| blob | 1c6166d5ec47511b271e3cc88370efa84e04265c |
1 /* remove.c -- core functions for removing files and directories
2 Copyright (C) 88, 90, 91, 1994-2007 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
17 /* Extracted from rm.c and librarified, then rewritten by Jim Meyering. */
19 #include <config.h>
20 #include <stdio.h>
21 #include <sys/types.h>
22 #include <setjmp.h>
23 #include <assert.h>
44 /* Avoid shadowing warnings because these are functions declared
45 in dirname.h as well as locals used below. */
46 #define dir_name rm_dir_name
47 #define dir_len rm_dir_len
49 #define obstack_chunk_alloc malloc
50 #define obstack_chunk_free free
52 /* This is the maximum number of consecutive readdir/unlink calls that
53 can be made (with no intervening rewinddir or closedir/opendir) before
54 triggering a bug that makes readdir return NULL even though some
55 directory entries have not been processed. The bug afflicts SunOS's
56 readdir when applied to ufs file systems and Darwin 6.5's (and OSX
57 v.10.3.8's) HFS+. This maximum is conservative in that demonstrating
58 the problem requires a directory containing at least 16 deletable
59 entries (which doesn't count . and ..).
60 This problem also affects Darwin 7.9.0 (aka MacOS X 10.3.9) on HFS+
61 and NFS-mounted file systems, but not vfat ones. */
62 enum
63 {
65 };
67 /* FIXME: in 2009, or whenever Darwin 7.9.0 (aka MacOS X 10.3.9) is no
68 longer relevant, remove this work-around code. Then, there will be
69 no need to perform the extra rewinddir call, ever. */
70 #define NEED_REWIND(readdir_unlink_count) \
71 (CONSECUTIVE_READDIR_UNLINK_THRESHOLD <= (readdir_unlink_count))
73 enum Ternary
74 {
76 T_NO,
77 T_YES
78 };
81 /* The prompt function may be called twice for a given directory.
82 The first time, we ask whether to descend into it, and the
83 second time, we ask whether to remove it. */
84 enum Prompt_action
85 {
87 PA_REMOVE_DIR
88 };
90 /* Initial capacity of per-directory hash table of entries that have
91 been processed but not been deleted. */
94 /* An entry in the active directory stack.
95 Each entry corresponds to an `active' directory. */
96 struct AD_ent
97 {
98 /* For a given active directory, this is the set of names of
99 entries in that directory that could/should not be removed.
100 For example, `.' and `..', as well as files/dirs for which
101 unlink/rmdir failed e.g., due to access restrictions. */
104 /* Record the status for a given active directory; we need to know
105 whether an entry was not removed, either because of an error or
106 because the user declined. */
109 /* The directory's dev/ino. Used to ensure that a malicious user does
110 not replace a directory we're about to process with a symlink to
111 some other directory. */
113 };
115 /* D_TYPE(D) is the type of directory entry D if known, DT_UNKNOWN
116 otherwise. */
117 #if HAVE_STRUCT_DIRENT_D_TYPE
118 # define D_TYPE(d) ((d)->d_type)
119 #else
120 # define D_TYPE(d) DT_UNKNOWN
122 /* Any int values will do here, so long as they're distinct.
123 Undef any existing macros out of the way. */
124 # undef DT_UNKNOWN
125 # undef DT_DIR
126 # undef DT_LNK
127 # define DT_UNKNOWN 0
128 # define DT_DIR 1
129 # define DT_LNK 2
130 #endif
134 struct dirstack_state
135 {
136 /* The name of the directory (starting with and relative to a command
137 line argument) being processed. When a subdirectory is entered, a new
138 component is appended (pushed). Remove (pop) the top component
139 upon chdir'ing out of a directory. This is used to form the full
140 name of the current directory or a file therein, when necessary. */
143 /* Stack of lengths of directory names (including trailing slash)
144 appended to dir_stack. We have to have a separate stack of lengths
145 (rather than just popping back to previous slash) because the first
146 element pushed onto the dir stack may contain slashes. */
149 /* Stack of active directory entries.
150 The first `active' directory is the initial working directory.
151 Additional active dirs are pushed onto the stack as we `chdir'
152 into each directory to be processed. When finished with the
153 hierarchy under a directory, pop the active dir stack. */
156 /* Used to detect cycles. */
159 /* Target of a longjmp in case rm has to stop processing the current
160 command-line argument. This happens 1) when rm detects a directory
161 cycle or 2) when it has processed one or more directories, but then
162 is unable to return to the initial working directory to process
163 additional `.'-relative command-line arguments. */
165 };
168 /* A static buffer and its allocated size, these variables are used by
169 xfull_filename and full_filename to form full, relative file names. */
173 /* Like fstatat, but cache the result. If ST->st_size is -1, the
174 status has not been gotten yet. If less than -1, fstatat failed
175 with errno == -1 - ST->st_size. Otherwise, the status has already
176 been gotten, so return 0. */
177 static int
179 {
186 }
188 /* Initialize a fstatat cache *ST. Return ST for convenience. */
191 {
194 }
196 /* Return true if *ST has been statted. */
199 {
201 }
203 /* Return true if *ST has been statted successfully. */
206 {
208 }
211 static void
213 {
215 }
217 static bool
219 {
221 }
225 {
228 /* Don't copy trailing slashes. */
232 /* Append the string onto the stack. */
235 /* Append a trailing slash. */
238 /* Add one for the slash. */
241 /* Push the length (including slash) onto its stack. */
243 }
245 /* Return the entry name of the directory on the top of the stack
246 in malloc'd storage. */
249 {
258 }
262 {
270 /* Pop the specified length of file name. */
274 /* Pop the length stack, too. */
277 }
279 /* Copy the SRC_LEN bytes of data beginning at SRC into the DST_LEN-byte
280 buffer, DST, so that the last source byte is at the end of the destination
281 buffer. If SRC_LEN is longer than DST_LEN, then set *TRUNCATED.
282 Set *RESULT to point to the beginning of (the portion of) the source data
283 in DST. Return the number of bytes remaining in the destination buffer. */
285 static size_t
288 {
293 {
297 }
298 else
299 {
304 }
308 }
310 /* Using the global directory name obstack, create the full name of FILENAME.
311 Return it in sometimes-realloc'd space that should not be freed by the
312 caller. Realloc as necessary. If realloc fails, return NULL. */
316 {
323 {
330 }
333 {
334 /* FILENAME is just `.' and dir_len is nonzero.
335 Copy the directory part, omitting the trailing slash,
336 and append a trailing zero byte. */
339 }
340 else
341 {
342 /* Copy the directory part, including trailing slash, and then
343 append the filename part, including a trailing zero byte. */
346 }
349 }
351 /* Using the global directory name obstack, create the full name of FILENAME.
352 Return it in sometimes-realloc'd space that should not be freed by the
353 caller. Realloc as necessary. If realloc fails, die. */
357 {
362 }
364 /* Using the global directory name obstack, create the full name FILENAME.
365 Return it in sometimes-realloc'd space that should not be freed by the
366 caller. Realloc as necessary. If realloc fails, use a static buffer
367 and put as long a suffix in that buffer as possible. Be careful not
368 to change errno. */
370 #define full_filename(Filename) full_filename_ (ds, Filename)
373 {
377 {
380 }
382 {
383 #define SBUF_SIZE 512
400 {
403 }
406 }
407 }
411 {
413 }
417 {
420 }
422 static void
424 {
427 /* operate on Active_dir. pop and free top entry */
432 }
434 static void
436 {
438 {
440 }
441 }
445 {
451 }
453 static void
455 {
461 }
463 static void
465 {
470 }
472 /* Pop the active directory (AD) stack and prepare to move `up' one level,
473 safely. Moving `up' usually means opening `..', but when we've just
474 finished recursively processing a command-line directory argument,
475 there's nothing left on the stack, so set *FDP to AT_FDCWD in that case.
476 The idea is to return with *FDP opened on the parent directory,
477 assuming there are entries in that directory that we need to remove.
479 Note that we must not call opendir (or fdopendir) just yet, since
480 the caller must first remove the directory we're coming from.
481 That is because some file system implementations cache readdir
482 results at opendir time; so calling opendir, rmdir, readdir would
483 return an entry for the just-removed directory.
485 Whenever using chdir '..' (virtually, now, via openat), verify
486 that the post-chdir dev/ino numbers for `.' match the saved ones.
487 If any system call fails or if dev/ino don't match, then give a
488 diagnostic and longjump out.
489 Return the name (in malloc'd storage) of the
490 directory (usually now empty) from which we're coming, and which
491 corresponds to the input value of DIRP.
493 Finally, note that while this function's name is no longer as
494 accurate as it once was (it no longer calls chdir), it does open
495 the destination directory. */
498 {
504 /* Get the name of the current (but soon to be `previous') directory
505 from the top of the stack. */
512 /* If the directory we're about to leave (and try to rmdir)
513 is the one whose dev_ino is being used to detect a cycle,
514 reset cycle_check_state.dev_ino to that of the parent.
515 Otherwise, once that directory is removed, its dev_ino
516 could be reused in the creation (by some other process)
517 of a directory that this rm process would encounter,
518 which would result in a false-positive cycle indication. */
522 /* Propagate any failure to parent. */
528 {
532 {
536 }
538 /* The above fails with EACCES when DIRP is readable but not
539 searchable, when using Solaris' openat. Without this openat
540 call, tests/rm2 would fail to remove directories a/2 and a/3. */
545 {
549 }
552 {
557 }
559 /* Ensure that post-chdir dev/ino match the stored ones. */
561 {
564 close_and_next:;
567 next_cmdline_arg:;
570 }
572 }
573 else
574 {
576 {
580 }
582 }
585 }
587 /* Initialize *HT if it is NULL. Return *HT. */
590 {
592 {
597 }
600 }
602 /* Initialize *HT if it is NULL.
603 Insert FILENAME into HT. */
604 static void
606 {
610 else
611 {
614 }
615 }
617 /* Mark FILENAME (in current directory) as unremovable. */
618 static void
620 {
622 }
624 /* Mark the current directory as unremovable. I.e., mark the entry
625 in the parent directory corresponding to `.'.
626 This happens e.g., when an opendir fails and the only name
627 the caller has conveniently at hand is `.'. */
628 static void
630 {
638 }
640 /* Push an initial dummy entry onto the stack.
641 This will always be the bottommost entry on the stack. */
642 static void
644 {
647 /* Extend the stack. */
650 /* Fill in the new values. */
654 /* These should never be used.
655 Give them values that might look suspicious
656 in a debugger or in a diagnostic. */
659 }
661 /* Push info about the current working directory (".") onto the
662 active directory stack. DIR is the ./-relative name through
663 which we've just `chdir'd to this directory. DIR_SB_FROM_PARENT
664 is the result of calling lstat on DIR from the parent of DIR.
665 Longjump out (skipping the entire command line argument we're
666 dealing with) if `fstat (FD_CWD, ...' fails or if someone has
667 replaced DIR with e.g., a symlink to some other directory. */
668 static void
671 {
676 /* If our uses of openat are guaranteed not to
677 follow a symlink, then we can skip this check. */
679 {
682 {
686 }
689 {
694 }
695 }
698 {
706 }
708 /* Extend the stack. */
711 /* The active directory stack must be one larger than the length stack. */
715 /* Fill in the new values. */
720 }
724 {
727 }
729 /* Return true if DIR is determined to be an empty directory. */
730 static bool
732 {
745 {
748 }
757 }
759 /* Return -1 if FILE is an unwritable non-symlink,
760 0 if it is writable or some other type of file,
761 a positive error number if there is some problem in determining the answer.
762 Set *BUF to the file status.
763 This is to avoid calling euidaccess when FILE is a symlink. */
764 static int
769 {
776 /* Here, we know FILE is not a symbolic link. */
778 /* In order to be reentrant -- i.e., to avoid changing the working
779 directory, and at the same time to be able to deal with alternate
780 access control mechanisms (ACLs, xattr-style attributes) and
781 arbitrarily deep trees -- we need a function like eaccessat, i.e.,
782 like Solaris' eaccess, but fd-relative, in the spirit of openat. */
784 /* In the absence of a native eaccessat function, here are some of
785 the implementation choices [#4 and #5 were suggested by Paul Eggert]:
786 1) call openat with O_WRONLY|O_NOCTTY
787 Disadvantage: may create the file and doesn't work for directory,
788 may mistakenly report `unwritable' for EROFS or ACLs even though
789 perm bits say the file is writable.
791 2) fake eaccessat (save_cwd, fchdir, call euidaccess, restore_cwd)
792 Disadvantage: changes working directory (not reentrant) and can't
793 work if save_cwd fails.
795 3) if (euidaccess (xfull_filename (file), W_OK) == 0)
796 Disadvantage: doesn't work if xfull_filename is too long.
797 Inefficient for very deep trees (O(Depth^2)).
799 4) If the full pathname is sufficiently short (say, less than
800 PATH_MAX or 8192 bytes, whichever is shorter):
801 use method (3) (i.e., euidaccess (xfull_filename (file), W_OK));
802 Otherwise: vfork, fchdir in the child, run euidaccess in the
803 child, then the child exits with a status that tells the parent
804 whether euidaccess succeeded.
806 This avoids the O(N**2) algorithm of method (3), and it also avoids
807 the failure-due-to-too-long-file-names of method (3), but it's fast
808 in the normal shallow case. It also avoids the lack-of-reentrancy
809 and the save_cwd problems.
810 Disadvantage; it uses a process slot for very-long file names,
811 and would be very slow for hierarchies with many such files.
813 5) If the full file name is sufficiently short (say, less than
814 PATH_MAX or 8192 bytes, whichever is shorter):
815 use method (3) (i.e., euidaccess (xfull_filename (file), W_OK));
816 Otherwise: look just at the file bits. Perhaps issue a warning
817 the first time this occurs.
819 This is like (4), except for the "Otherwise" case where it isn't as
820 "perfect" as (4) but is considerably faster. It conforms to current
821 POSIX, and is uniformly better than what Solaris and FreeBSD do (they
822 mess up with long file names). */
824 {
825 /* This implements #5: */
826 size_t file_name_len
836 /* Perhaps some other process has removed the file, or perhaps this
837 is a buggy NFS client. */
839 }
840 }
842 /* Prompt whether to remove FILENAME, if required via a combination of
843 the options specified by X and/or file attributes. If the file may
844 be removed, return RM_OK. If the user declines to remove the file,
845 return RM_USER_DECLINED. If not ignoring missing files and we
846 cannot lstat FILENAME, then return RM_ERROR.
848 *PDIRENT_TYPE is the type of the directory entry; update it to DT_DIR
849 or DT_LNK as needed. *SBUF is the file's status.
851 Depending on MODE, ask whether to `descend into' or to `remove' the
852 directory FILENAME. MODE is ignored when FILENAME is not a directory.
853 Set *IS_EMPTY to T_YES if FILENAME is an empty directory, and it is
854 appropriate to try to remove it with rmdir (e.g. recursive mode).
855 Don't even try to set *IS_EMPTY when MODE == PA_REMOVE_DIR. */
856 static enum RM_status
861 {
876 {
878 {
880 {
885 /* Otherwise it doesn't matter, so leave it DT_UNKNOWN. */
887 }
888 else
889 {
890 /* This happens, e.g., with `rm '''. */
892 }
893 }
897 {
899 /* Using permissions doesn't make sense for symlinks. */
908 }
913 {
916 }
918 /* Issue the prompt. */
919 /* FIXME: use a variant of error (instead of fprintf) that doesn't
920 append a newline. Then we won't have to declare program_name in
921 this file. */
927 (write_protected
931 else
932 {
934 {
937 }
939 /* TRANSLATORS: You may find it more convenient to translate
940 the equivalent of _("%s: remove %s (write-protected) %s? ").
941 It should avoid grammatical problems with the output
942 of file_type. */
944 (write_protected
948 }
952 }
954 }
956 /* Return true if FILENAME is a directory (and not a symlink to a directory).
957 Otherwise, including the case in which lstat fails, return false.
958 *ST is FILENAME's tstatus.
959 Do not modify errno. */
962 {
969 }
971 /* Return true if FILENAME is a non-directory.
972 Otherwise, including the case in which lstat fails, return false.
973 *ST is FILENAME's tstatus.
974 Do not modify errno. */
977 {
984 }
986 #define DO_UNLINK(Fd_cwd, Filename, X) \
987 do \
988 { \
989 if (unlinkat (Fd_cwd, Filename, 0) == 0) \
990 { \
991 if ((X)->verbose) \
993 return RM_OK; \
994 } \
995 \
996 if (ignorable_missing (X, errno)) \
997 return RM_OK; \
998 } \
999 while (0)
1001 #define DO_RMDIR(Fd_cwd, Filename, X) \
1002 do \
1003 { \
1005 { \
1006 if ((X)->verbose) \
1008 quote (full_filename (Filename))); \
1009 return RM_OK; \
1010 } \
1011 \
1012 if (ignorable_missing (X, errno)) \
1013 return RM_OK; \
1014 \
1015 if (errno == ENOTEMPTY || errno == EEXIST) \
1016 return RM_NONEMPTY_DIR; \
1017 } \
1018 while (0)
1020 /* When a function like unlink, rmdir, or fstatat fails with an errno
1021 value of ERRNUM, return true if the specified file system object
1022 is guaranteed not to exist; otherwise, return false. */
1025 {
1026 /* Do not include ELOOP here, since the specified file may indeed
1027 exist, but be (in)accessible only via too long a symlink chain.
1028 Likewise for ENAMETOOLONG, since rm -f ./././.../foo may fail
1029 if the "..." part expands to a long enough sequence of "./"s,
1030 even though ./foo does indeed exist. */
1033 {
1039 }
1040 }
1042 /* Encapsulate the test for whether the errno value, ERRNUM, is ignorable. */
1045 {
1047 }
1049 /* Remove the file or directory specified by FILENAME.
1050 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not.
1051 But if FILENAME specifies a non-empty directory, return RM_NONEMPTY_DIR. */
1053 static enum RM_status
1057 {
1058 Ternary is_empty_directory;
1060 PA_DESCEND_INTO_DIR,
1066 /* Why bother with the following if/else block? Because on systems with
1067 an unlink function that *can* unlink directories, we must determine the
1068 type of each entry before removing it. Otherwise, we'd risk unlinking
1069 an entire directory tree simply by unlinking a single directory; then
1070 all the storage associated with that hierarchy would not be freed until
1071 the next fsck. Not nice. To avoid that, on such slightly losing
1072 systems, we need to call lstat to determine the type of each entry,
1073 and that represents extra overhead that -- it turns out -- we can
1074 avoid on non-losing systems, since there, unlink will never remove
1075 a directory. Also, on systems where unlink may unlink directories,
1076 we're forced to allow a race condition: we lstat a non-directory, then
1077 go to unlink it, but in the mean time, a malicious someone could have
1078 replaced it with a directory. */
1081 {
1083 {
1087 }
1089 /* is_empty_directory is set iff it's ok to use rmdir.
1090 Note that it's set only in interactive mode -- in which case it's
1091 an optimization that arranges so that the user is asked just
1092 once whether to remove the directory. */
1096 /* If we happen to know that FILENAME is a directory, return now
1097 and let the caller remove it -- this saves the overhead of a failed
1098 unlink call. If FILENAME is a command-line argument, then
1099 DIRENT_TYPE is DT_UNKNOWN so we'll first try to unlink it.
1100 Using unlink here is ok, because it cannot remove a
1101 directory. */
1107 /* Upon a failed attempt to unlink a directory, most non-Linux systems
1108 set errno to the POSIX-required value EPERM. In that case, change
1109 errno to EISDIR so that we emit a better diagnostic. */
1118 )
1119 {
1123 /* Either --recursive is not in effect, or the file cannot be a
1124 directory. Report the unlink problem and fail. */
1128 }
1130 }
1131 else
1132 {
1133 /* If we don't already know whether FILENAME is a directory,
1134 find out now. Then, if it's a non-directory, we can use
1135 unlink on it. */
1138 {
1140 {
1147 }
1151 }
1154 {
1155 /* At this point, barring race conditions, FILENAME is known
1156 to be a non-directory, so it's ok to try to unlink it. */
1159 /* unlink failed with some other error code. report it. */
1163 }
1166 {
1170 }
1173 {
1175 /* Don't diagnose any failure here.
1176 It'll be detected when the caller tries another way. */
1177 }
1178 }
1181 }
1183 /* Given FD_CWD, the file descriptor for an open directory,
1184 open its subdirectory F (F is already `known' to be a directory,
1185 so if it is no longer one, someone is playing games), return a DIR*
1186 pointer for F, and put F's `stat' data in *SUBDIR_SB.
1187 Upon failure give a diagnostic and return NULL.
1188 If PREV_ERRNO is nonzero, it is the errno value from a preceding failed
1189 unlink- or rmdir-like system call -- use that value instead of ENOTDIR
1190 if an opened file turns out not to be a directory. This is important
1191 when the preceding non-dir-unlink failed due to e.g., EPERM or EACCES.
1192 The caller must use a nonnnull CWD_ERRNO the first
1193 time this function is called for each command-line-specified directory.
1194 If CWD_ERRNO is not null, set *CWD_ERRNO to the appropriate error number
1195 if this function fails to restore the initial working directory.
1196 If it is null, report an error and exit if the working directory
1197 isn't restored. */
1203 {
1208 /* Record dev/ino of F. We may compare them against saved values
1209 to thwart any attempt to subvert the traversal. They are also used
1210 to detect directory cycles. */
1216 {
1221 }
1222 else
1228 }
1230 /* Remove entries in the directory open on DIRP
1231 Upon finding a directory that is both non-empty and that can be chdir'd
1232 into, return RM_OK and set *SUBDIR and fill in SUBDIR_SB, where
1233 SUBDIR is the malloc'd name of the subdirectory if the chdir succeeded,
1234 NULL otherwise (e.g., if opendir failed or if there was no subdirectory).
1235 Likewise, SUBDIR_SB is the result of calling lstat on SUBDIR.
1236 Return RM_OK if all entries are removed. Return RM_ERROR if any
1237 entry cannot be removed. Otherwise, return RM_USER_DECLINED if
1238 the user declines to remove at least one entry. Remove as much as
1239 possible, continuing even if we fail to remove some entries. */
1240 static enum RM_status
1244 {
1253 {
1258 /* Set errno to zero so we can distinguish between a readdir failure
1259 and when readdir simply finds that there are no more entries. */
1263 {
1265 {
1266 /* fall through */
1267 }
1269 {
1270 /* Call rewinddir if we've called unlink or rmdir so many times
1271 (since the opendir or the previous rewinddir) that this
1272 NULL-return may be the symptom of a buggy readdir. */
1276 }
1278 }
1282 /* Skip files we've already tried/failed to remove. */
1286 /* Pass dp->d_type info to remove_entry so the non-glibc
1287 case can decide whether to use unlink or chdir.
1288 Systems without the d_type member will have to endure
1289 the performance hit of first calling lstat F. */
1294 {
1296 /* Count how many files we've unlinked since the initial
1297 opendir or the last rewinddir. On buggy systems, if you
1298 remove too many, readdir returns NULL even though there
1299 remain unprocessed directory entries. */
1310 {
1314 {
1317 /* CAUTION: this test and diagnostic are identical to
1318 those following the other use of fd_to_subdirp. */
1320 {
1321 /* With -f, don't report "file not found". */
1322 }
1323 else
1324 {
1325 /* Upon fd_to_subdirp failure, try to remove F directly,
1326 in case it's just an empty directory. */
1330 else
1333 }
1338 }
1342 {
1346 }
1350 }
1351 }
1353 /* Record status for this directory. */
1358 }
1360 /* Ensure that *dirp is not NULL and that its file descriptor is valid. */
1365 }
1367 /* Do this after each call to AD_push or AD_push_initial.
1368 Because the status = RM_OK bit is too remove-specific to
1369 go into the general-purpose AD_* package. */
1370 #define AD_INIT_OTHER_MEMBERS() \
1371 do \
1372 { \
1373 AD_stack_top(ds)->status = RM_OK; \
1374 } \
1375 while (0)
1377 /* Remove the hierarchy rooted at DIR.
1378 Do that by changing into DIR, then removing its contents, then
1379 returning to the original working directory and removing DIR itself.
1380 Don't use recursion. Be careful when using chdir ".." that we
1381 return to the same directory from which we came, if necessary.
1382 Return an RM_status value to indicate success or failure. */
1384 static enum RM_status
1388 {
1392 /* There is a race condition in that an attacker could replace the nonempty
1393 directory, DIR, with a symlink between the preceding call to rmdir
1394 (unlinkat, in our caller) and fd_to_subdirp's openat call. But on most
1395 systems, even those without openat, this isn't a problem, since we ensure
1396 that opening a symlink will fail, when that is possible. Otherwise,
1397 fd_to_subdirp's fstat, along with the `fstat' and the dev/ino
1398 comparison in AD_push ensure that we detect it and fail. */
1403 {
1404 /* CAUTION: this test and diagnostic are identical to
1405 those following the other use of fd_to_subdirp. */
1407 {
1408 /* With -f, don't report "file not found". */
1409 }
1410 else
1411 {
1412 /* Upon fd_to_subdirp failure, try to remove DIR directly,
1413 in case it's just an empty directory. */
1420 }
1423 }
1426 {
1430 }
1438 {
1446 {
1449 }
1451 {
1454 {
1459 }
1461 /* Here, --one-file-system is in effect, and with remove_cwd_entries'
1462 traversal into the current directory, (known as SUBDIR, from ..),
1463 DIRP's device number is different from CURRENT_DEV. Arrange not
1464 to do anything more with this hierarchy. */
1471 }
1473 /* Execution reaches this point when we've removed the last
1474 removable entry from the current directory -- or, with
1475 --one-file-system, when the current directory is on a
1476 different file system. */
1477 {
1479 /* The name of the directory that we have just processed,
1480 nominally removing all of its contents. */
1485 /* Try to remove EMPTY_DIR only if remove_cwd_entries succeeded. */
1487 {
1489 Ternary is_empty;
1496 {
1502 }
1505 {
1509 }
1510 else
1511 {
1517 }
1518 }
1527 {
1532 }
1533 }
1534 }
1536 /* If the first/final hash table of unremovable entries was used,
1537 free it here. */
1540 closedir_and_return:;
1542 {
1546 }
1549 }
1551 /* Remove the file or directory specified by FILENAME.
1552 Return RM_OK if it is removed, and RM_ERROR or RM_USER_DECLINED if not. */
1554 static enum RM_status
1557 {
1560 {
1566 }
1572 {
1574 {
1579 }
1581 {
1584 }
1585 }
1593 {
1594 /* In the event that remove_dir->remove_cwd_entries detects
1595 a directory cycle, arrange to fail, give up on this FILE, but
1596 continue on with any other arguments. */
1599 else
1603 }
1607 }
1609 /* Remove all files and/or directories specified by N_FILES and FILE.
1610 Apply the options in X. */
1613 {
1620 {
1622 {
1625 }
1626 else
1627 {
1631 }
1632 }
1635 {
1639 }
1644 }