| blob | 6b7d9016750ec62e306a195b8f6fd592383b3712 |
1 /* shred.c - overwrite files and devices to make it harder to recover data
3 Copyright (C) 1999-2008 Free Software Foundation, Inc.
4 Copyright (C) 1997, 1998, 1999 Colin Plumb.
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 Written by Colin Plumb. */
21 /* TODO:
22 - use consistent non-capitalization in error messages
23 - add standard GNU copyleft comment
25 - Add -r/-R/--recursive
26 - Add -i/--interactive
27 - Reserve -d
28 - Add -L
29 - Add an unlink-all option to emulate rm.
30 */
32 /*
33 * Do a more secure overwrite of given files or devices, to make it harder
34 * for even very expensive hardware probing to recover the data.
35 *
36 * Although this process is also known as "wiping", I prefer the longer
37 * name both because I think it is more evocative of what is happening and
38 * because a longer name conveys a more appropriate sense of deliberateness.
39 *
40 * For the theory behind this, see "Secure Deletion of Data from Magnetic
41 * and Solid-State Memory", on line at
42 * http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
43 *
44 * Just for the record, reversing one or two passes of disk overwrite
45 * is not terribly difficult with hardware help. Hook up a good-quality
46 * digitizing oscilloscope to the output of the head preamplifier and copy
47 * the high-res digitized data to a computer for some off-line analysis.
48 * Read the "current" data and average all the pulses together to get an
49 * "average" pulse on the disk. Subtract this average pulse from all of
50 * the actual pulses and you can clearly see the "echo" of the previous
51 * data on the disk.
52 *
53 * Real hard drives have to balance the cost of the media, the head,
54 * and the read circuitry. They use better-quality media than absolutely
55 * necessary to limit the cost of the read circuitry. By throwing that
56 * assumption out, and the assumption that you want the data processed
57 * as fast as the hard drive can spin, you can do better.
58 *
59 * If asked to wipe a file, this also unlinks it, renaming it to in a
60 * clever way to try to leave no trace of the original filename.
61 *
62 * This was inspired by a desire to improve on some code titled:
63 * Wipe V1.0-- Overwrite and delete files. S. 2/3/96
64 * but I've rewritten everything here so completely that no trace of
65 * the original remains.
66 *
67 * Thanks to:
68 * Bob Jenkins, for his good RNG work and patience with the FSF copyright
69 * paperwork.
70 * Jim Meyering, for his work merging this into the GNU fileutils while
71 * still letting me feel a sense of ownership and pride. Getting me to
72 * tolerate the GNU brace style was quite a feat of diplomacy.
73 * Paul Eggert, for lots of useful discussion and code. I disagree with
74 * an awful lot of his suggestions, but they're disagreements worth having.
75 *
76 * Things to think about:
77 * - Security: Is there any risk to the race
78 * between overwriting and unlinking a file? Will it do anything
79 * drastically bad if told to attack a named pipe or socket?
80 */
82 /* The official name of this program (e.g., no `g' prefix). */
87 #include <config.h>
89 #include <getopt.h>
90 #include <stdio.h>
91 #include <assert.h>
92 #include <setjmp.h>
93 #include <sys/types.h>
104 /* Default number of times to overwrite. */
107 /* How many seconds to wait before checking whether to output another
108 verbose output line. */
111 /* Sector size and corresponding mask, for recovering after write failures.
112 The size must be a power of 2. */
117 struct Options
118 {
126 };
128 /* For long options that have no equivalent short option, use a
129 non-character as a pseudo short option, starting with CHAR_MAX + 1. */
130 enum
131 {
133 };
136 {
148 };
150 void
152 {
155 program_name);
156 else
157 {
233 }
235 }
238 /*
239 * Fill a buffer with a fixed pattern.
240 *
241 * The buffer must be at least 3 bytes long, even if
242 * size is less. Larger sizes are filled exactly.
243 */
244 static void
246 {
259 /* Invert the first bit of every sector. */
263 }
265 /*
266 * Generate a 6-character (+ nul) pass name string
267 * FIXME: allow translation of "random".
268 */
269 #define PASS_NAME_SIZE 7
270 static void
272 {
275 else
277 }
279 /* Return true when it's ok to ignore an fsync or fdatasync
280 failure that set errno to ERRNO_VAL. */
281 static bool
283 {
286 /* HP-UX does this */
288 }
290 /* Request that all data for FD be transferred to the corresponding
291 storage device. QNAME is the file name (quoted for colons).
292 Report any errors found. Return 0 on success, -1
293 (setting errno) on failure. It is not an error if fdatasync and/or
294 fsync is not supported for this file, or if the file is not a
295 writable file descriptor. */
296 static int
298 {
301 #if HAVE_FDATASYNC
306 {
310 }
311 #endif
317 {
321 }
325 }
327 /* Turn on or off direct I/O mode for file descriptor FD, if possible.
328 Try to turn it on if ENABLE is true. Otherwise, try to turn it off. */
329 static void
331 {
333 {
336 {
342 }
343 }
345 #if HAVE_DIRECTIO && defined DIRECTIO_ON && defined DIRECTIO_OFF
346 /* This is Solaris-specific. See the following for details:
347 http://docs.sun.com/db/doc/816-0213/6m6ne37so?q=directio&a=view */
349 #endif
350 }
352 /*
353 * Do pass number k of n, writing "size" bytes of the given pattern "type"
354 * to the file descriptor fd. Qname, k and n are passed in only for verbose
355 * progress message purposes. If n == 0, no progress messages are printed.
356 *
357 * If *sizep == -1, the size is unknown, and it will be filled in as soon
358 * as writing fails.
359 *
360 * Return 1 on write error, -1 on other error, 0 on success.
361 */
362 static int
365 {
374 /* Fill pattern buffer. Aligning it to a 32-bit boundary speeds up randread
375 in some cases. */
377 union
378 {
379 fill_pattern_buffer buffer;
389 /* Printable previous offset into the file */
394 {
397 }
399 /* Constant fill patterns need only be set up once. */
401 {
405 }
406 else
407 {
409 }
411 /* Set position if first status update */
413 {
417 }
421 {
422 /* How much to write this time? */
425 {
431 }
434 /* Loop to retry partial writes. */
436 {
439 {
441 {
442 /* Ah, we have found the end of the file */
445 }
446 else
447 {
451 /* If the first write of the first pass for a given file
452 has just failed with EINVAL, turn off direct mode I/O
453 and try again. This works around a bug in linux-2.4
454 whereby opening with O_DIRECT would succeed for some
455 file system types (e.g., ext3), but any attempt to
456 access a file through the resulting descriptor would
457 fail with EINVAL. */
459 {
463 }
467 /* 'shred' is often used on bad media, before throwing it
468 out. Thus, it shouldn't give up on bad blocks. This
469 code works because lim is always a multiple of
470 SECTOR_SIZE, except at the end. */
473 {
476 {
477 /* Arrange to skip this block. */
481 }
483 }
485 }
486 }
487 }
489 /* Okay, we have written "soff" bytes. */
492 {
495 }
499 /* Time to print progress? */
503 {
514 {
518 else
519 {
534 percent);
535 }
541 /*
542 * Force periodic syncs to keep displayed progress accurate
543 * FIXME: Should these be present even if -v is not enabled,
544 * to keep the buffer cache from filling with dirty pages?
545 * It's a common problem with programs that do lots of writes,
546 * like mkfs.
547 */
549 {
553 }
554 }
555 }
556 }
558 /* Force what we just wrote to hit the media. */
560 {
564 }
567 }
569 /*
570 * The passes start and end with a random pass, and the passes in between
571 * are done in random order. The idea is to deprive someone trying to
572 * reverse the process of knowledge of the overwrite patterns, so they
573 * have the additional step of figuring out what was done to the disk
574 * before they can try to reverse or cancel it.
575 *
576 * First, all possible 1-bit patterns. There are two of them.
577 * Then, all possible 2-bit patterns. There are four, but the two
578 * which are also 1-bit patterns can be omitted.
579 * Then, all possible 3-bit patterns. Likewise, 8-2 = 6.
580 * Then, all possible 4-bit patterns. 16-4 = 12.
581 *
582 * The basic passes are:
583 * 1-bit: 0x000, 0xFFF
584 * 2-bit: 0x555, 0xAAA
585 * 3-bit: 0x249, 0x492, 0x924, 0x6DB, 0xB6D, 0xDB6 (+ 1-bit)
586 * 100100100100 110110110110
587 * 9 2 4 D B 6
588 * 4-bit: 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
589 * 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE (+ 1-bit, 2-bit)
590 * Adding three random passes at the beginning, middle and end
591 * produces the default 25-pass structure.
592 *
593 * The next extension would be to 5-bit and 6-bit patterns.
594 * There are 30 uncovered 5-bit patterns and 64-8-2 = 46 uncovered
595 * 6-bit patterns, so they would increase the time required
596 * significantly. 4-bit patterns are enough for most purposes.
597 *
598 * The main gotcha is that this would require a trickier encoding,
599 * since lcm(2,3,4) = 12 bits is easy to fit into an int, but
600 * lcm(2,3,4,5) = 60 bits is not.
601 *
602 * One extension that is included is to complement the first bit in each
603 * 512-byte block, to alter the phase of the encoded data in the more
604 * complex encodings. This doesn't apply to MFM, so the 1-bit patterns
605 * are considered part of the 3-bit ones and the 2-bit patterns are
606 * considered part of the 4-bit patterns.
607 *
608 *
609 * How does the generalization to variable numbers of passes work?
610 *
611 * Here's how...
612 * Have an ordered list of groups of passes. Each group is a set.
613 * Take as many groups as will fit, plus a random subset of the
614 * last partial group, and place them into the passes list.
615 * Then shuffle the passes list into random order and use that.
616 *
617 * One extra detail: if we can't include a large enough fraction of the
618 * last group to be interesting, then just substitute random passes.
619 *
620 * If you want more passes than the entire list of groups can
621 * provide, just start repeating from the beginning of the list.
622 */
623 static int const
624 patterns[] =
625 {
634 /* The following patterns have the frst bit per block flipped */
640 };
642 /*
643 * Generate a random wiping pass pattern with num passes.
644 * This is a two-stage process. First, the passes to include
645 * are chosen, and then they are shuffled into the desired
646 * order.
647 */
648 static void
650 {
661 /* Stage 1: choose the passes to use */
668 {
673 }
678 {
682 }
685 }
692 }
697 }
698 else
700 do
701 {
703 {
705 n--;
706 }
707 p++;
708 }
711 }
712 }
714 /* assert (d == dest+top); */
716 /*
717 * We now have fixed patterns in the dest buffer up to
718 * "top", and we need to scramble them, with "randpasses"
719 * random passes evenly spaced among them.
720 *
721 * We want one at the beginning, one at the end, and
722 * evenly spaced in between. To do this, we basically
723 * use Bresenham's line draw (a.k.a DDA) algorithm
724 * to draw a line with slope (randpasses-1)/(num-1).
725 * (We use a positive accumulator and count down to
726 * do this.)
727 *
728 * So for each desired output value, we do the following:
729 * - If it should be a random pass, copy the pass type
730 * to top++, out of the way of the other passes, and
731 * set the current pass to -1 (random).
732 * - If it should be a normal pattern pass, choose an
733 * entry at random between here and top-1 (inclusive)
734 * and swap the current entry with that one.
735 */
739 {
741 {
745 }
746 else
747 {
752 }
754 }
755 /* assert (top == num); */
756 }
758 /*
759 * The core routine to actually do the work. This overwrites the first
760 * size bytes of the given fd. Return true if successful.
761 */
762 static bool
765 {
779 {
782 }
784 /* If we know that we can't possibly shred the file, give up now.
785 Otherwise, we may go into a infinite loop writing data before we
786 find that we can't rewind the device. */
790 {
793 }
797 /* Allocate pass array */
802 {
803 /* Accept a length of zero only if it's a regular file.
804 For any other type of file, try to get the size another way. */
806 {
809 {
812 }
813 }
814 else
815 {
818 {
819 /* We are unable to determine the length, up front.
820 Let dopass do that as part of its first iteration. */
822 }
823 }
825 /* Allow `rounding up' only for regular files. */
827 {
830 /* If in rounding up, we've just overflowed, use the maximum. */
833 }
834 }
836 /* Schedule the passes in random order. */
841 /* Do the work */
843 {
846 {
848 {
852 }
854 }
855 }
861 {
864 {
868 }
869 }
871 /* Okay, now deallocate the data. The effect of ftruncate on
872 non-regular files is unspecified, so don't worry about any
873 errors reported for them. */
876 {
879 }
882 }
884 /* A wrapper with a little more checking for fds on the command line */
885 static bool
888 {
892 {
895 }
897 {
900 }
902 }
904 /* --- Name-wiping code --- */
906 /* Characters allowed in a file name - a safe universal set. */
910 /* Increment NAME (with LEN bytes). NAME must be a big-endian base N
911 number with the digits taken from nameset. Return true if
912 successful if not (because NAME already has the greatest possible
913 value. */
915 static bool
917 {
919 {
922 /* If this character has a successor, use it. */
924 {
927 }
929 /* Otherwise, set this digit to 0 and increment the prefix. */
931 }
934 }
936 /*
937 * Repeatedly rename a file with shorter and shorter names,
938 * to obliterate all traces of the file name on any system that
939 * adds a trailing delimiter to on-disk file names and reuses
940 * the same directory slot. Finally, unlink it.
941 * The passed-in filename is modified in place to the new filename.
942 * (Which is unlinked if this function succeeds, but is still present if
943 * it fails for some reason.)
944 *
945 * The main loop is written carefully to not get stuck if all possible
946 * names of a given length are occupied. It counts down the length from
947 * the original to 0. While the length is non-zero, it tries to find an
948 * unused file name of the given length. It continues until either the
949 * name is available and the rename succeeds, or it runs out of names
950 * to try (incname wraps and returns 1). Finally, it unlinks the file.
951 *
952 * The unlink is Unix-specific, as ANSI-standard remove has more
953 * portability problems with C libraries making it "safe". rename
954 * is ANSI-standard.
955 *
956 * To force the directory data out, we try to open the directory and
957 * invoke fdatasync and/or fsync on it. This is non-standard, so don't
958 * insist that it works: just fall back to a global sync in that case.
959 * This is fairly significantly Unix-specific. Of course, on any
960 * file system with synchronous metadata updates, this is unnecessary.
961 */
962 static bool
964 {
979 {
982 do
983 {
986 {
988 {
992 {
993 /*
994 * People seem to understand this better than talking
995 * about renaming oldname. newname doesn't need
996 * quoting because we picked it. oldname needs to
997 * be quoted only the first time.
998 */
1002 }
1005 }
1006 else
1007 {
1008 /* The rename failed: give up on this length. */
1010 }
1011 }
1012 else
1013 {
1014 /* newname exists, so increment BASE so we use another */
1015 }
1016 }
1018 len--;
1019 }
1021 {
1024 }
1028 {
1032 {
1035 }
1036 }
1041 }
1043 /*
1044 * Finally, the function that actually takes a filename and grinds
1045 * it into hamburger.
1046 *
1047 * FIXME
1048 * Detail to note: since we do not restore errno to EACCES after
1049 * a failed chmod, we end up printing the error code from the chmod.
1050 * This is actually the error that stopped us from proceeding, so
1051 * it's arguably the right one, and in practice it'll be either EACCES
1052 * again or EPERM, which both give similar error messages.
1053 * Does anyone disagree?
1054 */
1055 static bool
1058 {
1068 {
1071 }
1075 {
1078 }
1082 }
1085 /* Buffers for random data. */
1088 /* Just on general principles, wipe buffers containing information
1089 that may be related to the possibly-pseudorandom values used during
1090 shredding. */
1091 static void
1093 {
1095 }
1098 int
1100 {
1121 {
1123 {
1129 {
1133 {
1136 }
1138 }
1152 {
1156 {
1159 }
1161 }
1176 case_GETOPT_HELP_CHAR;
1182 }
1183 }
1189 {
1192 }
1200 {
1203 {
1205 }
1206 else
1207 {
1208 /* Plain filename - Note that this overwrites *argv! */
1210 }
1212 }
1215 }
1216 /*
1217 * vim:sw=2:sts=2:
1218 */