spirit of openat. */
793 /* In the absence of a native eaccessat function, here are some of
794 the implementation choices [#4 and #5 were suggested by Paul Eggert]:
795 1) call openat with O_WRONLY|O_NOCTTY
796 Disadvantage: may create the file and doesn't work for directory,
797 may mistakenly report `unwritable' for EROFS or ACLs even though
798 perm bits say the file is writable.
800 2) fake eaccessat (save_cwd, fchdir, call euidaccess, restore_cwd)
801 Disadvantage: changes working directory (not reentrant) and can't
802 work if save_cwd fails.
804 3) if (euidaccess (xfull_filename (file), W_OK) == 0)
805 Disadvantage: doesn't work if xfull_filename is too long.
806 Inefficient for very deep trees (O(Depth^2)).
808 4) If the full pathname is sufficiently short (say, less than
809 PATH_MAX or 8192 bytes, whichever is shorter):
810 use method (3) (i.e., euidaccess (xfull_filename (file), W_OK));
811 Otherwise: vfork, fchdir in the child, run euidaccess in the
812 child, then the child exits with a status that tells the parent
813 whether euidaccess succeeded.
815 This avoids the O(N**2) algorithm of method (3), and it also avoids
816 the failure-due-to-too-long-file-names of method (3), but it's fast
817 in the normal shallow case. It also avoids the lack-of-reentrancy
818 and the save_cwd problems.
819 Disadvantage; it uses a process slot for very-long file names,
820 and would be very slow for hierarchies with many such files.
822 5) If the full file name is sufficiently short (say, less than
823 PATH_MAX or 8192 bytes, whichever is shorter):
824 use method (3) (i.e., euidaccess (xfull_filename (file), W_OK));
825 Otherwise: look just at the file bits. Perhaps issue a warning
826 the first time this occurs.
828 This is like (4), except for the "Otherwise" case where it isn't as
829 "perfect" as (4) but is considerably faster. It conforms to current
830 POSIX, and is uniformly better than what Solaris and FreeBSD do (they
831 mess up with long file names). */
834 /* This implements #5: */
835 size_t file_name_len
836 = obstack_object_size (&ds->dir_stack) + strlen (file);
838 if (MIN (PATH_MAX, 8192) <= file_name_len)
839 return ! euidaccess_stat (buf, W_OK);
840 if (euidaccess (xfull_filename (ds, file), W_OK) == 0)
841 return 0;
842 if (errno == EACCES)
844 errno = 0;
845 return 1;
848 /* Perhaps some other process has removed the file, or perhaps this
849 is a buggy NFS client. */
850 return -1;
854 /* Prompt whether to remove FILENAME, if required via a combination of
855 the options specified by X and/or file attributes. If the file may
856 be removed, return RM_OK. If the user declines to remove the file,
857 return RM_USER_DECLINED. If not ignoring missing files and we
858 cannot lstat FILENAME, then return RM_ERROR.
860 *PDIRENT_TYPE is the type of the directory entry; update it to DT_DIR
861 or DT_LNK as needed. *SBUF is the file's status.
863 Depending on MODE, ask whether to `descend into' or to `remove' the
864 directory FILENAME. MODE is ignored when FILENAME is not a directory.
865 Set *IS_EMPTY to T_YES if FILENAME is an empty directory, and it is
866 appropriate to try to remove it with rmdir (e.g. recursive mode).
867 Don't even try to set *IS_EMPTY when MODE == PA_REMOVE_DIR. */
868 static enum RM_status
869 prompt (int fd_cwd, Dirstack_state const *ds, char const *filename,
870 int *pdirent_type, struct stat *sbuf,
871 struct rm_options const *x, enum Prompt_action mode,
872 Ternary *is_empty)
874 int write_protected = 0;
875 int dirent_type = *pdirent_type;
877 *is_empty = T_UNKNOWN;
879 if (x->interactive == RMI_NEVER)
880 return RM_OK;
882 int wp_errno = 0;
884 if (!x->ignore_missing_files
885 && ((x->interactive == RMI_ALWAYS) || x->stdin_tty)
886 && dirent_type != DT_LNK)
888 write_protected = write_protected_non_symlink (fd_cwd, filename, ds, sbuf);
889 wp_errno = errno;
892 if (write_protected || x->interactive == RMI_ALWAYS)
894 if (0 <= write_protected && dirent_type == DT_UNKNOWN)
896 if (cache_fstatat (fd_cwd, filename, sbuf, AT_SYMLINK_NOFOLLOW) == 0)
898 if (S_ISLNK (sbuf->st_mode))
899 dirent_type = DT_LNK;
900 else if (S_ISDIR (sbuf->st_mode))
901 dirent_type = DT_DIR;
902 /* Otherwise it doesn't matter, so leave it DT_UNKNOWN. */
903 *pdirent_type = dirent_type;
905 else
907 /* This happens, e.g., with `rm '''. */
908 write_protected = -1;
909 wp_errno = errno;
913 if (0 <= write_protected)
914 switch (dirent_type)
916 case DT_LNK:
917 /* Using permissions doesn't make sense for symlinks. */
918 if (x->interactive != RMI_ALWAYS)
919 return RM_OK;
920 break;
922 case DT_DIR:
923 if (!x->recursive)
925 write_protected = -1;
926 wp_errno = EISDIR;
928 break;
931 char const *quoted_name = quote (full_filename (filename));
933 if (write_protected < 0)
935 error (0, wp_errno, _("cannot remove %s"), quoted_name);
936 return RM_ERROR;
939 /* Issue the prompt. */
940 /* FIXME: use a variant of error (instead of fprintf) that doesn't
941 append a newline. Then we won't have to declare program_name in
942 this file. */
943 if (dirent_type == DT_DIR
944 && mode == PA_DESCEND_INTO_DIR
945 && ((*is_empty = (is_empty_dir (fd_cwd, filename) ? T_YES : T_NO))
946 == T_NO))
947 fprintf (stderr,
948 (write_protected
949 ? _("%s: descend into write-protected directory %s? ")
950 : _("%s: descend into directory %s? ")),
951 program_name, quoted_name);
952 else
954 if (cache_fstatat (fd_cwd, filename, sbuf, AT_SYMLINK_NOFOLLOW) != 0)
956 error (0, errno, _("cannot remove %s"), quoted_name);
957 return RM_ERROR;
960 fprintf (stderr,
961 (write_protected
962 /* TRANSLATORS: You may find it more convenient to
963 translate "%s: remove %s (write-protected) %s? "
964 instead. It should avoid grammatical problems
965 with the output of file_type. */
966 ? _("%s: remove write-protected %s %s? ")
967 : _("%s: remove %s %s? ")),
968 program_name, file_type (sbuf), quoted_name);
971 if (!yesno ())
972 return RM_USER_DECLINED;
974 return RM_OK;
977 /* Return true if FILENAME is a directory (and not a symlink to a directory).
978 Otherwise, including the case in which lstat fails, return false.
979 *ST is FILENAME's tstatus.
980 Do not modify errno. */
981 static inline bool
982 is_dir_lstat (int fd_cwd, char const *filename, struct stat *st)
984 int saved_errno = errno;
985 bool is_dir =
986 (cache_fstatat (fd_cwd, filename, st, AT_SYMLINK_NOFOLLOW) == 0
987 && S_ISDIR (st->st_mode));
988 errno = saved_errno;
989 return is_dir;
992 /* Return true if FILENAME is a non-directory.
993 Otherwise, including the case in which lstat fails, return false.
994 *ST is FILENAME's tstatus.
995 Do not modify errno. */
996 static inline bool
997 is_nondir_lstat (int fd_cwd, char const *filename, struct stat *st)
999 int saved_errno = errno;
1000 bool is_non_dir =
1001 (cache_fstatat (fd_cwd, filename, st, AT_SYMLINK_NOFOLLOW) == 0
1002 && !S_ISDIR (st->st_mode));
1003 errno = saved_errno;
1004 return is_non_dir;
1007 #define DO_UNLINK(Fd_cwd, Filename, X) \
1008 do \
1010 if (unlinkat (Fd_cwd, Filename, 0) == 0) \
1012 if ((X)->verbose) \
1013 printf (_("removed %s\n"), quote (full_filename (Filename))); \
1014 return RM_OK; \
1017 if (ignorable_missing (X, errno)) \
1018 return RM_OK; \
1020 while (0)
1022 #define DO_RMDIR(Fd_cwd, Filename, X) \
1023 do \
1025 if (unlinkat (Fd_cwd, Filename, AT_REMOVEDIR) == 0) /* rmdir */ \
1027 if ((X)->verbose) \
1028 printf (_("removed directory: %s\n"), \
1029 quote (full_filename (Filename))); \
1030 return RM_OK; \
1033 if (ignorable_missing (X, errno)) \
1034 return RM_OK; \
1036 if (errno == ENOTEMPTY || errno == EEXIST) \
1037 return RM_NONEMPTY_DIR; \
1039 while (0)
1041 /* When a function like unlink, rmdir, or fstatat fails with an errno
1042 value of ERRNUM, return true if the specified file system object
1043 is guaranteed not to exist; otherwise, return false. */
1044 static inline bool
1045 nonexistent_file_errno (int errnum)
1047 /* Do not include ELOOP here, since the specified file may indeed
1048 exist, but be (in)accessible only via too long a symlink chain.
1049 Likewise for ENAMETOOLONG, since rm -f ./././.../foo may fail
1050 if the "..." part expands to a long enough sequence of "./"s,
1051 even though ./foo does indeed exist. */
1053 switch (errnum)
1055 case ENOENT:
1056 case ENOTDIR:
1057 return true;
1058 default:
1059 return false;
1063 /* Encapsulate the test for whether the errno value, ERRNUM, is ignorable. */
1064 static inline bool
1065 ignorable_missing (struct rm_options const *x, int errnum)
1067 return x->ignore_missing_files && nonexistent_file_errno (errnum);
1070 /* Remove the file or directory specified by FILENAME.
1071 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not.
1072 But if FILENAME specifies a non-empty directory, return RM_NONEMPTY_DIR. */
1074 static enum RM_status
1075 remove_entry (int fd_cwd, Dirstack_state const *ds, char const *filename,
1076 int dirent_type_arg, struct stat *st,
1077 struct rm_options const *x)
1079 Ternary is_empty_directory;
1080 enum RM_status s = prompt (fd_cwd, ds, filename, &dirent_type_arg, st, x,
1081 PA_DESCEND_INTO_DIR,
1082 &is_empty_directory);
1083 int dirent_type = dirent_type_arg;
1084 if (s != RM_OK)
1085 return s;
1087 /* Why bother with the following if/else block? Because on systems with
1088 an unlink function that *can* unlink directories, we must determine the
1089 type of each entry before removing it. Otherwise, we'd risk unlinking
1090 an entire directory tree simply by unlinking a single directory; then
1091 all the storage associated with that hierarchy would not be freed until
1092 the next fsck. Not nice. To avoid that, on such slightly losing
1093 systems, we need to call lstat to determine the type of each entry,
1094 and that represents extra overhead that -- it turns out -- we can
1095 avoid on non-losing systems, since there, unlink will never remove
1096 a directory. Also, on systems where unlink may unlink directories,
1097 we're forced to allow a race condition: we lstat a non-directory, then
1098 go to unlink it, but in the mean time, a malicious someone could have
1099 replaced it with a directory. */
1101 if (cannot_unlink_dir ())
1103 if (dirent_type == DT_DIR && ! x->recursive)
1105 error (0, EISDIR, _("cannot remove %s"),
1106 quote (full_filename (filename)));
1107 return RM_ERROR;
1110 /* is_empty_directory is set iff it's ok to use rmdir.
1111 Note that it's set only in interactive mode -- in which case it's
1112 an optimization that arranges so that the user is asked just
1113 once whether to remove the directory. */
1114 if (is_empty_directory == T_YES)
1115 DO_RMDIR (fd_cwd, filename, x);
1117 /* If we happen to know that FILENAME is a directory, return now
1118 and let the caller remove it -- this saves the overhead of a failed
1119 unlink call. If FILENAME is a command-line argument, then
1120 DIRENT_TYPE is DT_UNKNOWN so we'll first try to unlink it.
1121 Using unlink here is ok, because it cannot remove a
1122 directory. */
1123 if (dirent_type == DT_DIR)
1124 return RM_NONEMPTY_DIR;
1126 DO_UNLINK (fd_cwd, filename, x);
1128 /* Upon a failed attempt to unlink a directory, most non GNU/Linux
1129 systems set errno to the POSIX-required value EPERM. In that case,
1130 change errno to EISDIR so that we emit a better diagnostic. */
1131 if (! x->recursive && errno == EPERM && is_dir_lstat (fd_cwd,
1132 filename, st))
1133 errno = EISDIR;
1135 if (! x->recursive
1136 || (cache_stat_ok (st) && !S_ISDIR (st->st_mode))
1137 || ((errno == EACCES || errno == EPERM)
1138 && is_nondir_lstat (fd_cwd, filename, st))
1141 if (ignorable_missing (x, errno))
1142 return RM_OK;
1144 /* Either --recursive is not in effect, or the file cannot be a
1145 directory. Report the unlink problem and fail. */
1146 error (0, errno, _("cannot remove %s"),
1147 quote (full_filename (filename)));
1148 return RM_ERROR;
1150 assert (!cache_stat_ok (st) || S_ISDIR (st->st_mode));
1152 else
1154 /* If we don't already know whether FILENAME is a directory,
1155 find out now. Then, if it's a non-directory, we can use
1156 unlink on it. */
1158 if (dirent_type == DT_UNKNOWN)
1160 if (fstatat (fd_cwd, filename, st, AT_SYMLINK_NOFOLLOW))
1162 if (ignorable_missing (x, errno))
1163 return RM_OK;
1165 error (0, errno, _("cannot remove %s"),
1166 quote (full_filename (filename)));
1167 return RM_ERROR;
1170 if (S_ISDIR (st->st_mode))
1171 dirent_type = DT_DIR;
1174 if (dirent_type != DT_DIR)
1176 /* At this point, barring race conditions, FILENAME is known
1177 to be a non-directory, so it's ok to try to unlink it. */
1178 DO_UNLINK (fd_cwd, filename, x);
1180 /* unlink failed with some other error code. report it. */
1181 error (0, errno, _("cannot remove %s"),
1182 quote (full_filename (filename)));
1183 return RM_ERROR;
1186 if (! x->recursive)
1188 error (0, EISDIR, _("cannot remove %s"),
1189 quote (full_filename (filename)));
1190 return RM_ERROR;
1193 if (is_empty_directory == T_YES)
1195 DO_RMDIR (fd_cwd, filename, x);
1196 /* Don't diagnose any failure here.
1197 It'll be detected when the caller tries another way. */
1201 return RM_NONEMPTY_DIR;
1204 /* Given FD_CWD, the file descriptor for an open directory,
1205 open its subdirectory F (F is already `known' to be a directory,
1206 so if it is no longer one, someone is playing games), return a DIR*
1207 pointer for F, and put F's `stat' data in *SUBDIR_SB.
1208 Upon failure give a diagnostic and return NULL.
1209 If PREV_ERRNO is nonzero, it is the errno value from a preceding failed
1210 unlink- or rmdir-like system call -- use that value instead of ENOTDIR
1211 if an opened file turns out not to be a directory. This is important
1212 when the preceding non-dir-unlink failed due to e.g., EPERM or EACCES.
1213 The caller must use a nonnnull CWD_ERRNO the first
1214 time this function is called for each command-line-specified directory.
1215 If CWD_ERRNO is not null, set *CWD_ERRNO to the appropriate error number
1216 if this function fails to restore the initial working directory.
1217 If it is null, report an error and exit if the working directory
1218 isn't restored. */
1219 static DIR *
1220 fd_to_subdirp (int fd_cwd, char const *f,
1221 int prev_errno,
1222 struct stat *subdir_sb,
1223 int *cwd_errno ATTRIBUTE_UNUSED)
1225 int open_flags = O_RDONLY | O_NOCTTY | O_NOFOLLOW | O_NONBLOCK;
1226 int fd_sub = openat_permissive (fd_cwd, f, open_flags, 0, cwd_errno);
1227 int saved_errno;
1229 /* Record dev/ino of F. We may compare them against saved values
1230 to thwart any attempt to subvert the traversal. They are also used
1231 to detect directory cycles. */
1232 if (fd_sub < 0)
1233 return NULL;
1234 else if (fstat (fd_sub, subdir_sb) != 0)
1235 saved_errno = errno;
1236 else if (S_ISDIR (subdir_sb->st_mode))
1238 DIR *subdir_dirp = fdopendir (fd_sub);
1239 if (subdir_dirp)
1240 return subdir_dirp;
1241 saved_errno = errno;
1243 else
1244 saved_errno = (prev_errno ? prev_errno : ENOTDIR);
1246 close (fd_sub);
1247 errno = saved_errno;
1248 return NULL;
1251 struct readdir_data
1253 ino_t ino;
1254 char name[FLEXIBLE_ARRAY_MEMBER];
1257 #if HAVE_STRUCT_DIRENT_D_TYPE
1258 /* A comparison function to sort on increasing inode number. */
1259 static int
1260 compare_ino (void const *av, void const *bv)
1262 struct readdir_data const *const *a = av;
1263 struct readdir_data const *const *b = bv;
1264 return (a[0]->ino < b[0]->ino ? -1
1265 : b[0]->ino < a[0]->ino ? 1 : 0);
1268 /* Return an approximation of the maximum number of dirent entries
1269 in a directory with stat data *ST. */
1270 static size_t
1271 dirent_count (struct stat const *st)
1273 return st->st_size / 16;
1276 #if defined __linux__ \
1277 && HAVE_SYS_VFS_H && HAVE_FSTATFS && HAVE_STRUCT_STATFS_F_TYPE
1278 # include <sys/vfs.h>
1279 # include "fs.h"
1281 /* Return false if it is easy to determine the file system type of
1282 the directory on which DIR_FD is open, and sorting dirents on
1283 inode numbers is known not to improve traversal performance with
1284 that type of file system. Otherwise, return true. */
1285 static bool
1286 dirent_inode_sort_may_be_useful (int dir_fd)
1288 /* Skip the sort only if we can determine efficiently
1289 that skipping it is the right thing to do.
1290 The cost of performing an unnecessary sort is negligible,
1291 while the cost of *not* performing it can be O(N^2) with
1292 a very large constant. */
1293 struct statfs fs_buf;
1295 /* If fstatfs fails, assume sorting would be useful. */
1296 if (fstatfs (dir_fd, &fs_buf) != 0)
1297 return true;
1299 /* FIXME: what about when f_type is not an integral type?
1300 deal with that if/when it's encountered. */
1301 switch (fs_buf.f_type)
1303 case S_MAGIC_TMPFS:
1304 case S_MAGIC_NFS:
1305 /* On a file system of any of these types, sorting
1306 is unnecessary, and hence wasteful. */
1307 return false;
1309 default:
1310 return true;
1313 # else /* !HAVE_STRUCT_STATFS_F_TYPE */
1314 static bool dirent_inode_sort_may_be_useful (int dir_fd) { return true; }
1315 # endif /* !HAVE_STRUCT_STATFS_F_TYPE */
1316 #endif /* HAVE_STRUCT_DIRENT_D_TYPE */
1318 /* When a directory contains very many entries, operating on N entries in
1319 readdir order can be very seek-intensive (be it to unlink or even to
1320 merely stat each entry), to the point that it results in O(N^2) work.
1321 This is file-system-specific: ext3 and ext4 (as of 2008) are susceptible,
1322 but tmpfs is not. The general solution is to process entries in inode
1323 order. That means reading all entries, and sorting them before operating
1324 on any. As such, it is useful only on systems with useful dirent.d_ino.
1325 Since 'rm -r's removal process must traverse into directories and since
1326 this preprocessing phase can allocate O(N) storage, here we store and
1327 sort only non-directory entries, and then remove all of those, so that we
1328 can free all allocated storage before traversing into any subdirectory.
1329 Perform this optimization only when not interactive and not in verbose
1330 mode, to keep the implementation simple and to minimize duplication.
1331 Upon failure, simply free any resources and return. */
1332 static void
1333 preprocess_dir (DIR **dirp, struct rm_options const *x)
1335 #if HAVE_STRUCT_DIRENT_D_TYPE
1337 struct stat st;
1338 /* There are many reasons to return right away, skipping this
1339 optimization. The penalty for being wrong is that we will
1340 perform a small amount of extra work.
1342 Skip this optimization if... */
1344 int dir_fd = dirfd (*dirp);
1345 if (/* - there is a chance of interactivity */
1346 x->interactive != RMI_NEVER
1348 /* - we're in verbose mode */
1349 || x->verbose
1351 /* - privileged users can unlink nonempty directories.
1352 Otherwise, there'd be a race condition between the readdir
1353 call (in which we learn dirent.d_type) and the unlink, by
1354 which time the non-directory may be replaced with a directory. */
1355 || ! cannot_unlink_dir ()
1357 /* - we can't fstat the file descriptor */
1358 || fstat (dir_fd, &st) != 0
1360 /* - the directory is smaller than some threshold.
1361 Estimate the number of inodes with a heuristic.
1362 There's no significant benefit to sorting if there are
1363 too few inodes. */
1364 || dirent_count (&st) < INODE_SORT_DIR_ENTRIES_THRESHOLD
1366 /* Sort only if it might help. */
1367 || ! dirent_inode_sort_may_be_useful (dir_fd))
1368 return;
1370 /* FIXME: maybe test file system type, too; skip if it's tmpfs: see fts.c */
1372 struct obstack o_readdir_data; /* readdir data: inode,name pairs */
1373 struct obstack o_p; /* an array of pointers to each inode,name pair */
1375 /* Arrange to longjmp upon obstack allocation failure. */
1376 jmp_buf readdir_jumpbuf;
1377 if (setjmp (readdir_jumpbuf))
1378 goto cleanup;
1380 obstack_init_minimal (&o_readdir_data);
1381 obstack_init_minimal (&o_p);
1383 obstack_specify_allocation_with_arg (&o_readdir_data, 0, 0,
1384 rm_malloc, rm_free, &readdir_jumpbuf);
1385 obstack_specify_allocation_with_arg (&o_p, 0, 0,
1386 rm_malloc, rm_free, &readdir_jumpbuf);
1388 /* Read all entries, storing <d_ino, d_name> for each non-dir one.
1389 Maintain a parallel list of pointers into the primary buffer. */
1390 while (1)
1392 struct dirent const *dp;
1393 dp = readdir_ignoring_dot_and_dotdot (*dirp);
1394 /* no need to distinguish EOF from failure */
1395 if (dp == NULL)
1396 break;
1398 /* Skip known-directory and type-unknown entries. */
1399 if (D_TYPE (dp) == DT_UNKNOWN || D_TYPE (dp) == DT_DIR)
1400 break;
1402 size_t name_len = strlen (dp->d_name);
1403 size_t ent_len = offsetof (struct readdir_data, name) + name_len + 1;
1404 struct readdir_data *v = obstack_alloc (&o_readdir_data, ent_len);
1405 v->ino = D_INO (dp);
1406 memcpy (v->name, dp->d_name, name_len + 1);
1408 /* Append V to the list of pointers. */
1409 obstack_ptr_grow (&o_p, v);
1412 /* Compute size and finalize VV. */
1413 size_t n = obstack_object_size (&o_p) / sizeof (void *);
1414 struct readdir_data **vv = obstack_finish (&o_p);
1416 /* Sort on inode number. */
1417 qsort(vv, n, sizeof *vv, compare_ino);
1419 /* Iterate through those pointers, unlinking each name. */
1420 for (size_t i = 0; i < n; i++)
1422 /* ignore failure */
1423 unlinkat (dir_fd, vv[i]->name, 0);
1426 cleanup:
1427 obstack_free (&o_readdir_data, NULL);
1428 obstack_free (&o_p, NULL);
1429 rewinddir (*dirp);
1430 #endif
1433 /* Remove entries in the directory open on DIRP
1434 Upon finding a directory that is both non-empty and that can be chdir'd
1435 into, return RM_OK and set *SUBDIR and fill in SUBDIR_SB, where
1436 SUBDIR is the malloc'd name of the subdirectory if the chdir succeeded,
1437 NULL otherwise (e.g., if opendir failed or if there was no subdirectory).
1438 Likewise, SUBDIR_SB is the result of calling lstat on SUBDIR.
1439 Return RM_OK if all entries are removed. Return RM_ERROR if any
1440 entry cannot be removed. Otherwise, return RM_USER_DECLINED if
1441 the user declines to remove at least one entry. Remove as much as
1442 possible, continuing even if we fail to remove some entries. */
1443 static enum RM_status
1444 remove_cwd_entries (DIR **dirp,
1445 Dirstack_state *ds, char **subdir, struct stat *subdir_sb,
1446 struct rm_options const *x)
1448 struct AD_ent *top = AD_stack_top (ds);
1449 enum RM_status status = top->status;
1450 size_t n_unlinked_since_opendir_or_last_rewind = 0;
1452 assert (VALID_STATUS (status));
1453 *subdir = NULL;
1455 /* This is just an optimization.
1456 It's not a fatal problem if it fails. */
1457 preprocess_dir (dirp, x);
1459 while (1)
1461 struct dirent const *dp;
1462 enum RM_status tmp_status;
1463 const char *f;
1465 /* Set errno to zero so we can distinguish between a readdir failure
1466 and when readdir simply finds that there are no more entries. */
1467 errno = 0;
1468 dp = readdir_ignoring_dot_and_dotdot (*dirp);
1469 if (dp == NULL)
1471 if (errno)
1473 /* fall through */
1475 else if (NEED_REWIND (n_unlinked_since_opendir_or_last_rewind))
1477 /* Call rewinddir if we've called unlink or rmdir so many times
1478 (since the opendir or the previous rewinddir) that this
1479 NULL-return may be the symptom of a buggy readdir. */
1480 rewinddir (*dirp);
1481 n_unlinked_since_opendir_or_last_rewind = 0;
1482 continue;
1484 break;
1487 f = dp->d_name;
1489 /* Skip files we've already tried/failed to remove. */
1490 if ( ! AD_is_removable (ds, f))
1491 continue;
1493 /* Pass dp->d_type info to remove_entry so the non-glibc
1494 case can decide whether to use unlink or chdir.
1495 Systems without the d_type member will have to endure
1496 the performance hit of first calling lstat F. */
1497 cache_stat_init (subdir_sb);
1498 tmp_status = remove_entry (dirfd (*dirp), ds, f,
1499 D_TYPE (dp), subdir_sb, x);
1500 switch (tmp_status)
1502 case RM_OK:
1503 /* Count how many files we've unlinked since the initial
1504 opendir or the last rewinddir. On buggy systems, if you
1505 remove too many, readdir returns NULL even though there
1506 remain unprocessed directory entries. */
1507 ++n_unlinked_since_opendir_or_last_rewind;
1508 break;
1510 case RM_ERROR:
1511 case RM_USER_DECLINED:
1512 AD_mark_as_unremovable (ds, f);
1513 UPDATE_STATUS (status, tmp_status);
1514 break;
1516 case RM_NONEMPTY_DIR:
1518 DIR *subdir_dirp = fd_to_subdirp (dirfd (*dirp), f,
1519 errno, subdir_sb, NULL);
1520 if (subdir_dirp == NULL)
1522 status = RM_ERROR;
1524 /* CAUTION: this test and diagnostic are identical to
1525 those following the other use of fd_to_subdirp. */
1526 if (ignorable_missing (x, errno))
1528 /* With -f, don't report "file not found". */
1530 else
1532 /* Upon fd_to_subdirp failure, try to remove F directly,
1533 in case it's just an empty directory. */
1534 int saved_errno = errno;
1535 if (unlinkat (dirfd (*dirp), f, AT_REMOVEDIR) == 0)
1536 status = RM_OK;
1537 else
1538 error (0, saved_errno,
1539 _("cannot remove %s"), quote (full_filename (f)));
1542 if (status == RM_ERROR)
1543 AD_mark_as_unremovable (ds, f);
1544 break;
1547 *subdir = xstrdup (f);
1548 if (closedir (*dirp) != 0)
1550 error (0, 0, _("failed to close directory %s"),
1551 quote (full_filename (".")));
1552 status = RM_ERROR;
1554 *dirp = subdir_dirp;
1556 break;
1560 /* Record status for this directory. */
1561 UPDATE_STATUS (top->status, status);
1563 if (*subdir)
1564 break;
1567 /* Ensure that *dirp is not NULL and that its file descriptor is valid. */
1568 assert (*dirp != NULL);
1569 assert (0 <= fcntl (dirfd (*dirp), F_GETFD));
1571 return status;
1574 /* Do this after each call to AD_push or AD_push_initial.
1575 Because the status = RM_OK bit is too remove-specific to
1576 go into the general-purpose AD_* package. */
1577 #define AD_INIT_OTHER_MEMBERS() \
1578 do \
1580 AD_stack_top(ds)->status = RM_OK; \
1582 while (0)
1584 /* Remove the hierarchy rooted at DIR.
1585 Do that by changing into DIR, then removing its contents, then
1586 returning to the original working directory and removing DIR itself.
1587 Don't use recursion. Be careful when using chdir ".." that we
1588 return to the same directory from which we came, if necessary.
1589 Return an RM_status value to indicate success or failure. */
1591 static enum RM_status
1592 remove_dir (int fd_cwd, Dirstack_state *ds, char const *dir,
1593 struct stat *dir_st,
1594 struct rm_options const *x, int *cwd_errno)
1596 enum RM_status status;
1597 dev_t current_dev = dir_st->st_dev;
1599 /* There is a race condition in that an attacker could replace the nonempty
1600 directory, DIR, with a symlink between the preceding call to rmdir
1601 (unlinkat, in our caller) and fd_to_subdirp's openat call. But on most
1602 systems, even those without openat, this isn't a problem, since we ensure
1603 that opening a symlink will fail, when that is possible. Otherwise,
1604 fd_to_subdirp's fstat, along with the `fstat' and the dev/ino
1605 comparison in AD_push ensure that we detect it and fail. */
1607 DIR *dirp = fd_to_subdirp (fd_cwd, dir, 0, dir_st, cwd_errno);
1609 if (dirp == NULL)
1611 /* CAUTION: this test and diagnostic are identical to
1612 those following the other use of fd_to_subdirp. */
1613 if (ignorable_missing (x, errno))
1615 /* With -f, don't report "file not found". */
1617 else
1619 /* Upon fd_to_subdirp failure, try to remove DIR directly,
1620 in case it's just an empty directory. */
1621 int saved_errno = errno;
1622 if (unlinkat (fd_cwd, dir, AT_REMOVEDIR) == 0)
1623 return RM_OK;
1625 error (0, saved_errno,
1626 _("cannot remove %s"), quote (full_filename (dir)));
1629 return RM_ERROR;
1632 if (ROOT_DEV_INO_CHECK (x->root_dev_ino, dir_st))
1634 ROOT_DEV_INO_WARN (full_filename (dir));
1635 status = RM_ERROR;
1636 goto closedir_and_return;
1639 AD_push (dirfd (dirp), ds, dir, dir_st);
1640 AD_INIT_OTHER_MEMBERS ();
1642 status = RM_OK;
1644 while (1)
1646 char *subdir = NULL;
1647 struct stat subdir_sb;
1648 enum RM_status tmp_status;
1650 tmp_status = remove_cwd_entries (&dirp, ds, &subdir, &subdir_sb, x);
1652 if (tmp_status != RM_OK)
1654 UPDATE_STATUS (status, tmp_status);
1655 AD_mark_current_as_unremovable (ds);
1657 if (subdir)
1659 if ( ! x->one_file_system
1660 || subdir_sb.st_dev == current_dev)
1662 AD_push (dirfd (dirp), ds, subdir, &subdir_sb);
1663 AD_INIT_OTHER_MEMBERS ();
1664 free (subdir);
1665 continue;
1668 /* Here, --one-file-system is in effect, and with remove_cwd_entries'
1669 traversal into the current directory, (known as SUBDIR, from ..),
1670 DIRP's device number is different from CURRENT_DEV. Arrange not
1671 to do anything more with this hierarchy. */
1672 error (0, 0, _("skipping %s, since it's on a different device"),
1673 quote (full_filename (subdir)));
1674 free (subdir);
1675 AD_mark_current_as_unremovable (ds);
1676 tmp_status = RM_ERROR;
1677 UPDATE_STATUS (status, tmp_status);
1680 /* Execution reaches this point when we've removed the last
1681 removable entry from the current directory -- or, with
1682 --one-file-system, when the current directory is on a
1683 different file system. */
1685 int fd;
1686 /* The name of the directory that we have just processed,
1687 nominally removing all of its contents. */
1688 char *empty_dir = AD_pop_and_chdir (dirp, &fd, ds);
1689 dirp = NULL;
1690 assert (fd != AT_FDCWD || AD_stack_height (ds) == 1);
1692 /* Try to remove EMPTY_DIR only if remove_cwd_entries succeeded. */
1693 if (tmp_status == RM_OK)
1695 struct stat empty_st;
1696 Ternary is_empty;
1697 int dirent_type = DT_DIR;
1698 enum RM_status s = prompt (fd, ds, empty_dir, &dirent_type,
1699 cache_stat_init (&empty_st), x,
1700 PA_REMOVE_DIR, &is_empty);
1702 if (s != RM_OK)
1704 free (empty_dir);
1705 status = s;
1706 if (fd != AT_FDCWD)
1707 close (fd);
1708 goto closedir_and_return;
1711 if (unlinkat (fd, empty_dir, AT_REMOVEDIR) == 0)
1713 if (x->verbose)
1714 printf (_("removed directory: %s\n"),
1715 quote (full_filename (empty_dir)));
1717 else
1719 error (0, errno, _("cannot remove directory %s"),
1720 quote (full_filename (empty_dir)));
1721 AD_mark_as_unremovable (ds, empty_dir);
1722 status = RM_ERROR;
1723 UPDATE_STATUS (AD_stack_top(ds)->status, status);
1727 free (empty_dir);
1729 if (fd == AT_FDCWD)
1730 break;
1732 dirp = fdopendir (fd);
1733 if (dirp == NULL)
1735 error (0, errno, _("FATAL: cannot return to .. from %s"),
1736 quote (full_filename (".")));
1737 close (fd);
1738 longjmp (ds->current_arg_jumpbuf, 1);
1743 /* If the first/final hash table of unremovable entries was used,
1744 free it here. */
1745 AD_stack_pop (ds);
1747 closedir_and_return:;
1748 if (dirp != NULL && closedir (dirp) != 0)
1750 error (0, 0, _("failed to close directory %s"),
1751 quote (full_filename (".")));
1752 status = RM_ERROR;
1755 return status;
1758 /* Remove the file or directory specified by FILENAME.
1759 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not. */
1761 static enum RM_status
1762 rm_1 (Dirstack_state *ds, char const *filename,
1763 struct rm_options const *x, int *cwd_errno)
1765 char const *base = last_component (filename);
1766 if (dot_or_dotdot (base))
1768 error (0, 0, _(base == filename
1769 ? N_("cannot remove directory %s")
1770 : N_("cannot remove %s directory %s")),
1771 quote_n (0, base), quote_n (1, filename));
1772 return RM_ERROR;
1775 struct stat st;
1776 cache_stat_init (&st);
1777 cycle_check_init (&ds->cycle_check_state);
1778 if (x->root_dev_ino)
1780 if (cache_fstatat (AT_FDCWD, filename, &st, AT_SYMLINK_NOFOLLOW) != 0)
1782 if (ignorable_missing (x, errno))
1783 return RM_OK;
1784 error (0, errno, _("cannot remove %s"), quote (filename));
1785 return RM_ERROR;
1787 if (SAME_INODE (st, *(x->root_dev_ino)))
1789 error (0, 0, _("cannot remove root directory %s"), quote (filename));
1790 return RM_ERROR;
1794 AD_push_initial (ds);
1795 AD_INIT_OTHER_MEMBERS ();
1797 enum RM_status status = remove_entry (AT_FDCWD, ds, filename,
1798 DT_UNKNOWN, &st, x);
1799 if (status == RM_NONEMPTY_DIR)
1801 /* In the event that remove_dir->remove_cwd_entries detects
1802 a directory cycle, arrange to fail, give up on this FILE, but
1803 continue on with any other arguments. */
1804 if (setjmp (ds->current_arg_jumpbuf))
1805 status = RM_ERROR;
1806 else
1807 status = remove_dir (AT_FDCWD, ds, filename, &st, x, cwd_errno);
1809 AD_stack_clear (ds);
1812 ds_clear (ds);
1813 return status;
1816 /* Remove all files and/or directories specified by N_FILES and FILE.
1817 Apply the options in X. */
1818 extern enum RM_status
1819 rm (size_t n_files, char const *const *file, struct rm_options const *x)
1821 enum RM_status status = RM_OK;
1822 Dirstack_state ds;
1823 int cwd_errno = 0;
1824 size_t i;
1826 /* Arrange for obstack allocation failure to longjmp. */
1827 if (setjmp (ds.current_arg_jumpbuf))
1829 status = RM_ERROR;
1830 goto cleanup;
1833 ds_init (&ds);
1835 for (i = 0; i < n_files; i++)
1837 if (cwd_errno && IS_RELATIVE_FILE_NAME (file[i]))
1839 error (0, 0, _("cannot remove relative-named %s"), quote (file[i]));
1840 status = RM_ERROR;
1842 else
1844 enum RM_status s = rm_1 (&ds, file[i], x, &cwd_errno);
1845 assert (VALID_STATUS (s));
1846 UPDATE_STATUS (status, s);
1850 if (x->require_restore_cwd && cwd_errno)
1852 error (0, cwd_errno,
1853 _("cannot restore current working directory"));
1854 status = RM_ERROR;
1857 cleanup:;
1858 ds_free (&ds);
1860 return status;