Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!genrad!panda!husc6!harvard!caip!lll-crg!lll-lcc!qantel!ihnp4!ltuxa!ttrdc!levy From: levy@ttrdc.UUCP (Daniel R. Levy) Newsgroups: net.sources.bugs Subject: Re: What happens during an unlink(2) Message-ID: <868@ttrdc.UUCP> Date: Fri, 9-May-86 20:36:44 EDT Article-I.D.: ttrdc.868 Posted: Fri May 9 20:36:44 1986 Date-Received: Tue, 13-May-86 00:58:56 EDT References: <947@kitty.UUCP> <403@ukecc.UUCP> <979@kitty.UUCP> Organization: AT&T, Computer Systems Division, Skokie, IL Lines: 51 Keywords: Disk blocks sometimes get zeroed In article <634@ihdev.UUCP>, pdg@ihdev.UUCP (P. D. Guthrie) writes: >In article <861@ttrdc.UUCP> levy@ttrdc.UUCP (Daniel R. Levy) writes: >>In article <438@ukecc.UUCP>, edward@ukecc.UUCP (Edward C. Bennett) writes: >>>In article <238@chronon.chronon.UUCP>, eric@chronon.UUCP (Eric Black) writes: >>>> > [discussion of what unlink(2) does] >>>> Spooks aren't the only people who might desire disks & memory to be >>>> cleansed when released, by the way. >>> You're absolutely right. I never though about that way. >>>Edward C. Bennett >>Hmmmm. Maybe there should be an option to 'rm' to cause it to zero out >>files before unlinking them? (like rm -e [for erase], similar to VMS's >>DELETE/ERASE) >> >The trouble with this is that is really would have to be an option to >unlink(2), which would make a lot of current software obsolete. The >only other way would be to have rm directly write to disk, but there is >too much margin for error or mass destruction here. Why either problem? The hypothetical 'rm -e' would check to see if the file was an ordinary file, and if so try to open() it. If it succeeded, it would write nulls all the way to the end (rm does a stat() anyway so that the file length is easy to get) then blow it away with an unlink() (or maybe vice versa, so that if it were interrupted in mid-zeroing, which would purposely be made difficult to do by ignoring interrupts, quits, and hangups during the zeroing process, at least there wouldn't be a partially munged file left). No mass destruction possible (at least not worse than the present rm), since ordinary user calls are being used, no setuid or direct device access stuff. If the file could be unlinked but not opened for writing, an attempt to 'rm -e' would warn the user about this [as it does now if the user cannot write the file] and ask for confirmation before unlinking sans zeroing out. Main disadvantage would be slowness. Things could be speeded up (for the user) by forking a nohup'ed background process to finish off the zeroing out for each file (but a 'rm -e *' might run up against a process limit problem, so maybe for big jobs this backgrounding would not happen or be done in small groups of processes). Directory files would be a different problem. They could be "zeroed" from user code by filling them with empty files like "a", "b", etc. after deleting the contents, then unlinking those empty files, then doing the rmdir. Device files would not need zeroing, obviously (except maybe for fifos--does the last data to go down them before close stay on disk?). -- ------------------------------- Disclaimer: The views contained herein are | dan levy | yvel nad | my own and are not at all those of my em- | an engihacker @ | ployer or the administrator of any computer | at&t computer systems division | upon which I may hack. | skokie, illinois | -------------------------------- Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa, vax135}!ttrdc!levy