| blob | d3b1c4a9ce7c3864edb71470fc2122c981442835 |
1 /* shred.c - overwrite files and devices to make it harder to recover data
3 Copyright (C) 1999-2006 Free Software Foundation, Inc.
4 Copyright (C) 1997, 1998, 1999 Colin Plumb.
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
9 any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software Foundation,
18 Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 Written by Colin Plumb. */
22 /* TODO:
23 - use consistent non-capitalization in error messages
24 - add standard GNU copyleft comment
26 - Add -r/-R/--recursive
27 - Add -i/--interactive
28 - Reserve -d
29 - Add -L
30 - Add an unlink-all option to emulate rm.
31 */
33 /*
34 * Do a more secure overwrite of given files or devices, to make it harder
35 * for even very expensive hardware probing to recover the data.
36 *
37 * Although this process is also known as "wiping", I prefer the longer
38 * name both because I think it is more evocative of what is happening and
39 * because a longer name conveys a more appropriate sense of deliberateness.
40 *
41 * For the theory behind this, see "Secure Deletion of Data from Magnetic
42 * and Solid-State Memory", on line at
43 * http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
44 *
45 * Just for the record, reversing one or two passes of disk overwrite
46 * is not terribly difficult with hardware help. Hook up a good-quality
47 * digitizing oscilloscope to the output of the head preamplifier and copy
48 * the high-res digitized data to a computer for some off-line analysis.
49 * Read the "current" data and average all the pulses together to get an
50 * "average" pulse on the disk. Subtract this average pulse from all of
51 * the actual pulses and you can clearly see the "echo" of the previous
52 * data on the disk.
53 *
54 * Real hard drives have to balance the cost of the media, the head,
55 * and the read circuitry. They use better-quality media than absolutely
56 * necessary to limit the cost of the read circuitry. By throwing that
57 * assumption out, and the assumption that you want the data processed
58 * as fast as the hard drive can spin, you can do better.
59 *
60 * If asked to wipe a file, this also unlinks it, renaming it to in a
61 * clever way to try to leave no trace of the original filename.
62 *
63 * This was inspired by a desire to improve on some code titled:
64 * Wipe V1.0-- Overwrite and delete files. S. 2/3/96
65 * but I've rewritten everything here so completely that no trace of
66 * the original remains.
67 *
68 * Thanks to:
69 * Bob Jenkins, for his good RNG work and patience with the FSF copyright
70 * paperwork.
71 * Jim Meyering, for his work merging this into the GNU fileutils while
72 * still letting me feel a sense of ownership and pride. Getting me to
73 * tolerate the GNU brace style was quite a feat of diplomacy.
74 * Paul Eggert, for lots of useful discussion and code. I disagree with
75 * an awful lot of his suggestions, but they're disagreements worth having.
76 *
77 * Things to think about:
78 * - Security: Is there any risk to the race
79 * between overwriting and unlinking a file? Will it do anything
80 * drastically bad if told to attack a named pipe or socket?
81 */
83 /* The official name of this program (e.g., no `g' prefix). */
88 #include <config.h>
90 #include <getopt.h>
91 #include <stdio.h>
92 #include <assert.h>
93 #include <setjmp.h>
94 #include <sys/types.h>
108 /* Default number of times to overwrite. */
111 /* How many seconds to wait before checking whether to output another
112 verbose output line. */
115 /* Sector size and corresponding mask, for recovering after write failures.
116 The size must be a power of 2. */
121 struct Options
122 {
130 };
132 /* For long options that have no equivalent short option, use a
133 non-character as a pseudo short option, starting with CHAR_MAX + 1. */
134 enum
135 {
137 };
140 {
152 };
154 /* Global variable for error printing purposes */
157 void
159 {
162 program_name);
163 else
164 {
236 }
238 }
241 /*
242 * Fill a buffer with a fixed pattern.
243 *
244 * The buffer must be at least 3 bytes long, even if
245 * size is less. Larger sizes are filled exactly.
246 */
247 static void
249 {
262 /* Invert the first bit of every sector. */
266 }
268 /*
269 * Generate a 6-character (+ nul) pass name string
270 * FIXME: allow translation of "random".
271 */
272 #define PASS_NAME_SIZE 7
273 static void
275 {
278 else
280 }
282 /* Request that all data for FD be transferred to the corresponding
283 storage device. QNAME is the file name (quoted for colons).
284 Report any errors found. Return 0 on success, -1
285 (setting errno) on failure. It is not an error if fdatasync and/or
286 fsync is not supported for this file, or if the file is not a
287 writable file descriptor. */
288 static int
290 {
293 #if HAVE_FDATASYNC
298 {
302 }
303 #endif
309 {
313 }
317 }
319 /* Turn on or off direct I/O mode for file descriptor FD, if possible.
320 Try to turn it on if ENABLE is true. Otherwise, try to turn it off. */
321 static void
323 {
325 {
328 {
334 }
335 }
337 #if HAVE_DIRECTIO && defined DIRECTIO_ON && defined DIRECTIO_OFF
338 /* This is Solaris-specific. See the following for details:
339 http://docs.sun.com/db/doc/816-0213/6m6ne37so?q=directio&a=view */
341 #endif
342 }
344 /*
345 * Do pass number k of n, writing "size" bytes of the given pattern "type"
346 * to the file descriptor fd. Qname, k and n are passed in only for verbose
347 * progress message purposes. If n == 0, no progress messages are printed.
348 *
349 * If *sizep == -1, the size is unknown, and it will be filled in as soon
350 * as writing fails.
351 *
352 * Return 1 on write error, -1 on other error, 0 on success.
353 */
354 static int
357 {
366 /* Fill pattern buffer. Aligning it to a 32-bit boundary speeds up randread
367 in some cases. */
369 union
370 {
371 fill_pattern_buffer buffer;
381 /* Printable previous offset into the file */
386 {
389 }
391 /* Constant fill patterns need only be set up once. */
393 {
397 }
398 else
399 {
401 }
403 /* Set position if first status update */
405 {
409 }
413 {
414 /* How much to write this time? */
417 {
423 }
426 /* Loop to retry partial writes. */
428 {
431 {
433 {
434 /* Ah, we have found the end of the file */
437 }
438 else
439 {
443 /* If the first write of the first pass for a given file
444 has just failed with EINVAL, turn off direct mode I/O
445 and try again. This works around a bug in linux-2.4
446 whereby opening with O_DIRECT would succeed for some
447 file system types (e.g., ext3), but any attempt to
448 access a file through the resulting descriptor would
449 fail with EINVAL. */
451 {
455 }
459 /* 'shred' is often used on bad media, before throwing it
460 out. Thus, it shouldn't give up on bad blocks. This
461 code works because lim is always a multiple of
462 SECTOR_SIZE, except at the end. */
465 {
468 {
469 /* Arrange to skip this block. */
473 }
475 }
477 }
478 }
479 }
481 /* Okay, we have written "soff" bytes. */
484 {
487 }
491 /* Time to print progress? */
495 {
506 {
510 else
511 {
526 percent);
527 }
533 /*
534 * Force periodic syncs to keep displayed progress accurate
535 * FIXME: Should these be present even if -v is not enabled,
536 * to keep the buffer cache from filling with dirty pages?
537 * It's a common problem with programs that do lots of writes,
538 * like mkfs.
539 */
541 {
545 }
546 }
547 }
548 }
550 /* Force what we just wrote to hit the media. */
552 {
556 }
559 }
561 /*
562 * The passes start and end with a random pass, and the passes in between
563 * are done in random order. The idea is to deprive someone trying to
564 * reverse the process of knowledge of the overwrite patterns, so they
565 * have the additional step of figuring out what was done to the disk
566 * before they can try to reverse or cancel it.
567 *
568 * First, all possible 1-bit patterns. There are two of them.
569 * Then, all possible 2-bit patterns. There are four, but the two
570 * which are also 1-bit patterns can be omitted.
571 * Then, all possible 3-bit patterns. Likewise, 8-2 = 6.
572 * Then, all possible 4-bit patterns. 16-4 = 12.
573 *
574 * The basic passes are:
575 * 1-bit: 0x000, 0xFFF
576 * 2-bit: 0x555, 0xAAA
577 * 3-bit: 0x249, 0x492, 0x924, 0x6DB, 0xB6D, 0xDB6 (+ 1-bit)
578 * 100100100100 110110110110
579 * 9 2 4 D B 6
580 * 4-bit: 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
581 * 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE (+ 1-bit, 2-bit)
582 * Adding three random passes at the beginning, middle and end
583 * produces the default 25-pass structure.
584 *
585 * The next extension would be to 5-bit and 6-bit patterns.
586 * There are 30 uncovered 5-bit patterns and 64-8-2 = 46 uncovered
587 * 6-bit patterns, so they would increase the time required
588 * significantly. 4-bit patterns are enough for most purposes.
589 *
590 * The main gotcha is that this would require a trickier encoding,
591 * since lcm(2,3,4) = 12 bits is easy to fit into an int, but
592 * lcm(2,3,4,5) = 60 bits is not.
593 *
594 * One extension that is included is to complement the first bit in each
595 * 512-byte block, to alter the phase of the encoded data in the more
596 * complex encodings. This doesn't apply to MFM, so the 1-bit patterns
597 * are considered part of the 3-bit ones and the 2-bit patterns are
598 * considered part of the 4-bit patterns.
599 *
600 *
601 * How does the generalization to variable numbers of passes work?
602 *
603 * Here's how...
604 * Have an ordered list of groups of passes. Each group is a set.
605 * Take as many groups as will fit, plus a random subset of the
606 * last partial group, and place them into the passes list.
607 * Then shuffle the passes list into random order and use that.
608 *
609 * One extra detail: if we can't include a large enough fraction of the
610 * last group to be interesting, then just substitute random passes.
611 *
612 * If you want more passes than the entire list of groups can
613 * provide, just start repeating from the beginning of the list.
614 */
615 static int const
616 patterns[] =
617 {
626 /* The following patterns have the frst bit per block flipped */
632 };
634 /*
635 * Generate a random wiping pass pattern with num passes.
636 * This is a two-stage process. First, the passes to include
637 * are chosen, and then they are shuffled into the desired
638 * order.
639 */
640 static void
642 {
653 /* Stage 1: choose the passes to use */
660 {
665 }
670 {
674 }
677 }
684 }
689 }
690 else
692 do
693 {
695 {
697 n--;
698 }
699 p++;
700 }
703 }
704 }
706 /* assert (d == dest+top); */
708 /*
709 * We now have fixed patterns in the dest buffer up to
710 * "top", and we need to scramble them, with "randpasses"
711 * random passes evenly spaced among them.
712 *
713 * We want one at the beginning, one at the end, and
714 * evenly spaced in between. To do this, we basically
715 * use Bresenham's line draw (a.k.a DDA) algorithm
716 * to draw a line with slope (randpasses-1)/(num-1).
717 * (We use a positive accumulator and count down to
718 * do this.)
719 *
720 * So for each desired output value, we do the following:
721 * - If it should be a random pass, copy the pass type
722 * to top++, out of the way of the other passes, and
723 * set the current pass to -1 (random).
724 * - If it should be a normal pattern pass, choose an
725 * entry at random between here and top-1 (inclusive)
726 * and swap the current entry with that one.
727 */
731 {
733 {
737 }
738 else
739 {
744 }
746 }
747 /* assert (top == num); */
748 }
750 /*
751 * The core routine to actually do the work. This overwrites the first
752 * size bytes of the given fd. Return true if successful.
753 */
754 static bool
757 {
771 {
774 }
776 /* If we know that we can't possibly shred the file, give up now.
777 Otherwise, we may go into a infinite loop writing data before we
778 find that we can't rewind the device. */
782 {
785 }
789 /* Allocate pass array */
794 {
795 /* Accept a length of zero only if it's a regular file.
796 For any other type of file, try to get the size another way. */
798 {
801 {
804 }
805 }
806 else
807 {
810 {
811 /* We are unable to determine the length, up front.
812 Let dopass do that as part of its first iteration. */
814 }
815 }
817 /* Allow `rounding up' only for regular files. */
819 {
822 /* If in rounding up, we've just overflowed, use the maximum. */
825 }
826 }
828 /* Schedule the passes in random order. */
833 /* Do the work */
835 {
838 {
840 {
844 }
846 }
847 }
853 {
856 {
860 }
861 }
863 /* Okay, now deallocate the data. The effect of ftruncate on
864 non-regular files is unspecified, so don't worry about any
865 errors reported for them. */
868 {
871 }
874 }
876 /* A wrapper with a little more checking for fds on the command line */
877 static bool
880 {
884 {
887 }
889 {
892 }
894 }
896 /* --- Name-wiping code --- */
898 /* Characters allowed in a file name - a safe universal set. */
902 /* Increment NAME (with LEN bytes). NAME must be a big-endian base N
903 number with the digits taken from nameset. Return true if
904 successful if not (because NAME already has the greatest possible
905 value. */
907 static bool
909 {
911 {
914 /* If this character has a successor, use it. */
916 {
919 }
921 /* Otherwise, set this digit to 0 and increment the prefix. */
923 }
926 }
928 /*
929 * Repeatedly rename a file with shorter and shorter names,
930 * to obliterate all traces of the file name on any system that
931 * adds a trailing delimiter to on-disk file names and reuses
932 * the same directory slot. Finally, unlink it.
933 * The passed-in filename is modified in place to the new filename.
934 * (Which is unlinked if this function succeeds, but is still present if
935 * it fails for some reason.)
936 *
937 * The main loop is written carefully to not get stuck if all possible
938 * names of a given length are occupied. It counts down the length from
939 * the original to 0. While the length is non-zero, it tries to find an
940 * unused file name of the given length. It continues until either the
941 * name is available and the rename succeeds, or it runs out of names
942 * to try (incname wraps and returns 1). Finally, it unlinks the file.
943 *
944 * The unlink is Unix-specific, as ANSI-standard remove has more
945 * portability problems with C libraries making it "safe". rename
946 * is ANSI-standard.
947 *
948 * To force the directory data out, we try to open the directory and
949 * invoke fdatasync and/or fsync on it. This is non-standard, so don't
950 * insist that it works: just fall back to a global sync in that case.
951 * This is fairly significantly Unix-specific. Of course, on any
952 * file system with synchronous metadata updates, this is unnecessary.
953 */
954 static bool
956 {
971 {
974 do
975 {
978 {
980 {
984 {
985 /*
986 * People seem to understand this better than talking
987 * about renaming oldname. newname doesn't need
988 * quoting because we picked it. oldname needs to
989 * be quoted only the first time.
990 */
994 }
997 }
998 else
999 {
1000 /* The rename failed: give up on this length. */
1002 }
1003 }
1004 else
1005 {
1006 /* newname exists, so increment BASE so we use another */
1007 }
1008 }
1010 len--;
1011 }
1013 {
1016 }
1020 {
1024 {
1027 }
1028 }
1033 }
1035 /*
1036 * Finally, the function that actually takes a filename and grinds
1037 * it into hamburger.
1038 *
1039 * FIXME
1040 * Detail to note: since we do not restore errno to EACCES after
1041 * a failed chmod, we end up printing the error code from the chmod.
1042 * This is actually the error that stopped us from proceeding, so
1043 * it's arguably the right one, and in practice it'll be either EACCES
1044 * again or EPERM, which both give similar error messages.
1045 * Does anyone disagree?
1046 */
1047 static bool
1050 {
1060 {
1063 }
1067 {
1070 }
1074 }
1077 /* Buffers for random data. */
1080 /* Just on general principles, wipe buffers containing information
1081 that may be related to the possibly-pseudorandom values used during
1082 shredding. */
1083 static void
1085 {
1087 }
1090 int
1092 {
1115 {
1117 {
1123 {
1127 {
1130 }
1132 }
1146 {
1150 {
1153 }
1155 }
1170 case_GETOPT_HELP_CHAR;
1176 }
1177 }
1183 {
1186 }
1194 {
1197 {
1199 }
1200 else
1201 {
1202 /* Plain filename - Note that this overwrites *argv! */
1204 }
1206 }
1209 }
1210 /*
1211 * vim:sw=2:sts=2:
1212 */