| blob | 10425a31d6ff35c2a7b82c880be3246c7355f014 |
1 /* shred.c - overwrite files and devices to make it harder to recover data
3 Copyright (C) 1999-2011 Free Software Foundation, Inc.
4 Copyright (C) 1997, 1998, 1999 Colin Plumb.
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 Written by Colin Plumb. */
21 /* TODO:
22 - use consistent non-capitalization in error messages
23 - add standard GNU copyleft comment
25 - Add -r/-R/--recursive
26 - Add -i/--interactive
27 - Reserve -d
28 - Add -L
29 - Add an unlink-all option to emulate rm.
30 */
32 /*
33 * Do a more secure overwrite of given files or devices, to make it harder
34 * for even very expensive hardware probing to recover the data.
35 *
36 * Although this process is also known as "wiping", I prefer the longer
37 * name both because I think it is more evocative of what is happening and
38 * because a longer name conveys a more appropriate sense of deliberateness.
39 *
40 * For the theory behind this, see "Secure Deletion of Data from Magnetic
41 * and Solid-State Memory", on line at
42 * http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
43 *
44 * Just for the record, reversing one or two passes of disk overwrite
45 * is not terribly difficult with hardware help. Hook up a good-quality
46 * digitizing oscilloscope to the output of the head preamplifier and copy
47 * the high-res digitized data to a computer for some off-line analysis.
48 * Read the "current" data and average all the pulses together to get an
49 * "average" pulse on the disk. Subtract this average pulse from all of
50 * the actual pulses and you can clearly see the "echo" of the previous
51 * data on the disk.
52 *
53 * Real hard drives have to balance the cost of the media, the head,
54 * and the read circuitry. They use better-quality media than absolutely
55 * necessary to limit the cost of the read circuitry. By throwing that
56 * assumption out, and the assumption that you want the data processed
57 * as fast as the hard drive can spin, you can do better.
58 *
59 * If asked to wipe a file, this also unlinks it, renaming it to in a
60 * clever way to try to leave no trace of the original filename.
61 *
62 * This was inspired by a desire to improve on some code titled:
63 * Wipe V1.0-- Overwrite and delete files. S. 2/3/96
64 * but I've rewritten everything here so completely that no trace of
65 * the original remains.
66 *
67 * Thanks to:
68 * Bob Jenkins, for his good RNG work and patience with the FSF copyright
69 * paperwork.
70 * Jim Meyering, for his work merging this into the GNU fileutils while
71 * still letting me feel a sense of ownership and pride. Getting me to
72 * tolerate the GNU brace style was quite a feat of diplomacy.
73 * Paul Eggert, for lots of useful discussion and code. I disagree with
74 * an awful lot of his suggestions, but they're disagreements worth having.
75 *
76 * Things to think about:
77 * - Security: Is there any risk to the race
78 * between overwriting and unlinking a file? Will it do anything
79 * drastically bad if told to attack a named pipe or socket?
80 */
82 /* The official name of this program (e.g., no `g' prefix). */
87 #include <config.h>
89 #include <getopt.h>
90 #include <stdio.h>
91 #include <assert.h>
92 #include <setjmp.h>
93 #include <sys/types.h>
104 /* Default number of times to overwrite. */
107 /* How many seconds to wait before checking whether to output another
108 verbose output line. */
111 /* Sector size and corresponding mask, for recovering after write failures.
112 The size must be a power of 2. */
117 struct Options
118 {
126 };
128 /* For long options that have no equivalent short option, use a
129 non-character as a pseudo short option, starting with CHAR_MAX + 1. */
130 enum
131 {
133 };
136 {
148 };
150 void
152 {
155 program_name);
156 else
157 {
233 }
235 }
238 /*
239 * Fill a buffer with a fixed pattern.
240 *
241 * The buffer must be at least 3 bytes long, even if
242 * size is less. Larger sizes are filled exactly.
243 */
244 static void
246 {
259 /* Invert the first bit of every sector. */
263 }
265 /*
266 * Generate a 6-character (+ nul) pass name string
267 * FIXME: allow translation of "random".
268 */
269 #define PASS_NAME_SIZE 7
270 static void
272 {
275 else
277 }
279 /* Return true when it's ok to ignore an fsync or fdatasync
280 failure that set errno to ERRNO_VAL. */
281 static bool
283 {
286 /* HP-UX does this */
288 }
290 /* Request that all data for FD be transferred to the corresponding
291 storage device. QNAME is the file name (quoted for colons).
292 Report any errors found. Return 0 on success, -1
293 (setting errno) on failure. It is not an error if fdatasync and/or
294 fsync is not supported for this file, or if the file is not a
295 writable file descriptor. */
296 static int
298 {
301 #if HAVE_FDATASYNC
306 {
310 }
311 #endif
317 {
321 }
325 }
327 /* Turn on or off direct I/O mode for file descriptor FD, if possible.
328 Try to turn it on if ENABLE is true. Otherwise, try to turn it off. */
329 static void
331 {
333 {
336 {
342 }
343 }
345 #if HAVE_DIRECTIO && defined DIRECTIO_ON && defined DIRECTIO_OFF
346 /* This is Solaris-specific. See the following for details:
347 http://docs.sun.com/db/doc/816-0213/6m6ne37so?q=directio&a=view */
349 #endif
350 }
352 /*
353 * Do pass number k of n, writing "size" bytes of the given pattern "type"
354 * to the file descriptor fd. Qname, k and n are passed in only for verbose
355 * progress message purposes. If n == 0, no progress messages are printed.
356 *
357 * If *sizep == -1, the size is unknown, and it will be filled in as soon
358 * as writing fails.
359 *
360 * Return 1 on write error, -1 on other error, 0 on success.
361 */
362 static int
365 {
374 /* Fill pattern buffer. Aligning it to a 32-bit boundary speeds up randread
375 in some cases. */
377 union
378 {
379 fill_pattern_buffer buffer;
389 /* Printable previous offset into the file */
394 {
397 }
399 /* Constant fill patterns need only be set up once. */
401 {
405 }
406 else
407 {
409 }
411 /* Set position if first status update */
413 {
417 }
421 {
422 /* How much to write this time? */
425 {
431 }
434 /* Loop to retry partial writes. */
436 {
439 {
441 {
442 /* Ah, we have found the end of the file */
445 }
446 else
447 {
451 /* If the first write of the first pass for a given file
452 has just failed with EINVAL, turn off direct mode I/O
453 and try again. This works around a bug in Linux kernel
454 2.4 whereby opening with O_DIRECT would succeed for some
455 file system types (e.g., ext3), but any attempt to
456 access a file through the resulting descriptor would
457 fail with EINVAL. */
459 {
463 }
467 /* 'shred' is often used on bad media, before throwing it
468 out. Thus, it shouldn't give up on bad blocks. This
469 code works because lim is always a multiple of
470 SECTOR_SIZE, except at the end. */
473 {
476 {
477 /* Arrange to skip this block. */
481 }
483 }
485 }
486 }
487 }
489 /* Okay, we have written "soff" bytes. */
492 {
495 }
499 /* Time to print progress? */
503 {
514 {
518 else
519 {
534 percent);
535 }
541 /*
542 * Force periodic syncs to keep displayed progress accurate
543 * FIXME: Should these be present even if -v is not enabled,
544 * to keep the buffer cache from filling with dirty pages?
545 * It's a common problem with programs that do lots of writes,
546 * like mkfs.
547 */
549 {
553 }
554 }
555 }
556 }
558 /* Force what we just wrote to hit the media. */
560 {
564 }
567 }
569 /*
570 * The passes start and end with a random pass, and the passes in between
571 * are done in random order. The idea is to deprive someone trying to
572 * reverse the process of knowledge of the overwrite patterns, so they
573 * have the additional step of figuring out what was done to the disk
574 * before they can try to reverse or cancel it.
575 *
576 * First, all possible 1-bit patterns. There are two of them.
577 * Then, all possible 2-bit patterns. There are four, but the two
578 * which are also 1-bit patterns can be omitted.
579 * Then, all possible 3-bit patterns. Likewise, 8-2 = 6.
580 * Then, all possible 4-bit patterns. 16-4 = 12.
581 *
582 * The basic passes are:
583 * 1-bit: 0x000, 0xFFF
584 * 2-bit: 0x555, 0xAAA
585 * 3-bit: 0x249, 0x492, 0x924, 0x6DB, 0xB6D, 0xDB6 (+ 1-bit)
586 * 100100100100 110110110110
587 * 9 2 4 D B 6
588 * 4-bit: 0x111, 0x222, 0x333, 0x444, 0x666, 0x777,
589 * 0x888, 0x999, 0xBBB, 0xCCC, 0xDDD, 0xEEE (+ 1-bit, 2-bit)
590 * Adding three random passes at the beginning, middle and end
591 * produces the default 25-pass structure.
592 *
593 * The next extension would be to 5-bit and 6-bit patterns.
594 * There are 30 uncovered 5-bit patterns and 64-8-2 = 46 uncovered
595 * 6-bit patterns, so they would increase the time required
596 * significantly. 4-bit patterns are enough for most purposes.
597 *
598 * The main gotcha is that this would require a trickier encoding,
599 * since lcm(2,3,4) = 12 bits is easy to fit into an int, but
600 * lcm(2,3,4,5) = 60 bits is not.
601 *
602 * One extension that is included is to complement the first bit in each
603 * 512-byte block, to alter the phase of the encoded data in the more
604 * complex encodings. This doesn't apply to MFM, so the 1-bit patterns
605 * are considered part of the 3-bit ones and the 2-bit patterns are
606 * considered part of the 4-bit patterns.
607 *
608 *
609 * How does the generalization to variable numbers of passes work?
610 *
611 * Here's how...
612 * Have an ordered list of groups of passes. Each group is a set.
613 * Take as many groups as will fit, plus a random subset of the
614 * last partial group, and place them into the passes list.
615 * Then shuffle the passes list into random order and use that.
616 *
617 * One extra detail: if we can't include a large enough fraction of the
618 * last group to be interesting, then just substitute random passes.
619 *
620 * If you want more passes than the entire list of groups can
621 * provide, just start repeating from the beginning of the list.
622 */
623 static int const
624 patterns[] =
625 {
634 /* The following patterns have the frst bit per block flipped */
640 };
642 /*
643 * Generate a random wiping pass pattern with num passes.
644 * This is a two-stage process. First, the passes to include
645 * are chosen, and then they are shuffled into the desired
646 * order.
647 */
648 static void
650 {
661 /* Stage 1: choose the passes to use */
668 {
673 }
678 {
681 }
684 }
691 }
696 }
697 else
699 do
700 {
702 {
704 n--;
705 }
706 p++;
707 }
710 }
711 }
713 /* assert (d == dest+top); */
715 /*
716 * We now have fixed patterns in the dest buffer up to
717 * "top", and we need to scramble them, with "randpasses"
718 * random passes evenly spaced among them.
719 *
720 * We want one at the beginning, one at the end, and
721 * evenly spaced in between. To do this, we basically
722 * use Bresenham's line draw (a.k.a DDA) algorithm
723 * to draw a line with slope (randpasses-1)/(num-1).
724 * (We use a positive accumulator and count down to
725 * do this.)
726 *
727 * So for each desired output value, we do the following:
728 * - If it should be a random pass, copy the pass type
729 * to top++, out of the way of the other passes, and
730 * set the current pass to -1 (random).
731 * - If it should be a normal pattern pass, choose an
732 * entry at random between here and top-1 (inclusive)
733 * and swap the current entry with that one.
734 */
738 {
740 {
744 }
745 else
746 {
751 }
753 }
754 /* assert (top == num); */
755 }
757 /*
758 * The core routine to actually do the work. This overwrites the first
759 * size bytes of the given fd. Return true if successful.
760 */
761 static bool
764 {
778 {
781 }
783 /* If we know that we can't possibly shred the file, give up now.
784 Otherwise, we may go into a infinite loop writing data before we
785 find that we can't rewind the device. */
789 {
792 }
796 /* Allocate pass array */
801 {
802 /* Accept a length of zero only if it's a regular file.
803 For any other type of file, try to get the size another way. */
805 {
808 {
811 }
812 }
813 else
814 {
817 {
818 /* We are unable to determine the length, up front.
819 Let dopass do that as part of its first iteration. */
821 }
822 }
824 /* Allow `rounding up' only for regular files. */
826 {
829 /* If in rounding up, we've just overflowed, use the maximum. */
832 }
833 }
835 /* Schedule the passes in random order. */
840 /* Do the work */
842 {
845 {
847 {
851 }
853 }
854 }
860 {
863 {
867 }
868 }
870 /* Okay, now deallocate the data. The effect of ftruncate on
871 non-regular files is unspecified, so don't worry about any
872 errors reported for them. */
875 {
878 }
881 }
883 /* A wrapper with a little more checking for fds on the command line */
884 static bool
887 {
891 {
894 }
896 {
899 }
901 }
903 /* --- Name-wiping code --- */
905 /* Characters allowed in a file name - a safe universal set. */
909 /* Increment NAME (with LEN bytes). NAME must be a big-endian base N
910 number with the digits taken from nameset. Return true if
911 successful if not (because NAME already has the greatest possible
912 value. */
914 static bool
916 {
918 {
921 /* If this character has a successor, use it. */
923 {
926 }
928 /* Otherwise, set this digit to 0 and increment the prefix. */
930 }
933 }
935 /*
936 * Repeatedly rename a file with shorter and shorter names,
937 * to obliterate all traces of the file name on any system that
938 * adds a trailing delimiter to on-disk file names and reuses
939 * the same directory slot. Finally, unlink it.
940 * The passed-in filename is modified in place to the new filename.
941 * (Which is unlinked if this function succeeds, but is still present if
942 * it fails for some reason.)
943 *
944 * The main loop is written carefully to not get stuck if all possible
945 * names of a given length are occupied. It counts down the length from
946 * the original to 0. While the length is non-zero, it tries to find an
947 * unused file name of the given length. It continues until either the
948 * name is available and the rename succeeds, or it runs out of names
949 * to try (incname wraps and returns 1). Finally, it unlinks the file.
950 *
951 * The unlink is Unix-specific, as ANSI-standard remove has more
952 * portability problems with C libraries making it "safe". rename
953 * is ANSI-standard.
954 *
955 * To force the directory data out, we try to open the directory and
956 * invoke fdatasync and/or fsync on it. This is non-standard, so don't
957 * insist that it works: just fall back to a global sync in that case.
958 * This is fairly significantly Unix-specific. Of course, on any
959 * file system with synchronous metadata updates, this is unnecessary.
960 */
961 static bool
963 {
978 {
981 do
982 {
985 {
987 {
991 {
992 /*
993 * People seem to understand this better than talking
994 * about renaming oldname. newname doesn't need
995 * quoting because we picked it. oldname needs to
996 * be quoted only the first time.
997 */
1001 }
1004 }
1005 else
1006 {
1007 /* The rename failed: give up on this length. */
1009 }
1010 }
1011 else
1012 {
1013 /* newname exists, so increment BASE so we use another */
1014 }
1015 }
1017 len--;
1018 }
1020 {
1023 }
1027 {
1031 {
1034 }
1035 }
1040 }
1042 /*
1043 * Finally, the function that actually takes a filename and grinds
1044 * it into hamburger.
1045 *
1046 * FIXME
1047 * Detail to note: since we do not restore errno to EACCES after
1048 * a failed chmod, we end up printing the error code from the chmod.
1049 * This is actually the error that stopped us from proceeding, so
1050 * it's arguably the right one, and in practice it'll be either EACCES
1051 * again or EPERM, which both give similar error messages.
1052 * Does anyone disagree?
1053 */
1054 static bool
1057 {
1067 {
1070 }
1074 {
1077 }
1081 }
1084 /* Buffers for random data. */
1087 /* Just on general principles, wipe buffers containing information
1088 that may be related to the possibly-pseudorandom values used during
1089 shredding. */
1090 static void
1092 {
1094 }
1097 int
1099 {
1120 {
1122 {
1128 {
1132 {
1135 }
1137 }
1151 {
1155 {
1158 }
1160 }
1175 case_GETOPT_HELP_CHAR;
1181 }
1182 }
1188 {
1191 }
1199 {
1202 {
1204 }
1205 else
1206 {
1207 /* Plain filename - Note that this overwrites *argv! */
1209 }
1211 }
1214 }
1215 /*
1216 * vim:sw=2:sts=2:
1217 */