one random overwrite is sufficient, after some discussion on tech

2 files changed, 14 insertions, 23 deletions

diff --git a/bin/rm/rm.1 b/bin/rm/rm.1
index 33f8db44bc2..4cedbf7d6d8 100644
--- a/bin/rm/rm.1
+++ b/bin/rm/rm.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: rm.1,v 1.34 2010/10/04 07:17:30 jmc Exp $
+.\"	$OpenBSD: rm.1,v 1.35 2012/09/04 22:22:50 tedu Exp $
 .\"	$NetBSD: rm.1,v 1.8 1995/07/25 19:37:30 jtc Exp $
 .\"
 .\" Copyright (c) 1990, 1993, 1994
@@ -33,7 +33,7 @@
 .\"
 .\"	@(#)rm.1	8.5 (Berkeley) 12/5/94
 .\"
-.Dd $Mdocdate: October 4 2010 $
+.Dd $Mdocdate: September 4 2012 $
 .Dt RM 1
 .Os
 .Sh NAME
@@ -77,13 +77,7 @@ option overrides any previous
 options.
 .It Fl P
 Overwrite regular files before deleting them.
-Files are overwritten three times, first with the byte pattern
-.Li 0xff ,
-then
-.Li 0x00 ,
-and then
-.Li 0xff
-again, before they are deleted.
+Files are overwritten once with a random pattern.
 Files with multiple links will be unlinked but not overwritten.
 .It Fl R
 Attempt to remove the file hierarchy rooted in each file argument.
@@ -197,8 +191,9 @@ command appeared in
 .Sh BUGS
 The
 .Fl P
-option assumes that the underlying file system is a fixed-block file
-system,
-such as UFS.
+option assumes that both the underlying file system and storage medium write
+in place.
+This is true for the FFS and MSDOS file systems and magnetic hard disks,
+but not true for most flash storage.
 In addition, only regular files are overwritten, other types of files
 are not.
diff --git a/bin/rm/rm.c b/bin/rm/rm.c
index 436b70068a1..41b574edca1 100644
--- a/bin/rm/rm.c
+++ b/bin/rm/rm.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: rm.c,v 1.25 2012/06/18 01:03:05 guenther Exp $	*/
+/*	$OpenBSD: rm.c,v 1.26 2012/09/04 22:22:50 tedu Exp $	*/
 /*	$NetBSD: rm.c,v 1.19 1995/09/07 06:48:50 jtc Exp $	*/
 
 /*-
@@ -55,7 +55,7 @@ int	check(char *, char *, struct stat *);
 void	checkdot(char **);
 void	rm_file(char **);
 int	rm_overwrite(char *, struct stat *);
-int	pass(int, int, off_t, char *, size_t);
+int	pass(int, off_t, char *, size_t);
 void	rm_tree(char **);
 void	usage(void);
 
@@ -261,7 +261,7 @@ rm_file(char **argv)
 
 /*
  * rm_overwrite --
- *	Overwrite the file 3 times with varying bit patterns.
+ *	Overwrite the file with varying bit patterns.
  *
  * XXX
  * This is a cheap way to *really* delete files.  Note that only regular
@@ -308,13 +308,9 @@ rm_overwrite(char *file, struct stat *sbp)
 	if ((buf = malloc(bsize)) == NULL)
 		err(1, "%s: malloc", file);
 
-	if (!pass(0xff, fd, sbp->st_size, buf, bsize) || fsync(fd) ||
-	    lseek(fd, (off_t)0, SEEK_SET))
+	if (!pass(fd, sbp->st_size, buf, bsize))
 		goto err;
-	if (!pass(0x00, fd, sbp->st_size, buf, bsize) || fsync(fd) ||
-	    lseek(fd, (off_t)0, SEEK_SET))
-		goto err;
-	if (!pass(0xff, fd, sbp->st_size, buf, bsize) || fsync(fd))
+	if (fsync(fd))
 		goto err;
 	close(fd);
 	free(buf);
@@ -329,11 +325,11 @@ err:
 }
 
 int
-pass(int val, int fd, off_t len, char *buf, size_t bsize)
+pass(int fd, off_t len, char *buf, size_t bsize)
 {
 	size_t wlen;
 
-	memset(buf, val, bsize);
+	arc4random_buf(buf, bsize);
 	for (; len > 0; len -= wlen) {
 		wlen = len < bsize ? len : bsize;
 		if (write(fd, buf, wlen) != wlen)