[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

11. Basic operations

This chapter describes the commands for basic file manipulation: copying, moving (renaming), and deleting (removing).


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

11.1 cp: Copy files and directories

cp copies files (or, optionally, directories). The copy is completely independent of the original. You can either copy one file to another, or copy arbitrarily many files to a destination directory. Synopses:

 
cp [option]… [-T] source dest
cp [option]… sourcedirectory
cp [option]… -t directory source

Generally, files are written just as they are read. For exceptions, see the `--sparse' option below.

By default, cp does not copy directories. However, the `-R', `-a', and `-r' options cause cp to copy recursively by descending into source directories and copying files to corresponding destination directories.

When copying from a symbolic link, cp normally follows the link only when not copying recursively. This default can be overridden with the `--archive' (`-a'), `-d', `--dereference' (`-L'), `--no-dereference' (`-P'), and `-H' options. If more than one of these options is specified, the last one silently overrides the others.

When copying to a symbolic link, cp follows the link only when it refers to an existing regular file. However, when copying to a dangling symbolic link, cp refuses by default, and fails with a diagnostic, since the operation is inherently dangerous. This behavior is contrary to historical practice and to POSIX. Set POSIXLY_CORRECT to make cp attempt to create the target of a dangling destination symlink, in spite of the possible risk. Also, when an option like `--backup' or `--link' acts to rename or remove the destination before copying, cp renames or removes the symbolic link rather than the file it points to.

By default, cp copies the contents of special files only when not copying recursively. This default can be overridden with the `--copy-contents' option.

cp generally refuses to copy a file onto itself, with the following exception: if `--force --backup' is specified with source and dest identical, and referring to a regular file, cp will make a backup file, either regular or numbered, as specified in the usual ways (see section Backup options). This is useful when you simply want to make a backup of an existing file before changing it.

The program accepts the following options. Also see Common options.

`-a'
`--archive'

Preserve as much as possible of the structure and attributes of the original files in the copy (but do not attempt to preserve internal directory structure; i.e., `ls -U' may list the entries in a copied directory in a different order). Try to preserve SELinux security context and extended attributes (xattr), but ignore any failure to do that and print no corresponding diagnostic. Equivalent to `-dR --preserve=all' with the reduced diagnostics.

`-b'
`--backup[=method]'

See section Backup options. Make a backup of each file that would otherwise be overwritten or removed. As a special case, cp makes a backup of source when the force and backup options are given and source and dest are the same name for an existing, regular file. One useful application of this combination of options is this tiny Bourne shell script:

 
#!/bin/sh
# Usage: backup FILE...
# Create a GNU-style backup of each listed FILE.
for i; do
  cp --backup --force -- "$i" "$i"
done
`--copy-contents'

If copying recursively, copy the contents of any special files (e.g., FIFOs and device files) as if they were regular files. This means trying to read the data in each source file and writing it to the destination. It is usually a mistake to use this option, as it normally has undesirable effects on special files like FIFOs and the ones typically found in the `/dev' directory. In most cases, cp -R --copy-contents will hang indefinitely trying to read from FIFOs and special files like `/dev/console', and it will fill up your destination disk if you use it to copy `/dev/zero'. This option has no effect unless copying recursively, and it does not affect the copying of symbolic links.

`-d'

Copy symbolic links as symbolic links rather than copying the files that they point to, and preserve hard links between source files in the copies. Equivalent to `--no-dereference --preserve=links'.

`-f'
`--force'

When copying without this option and an existing destination file cannot be opened for writing, the copy fails. However, with `--force'), when a destination file cannot be opened, cp then removes it and tries to open it again. Contrast this behavior with that enabled by `--link' and `--symbolic-link', whereby the destination file is never opened but rather is removed unconditionally. Also see the description of `--remove-destination'.

This option is independent of the `--interactive' or `-i' option: neither cancels the effect of the other.

This option is redundant if the `--no-clobber' or `-n' option is used.

`-H'

If a command line argument specifies a symbolic link, then copy the file it points to rather than the symbolic link itself. However, copy (preserving its nature) any symbolic link that is encountered via recursive traversal.

`-i'
`--interactive'

When copying a file other than a directory, prompt whether to overwrite an existing destination file. The `-i' option overrides a previous `-n' option.

`-l'
`--link'

Make hard links instead of copies of non-directories.

`-L'
`--dereference'

Follow symbolic links when copying from them. With this option, cp cannot create a symbolic link. For example, a symlink (to regular file) in the source tree will be copied to a regular file in the destination tree.

`-n'
`--no-clobber'

Do not overwrite an existing file. The `-n' option overrides a previous `-i' option. This option is mutually exclusive with `-b' or `--backup' option.

`-P'
`--no-dereference'

Copy symbolic links as symbolic links rather than copying the files that they point to. This option affects only symbolic links in the source; symbolic links in the destination are always followed if possible.

`-p'
`--preserve[=attribute_list]'

Preserve the specified attributes of the original files. If specified, the attribute_list must be a comma-separated list of one or more of the following strings:

`mode'

Preserve the file mode bits and access control lists.

`ownership'

Preserve the owner and group. On most modern systems, only users with appropriate privileges may change the owner of a file, and ordinary users may preserve the group ownership of a file only if they happen to be a member of the desired group.

`timestamps'

Preserve the times of last access and last modification, when possible. On older systems, it is not possible to preserve these attributes when the affected file is a symbolic link. However, many systems now provide the utimensat function, which makes it possible even for symbolic links.

`links'

Preserve in the destination files any links between corresponding source files. Note that with `-L' or `-H', this option can convert symbolic links to hard links. For example,

 
$ mkdir c; : > a; ln -s a b; cp -aH a b c; ls -i1 c
74161745 a
74161745 b

Note the inputs: `b' is a symlink to regular file `a', yet the files in destination directory, `c/', are hard-linked. Since `-a' implies `--preserve=links', and since `-H' tells cp to dereference command line arguments, it sees two files with the same inode number, and preserves the perceived hard link.

Here is a similar example that exercises cp's `-L' option:

 
$ mkdir b c; (cd b; : > a; ln -s a b); cp -aL b c; ls -i1 c/b
74163295 a
74163295 b
`context'

Preserve SELinux security context of the file. cp will fail if the preserving of SELinux security context is not succesful.

`xattr'

Preserve extended attributes if cp is built with xattr support, and xattrs are supported and enabled on your file system. If SELinux context and/or ACLs are implemented using xattrs, they are preserved by this option as well.

`all'

Preserve all file attributes. Equivalent to specifying all of the above, but with the difference that failure to preserve SELinux security context or extended attributes does not change cp's exit status. cp does diagnose such failures.

Using `--preserve' with no attribute_list is equivalent to `--preserve=mode,ownership,timestamps'.

In the absence of this option, each destination file is created with the mode bits of the corresponding source file, minus the bits set in the umask and minus the set-user-ID and set-group-ID bits. See section File permissions.

`--no-preserve=attribute_list'

Do not preserve the specified attributes. The attribute_list has the same form as for `--preserve'.

`--parents'

Form the name of each destination file by appending to the target directory a slash and the specified name of the source file. The last argument given to cp must be the name of an existing directory. For example, the command:

 
cp --parents a/b/c existing_dir

copies the file `a/b/c' to `existing_dir/a/b/c', creating any missing intermediate directories.

`-R'
`-r'
`--recursive'

Copy directories recursively. By default, do not follow symbolic links in the source; see the `--archive' (`-a'), `-d', `--dereference' (`-L'), `--no-dereference' (`-P'), and `-H' options. Special files are copied by creating a destination file of the same type as the source; see the `--copy-contents' option. It is not portable to use `-r' to copy symbolic links or special files. On some non-GNU systems, `-r' implies the equivalent of `-L' and `--copy-contents' for historical reasons. Also, it is not portable to use `-R' to copy symbolic links unless you also specify `-P', as POSIX allows implementations that dereference symbolic links by default.

`--reflink[=when]'

Perform a lightweight, copy-on-write (COW) copy. Copying with this option can succeed only on some file systems. Once it has succeeded, beware that the source and destination files share the same disk data blocks as long as they remain unmodified. Thus, if a disk I/O error affects data blocks of one of the files, the other suffers the exact same fate.

The when value can be one of the following:

`always'

The default behavior: if the copy-on-write operation is not supported then report the failure for each file and exit with a failure status.

`auto'

If the copy-on-write operation is not supported then fall back to the standard copy behaviour.

`--remove-destination'

Remove each existing destination file before attempting to open it (contrast with `-f' above).

`--sparse=when'

A sparse file contains holes--a sequence of zero bytes that does not occupy any physical disk blocks; the `read' system call reads these as zeros. This can both save considerable disk space and increase speed, since many binary files contain lots of consecutive zero bytes. By default, cp detects holes in input source files via a crude heuristic and makes the corresponding output file sparse as well. Only regular files may be sparse.

The when value can be one of the following:

`auto'

The default behavior: if the input file is sparse, attempt to make the output file sparse, too. However, if an output file exists but refers to a non-regular file, then do not attempt to make it sparse.

`always'

For each sufficiently long sequence of zero bytes in the input file, attempt to create a corresponding hole in the output file, even if the input file does not appear to be sparse. This is useful when the input file resides on a file system that does not support sparse files (for example, `efs' file systems in SGI IRIX 5.3 and earlier), but the output file is on a type of file system that does support them. Holes may be created only in regular files, so if the destination file is of some other type, cp does not even try to make it sparse.

`never'

Never make the output file sparse. This is useful in creating a file for use with the mkswap command, since such a file must not have any holes.

`--strip-trailing-slashes'

Remove any trailing slashes from each source argument. See section Trailing slashes.

`-s'
`--symbolic-link'

Make symbolic links instead of copies of non-directories. All source file names must be absolute (starting with `/') unless the destination files are in the current directory. This option merely results in an error message on systems that do not support symbolic links.

`-S suffix'
`--suffix=suffix'

Append suffix to each backup file made with `-b'. See section Backup options.

`-t directory'
`--target-directory=directory'

Specify the destination directory. See section Target directory.

`-T'
`--no-target-directory'

Do not treat the last operand specially when it is a directory or a symbolic link to a directory. See section Target directory.

`-u'
`--update'

Do not copy a non-directory that has an existing destination with the same or newer modification time. If time stamps are being preserved, the comparison is to the source time stamp truncated to the resolutions of the destination file system and of the system calls used to update time stamps; this avoids duplicate work if several `cp -pu' commands are executed with the same source and destination.

`-v'
`--verbose'

Print the name of each file before copying it.

`-x'
`--one-file-system'

Skip subdirectories that are on different file systems from the one that the copy started on. However, mount point directories are copied.

An exit status of zero indicates success, and a nonzero value indicates failure.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

11.2 dd: Convert and copy a file

dd copies a file (from standard input to standard output, by default) with a changeable I/O block size, while optionally performing conversions on it. Synopses:

 
dd [operand]…
dd option

The only options are `--help' and `--version'. See section Common options. dd accepts the following operands.

`if=file'

Read from file instead of standard input.

`of=file'

Write to file instead of standard output. Unless `conv=notrunc' is given, dd truncates file to zero bytes (or the size specified with `seek=').

`ibs=bytes'

Set the input block size to bytes. This makes dd read bytes per block. The default is 512 bytes.

`obs=bytes'

Set the output block size to bytes. This makes dd write bytes per block. The default is 512 bytes.

`bs=bytes'

Set both input and output block sizes to bytes. This makes dd read and write bytes per block, overriding any `ibs' and `obs' settings. In addition, if no data-transforming `conv' option is specified, each input block is copied to the output as a single block, without aggregating short reads.

`cbs=bytes'

Set the conversion block size to bytes. When converting variable-length records to fixed-length ones (`conv=block') or the reverse (`conv=unblock'), use bytes as the fixed record length.

`skip=blocks'

Skip blocks `ibs'-byte blocks in the input file before copying.

`seek=blocks'

Skip blocks `obs'-byte blocks in the output file before copying.

`count=blocks'

Copy blocks `ibs'-byte blocks from the input file, instead of everything until the end of the file.

`status=noxfer'

Do not print the overall transfer rate and volume statistics that normally make up the third status line when dd exits.

`conv=conversion[,conversion]…'

Convert the file as specified by the conversion argument(s). (No spaces around any comma(s).)

Conversions:

`ascii'

Convert EBCDIC to ASCII, using the conversion table specified by POSIX. This provides a 1:1 translation for all 256 bytes.

`ebcdic'

Convert ASCII to EBCDIC. This is the inverse of the `ascii' conversion.

`ibm'

Convert ASCII to alternate EBCDIC, using the alternate conversion table specified by POSIX. This is not a 1:1 translation, but reflects common historical practice for `~', `[', and `]'.

The `ascii', `ebcdic', and `ibm' conversions are mutually exclusive.

`block'

For each line in the input, output `cbs' bytes, replacing the input newline with a space and padding with spaces as necessary.

`unblock'

Remove any trailing spaces in each `cbs'-sized input block, and append a newline.

The `block' and `unblock' conversions are mutually exclusive.

`lcase'

Change uppercase letters to lowercase.

`ucase'

Change lowercase letters to uppercase.

The `lcase' and `ucase' conversions are mutually exclusive.

`swab'

Swap every pair of input bytes. GNU dd, unlike others, works when an odd number of bytes are read--the last byte is simply copied (since there is nothing to swap it with).

`noerror'

Continue after read errors.

`nocreat'

Do not create the output file; the output file must already exist.

`excl'

Fail if the output file already exists; dd must create the output file itself.

The `excl' and `nocreat' conversions are mutually exclusive.

`notrunc'

Do not truncate the output file.

`sync'

Pad every input block to size of `ibs' with trailing zero bytes. When used with `block' or `unblock', pad with spaces instead of zero bytes.

`fdatasync'

Synchronize output data just before finishing. This forces a physical write of output data.

`fsync'

Synchronize output data and metadata just before finishing. This forces a physical write of output data and metadata.

`iflag=flag[,flag]…'

Access the input file using the flags specified by the flag argument(s). (No spaces around any comma(s).)

`oflag=flag[,flag]…'

Access the output file using the flags specified by the flag argument(s). (No spaces around any comma(s).)

Here are the flags. Not every flag is supported on every operating system.

`append'

Write in append mode, so that even if some other process is writing to this file, every dd write will append to the current contents of the file. This flag makes sense only for output. If you combine this flag with the `of=file' operand, you should also specify `conv=notrunc' unless you want the output file to be truncated before being appended to.

`cio'

Use concurrent I/O mode for data. This mode performs direct I/O and drops the POSIX requirement to serialize all I/O to the same file. A file cannot be opened in CIO mode and with a standard open at the same time.

`direct'

Use direct I/O for data, avoiding the buffer cache. Note that the kernel may impose restrictions on read or write buffer sizes. For example, with an ext4 destination file system and a linux-based kernel, using `oflag=direct' will cause writes to fail with EINVAL if the output buffer size is not a multiple of 512.

`directory'

Fail unless the file is a directory. Most operating systems do not allow I/O to a directory, so this flag has limited utility.

`dsync'

Use synchronized I/O for data. For the output file, this forces a physical write of output data on each write. For the input file, this flag can matter when reading from a remote file that has been written to synchronously by some other process. Metadata (e.g., last-access and last-modified time) is not necessarily synchronized.

`sync'

Use synchronized I/O for both data and metadata.

`nonblock'

Use non-blocking I/O.

`noatime'

Do not update the file's access time. Some older file systems silently ignore this flag, so it is a good idea to test it on your files before relying on it.

`noctty'

Do not assign the file to be a controlling terminal for dd. This has no effect when the file is not a terminal. On many hosts (e.g., GNU/Linux hosts), this option has no effect at all.

`nofollow'

Do not follow symbolic links.

`nolinks'

Fail if the file has multiple hard links.

`binary'

Use binary I/O. This option has an effect only on nonstandard platforms that distinguish binary from text I/O.

`text'

Use text I/O. Like `binary', this option has no effect on standard platforms.

`fullblock'

Accumulate full blocks from input. The read system call may return early if a full block is not available. When that happens, continue calling read to fill the remainder of the block. This flag can be used only with iflag.

These flags are not supported on all systems, and `dd' rejects attempts to use them when they are not supported. When reading from standard input or writing to standard output, the `nofollow' and `noctty' flags should not be specified, and the other flags (e.g., `nonblock') can affect how other processes behave with the affected file descriptors, even after dd exits.

The numeric-valued strings above (bytes and blocks) can be followed by a multiplier: `b'=512, `c'=1, `w'=2, `xm'=m, or any of the standard block size suffixes like `k'=1024 (see section Block size).

Use different dd invocations to use different block sizes for skipping and I/O. For example, the following shell commands copy data in 512 KiB blocks between a disk and a tape, but do not save or restore a 4 KiB label at the start of the disk:

 
disk=/dev/rdsk/c0t1d0s2
tape=/dev/rmt/0

# Copy all but the label from disk to tape.
(dd bs=4k skip=1 count=0 && dd bs=512k) <$disk >$tape

# Copy from tape back to disk, but leave the disk label alone.
(dd bs=4k seek=1 count=0 && dd bs=512k) <$tape >$disk

Sending an `INFO' signal to a running dd process makes it print I/O statistics to standard error and then resume copying. In the example below, dd is run in the background to copy 10 million blocks. The kill command makes it output intermediate I/O statistics, and when dd completes normally or is killed by the SIGINT signal, it outputs the final statistics.

 
$ dd if=/dev/zero of=/dev/null count=10MB & pid=$!
$ kill -s INFO $pid; wait $pid
3385223+0 records in
3385223+0 records out
1733234176 bytes (1.7 GB) copied, 6.42173 seconds, 270 MB/s
10000000+0 records in
10000000+0 records out
5120000000 bytes (5.1 GB) copied, 18.913 seconds, 271 MB/s

On systems lacking the `INFO' signal dd responds to the `USR1' signal instead, unless the POSIXLY_CORRECT environment variable is set.

An exit status of zero indicates success, and a nonzero value indicates failure.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

11.3 install: Copy files and set attributes

install copies files while setting their file mode bits and, if possible, their owner and group. Synopses:

 
install [option]… [-T] source dest
install [option]… sourcedirectory
install [option]… -t directory source…
install [option]… -d directory

install is similar to cp, but allows you to control the attributes of destination files. It is typically used in Makefiles to copy programs into their destination directories. It refuses to copy files onto themselves.

install never preserves extended attributes (xattr).

The program accepts the following options. Also see Common options.

`-b'
`--backup[=method]'

See section Backup options. Make a backup of each file that would otherwise be overwritten or removed.

`-C'
`--compare'

Compare each pair of source and destination files, and if the destination has identical content and any specified owner, group, permissions, and possibly SELinux context, then do not modify the destination at all.

`-c'

Ignored; for compatibility with old Unix versions of install.

`-D'

Create any missing parent directories of dest, then copy source to dest. This option is ignored if a destination directory is specified via `--target-directory=DIR'.

`-d'
`--directory'

Create any missing parent directories, giving them the default attributes. Then create each given directory, setting their owner, group and mode as given on the command line or to the defaults.

`-g group'
`--group=group'

Set the group ownership of installed files or directories to group. The default is the process's current group. group may be either a group name or a numeric group ID.

`-m mode'
`--mode=mode'

Set the file mode bits for the installed file or directory to mode, which can be either an octal number, or a symbolic mode as in chmod, with `a=' (no access allowed to anyone) as the point of departure (see section File permissions). The default mode is `u=rwx,go=rx,a-s'--read, write, and execute for the owner, read and execute for group and other, and with set-user-ID and set-group-ID disabled. This default is not quite the same as `755', since it disables instead of preserving set-user-ID and set-group-ID on directories. See section Directories and the Set-User-ID and Set-Group-ID Bits.

`-o owner'
`--owner=owner'

If install has appropriate privileges (is run as root), set the ownership of installed files or directories to owner. The default is root. owner may be either a user name or a numeric user ID.

`--preserve-context'

Preserve the SELinux security context of files and directories. Failure to preserve the context in all of the files or directories will result in an exit status of 1. If SELinux is disabled then print a warning and ignore the option.

`-p'
`--preserve-timestamps'

Set the time of last access and the time of last modification of each installed file to match those of each corresponding original file. When a file is installed without this option, its last access and last modification times are both set to the time of installation. This option is useful if you want to use the last modification times of installed files to keep track of when they were last built as opposed to when they were last installed.

`-s'
`--strip'

Strip the symbol tables from installed binary executables.

`--strip-program=program'

Program used to strip binaries.

`-S suffix'
`--suffix=suffix'

Append suffix to each backup file made with `-b'. See section Backup options.

`-t directory'
`--target-directory=directory'

Specify the destination directory. See section Target directory.

`-T'
`--no-target-directory'

Do not treat the last operand specially when it is a directory or a symbolic link to a directory. See section Target directory.

`-v'
`--verbose'

Print the name of each file before copying it.

`-Z context'
`--context=context'

Set the default SELinux security context to be used for any created files and directories. If SELinux is disabled then print a warning and ignore the option.

An exit status of zero indicates success, and a nonzero value indicates failure.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

11.4 mv: Move (rename) files

mv moves or renames files (or directories). Synopses:

 
mv [option]… [-T] source dest
mv [option]… sourcedirectory
mv [option]… -t directory source

mv can move any type of file from one file system to another. Prior to version 4.0 of the fileutils, mv could move only regular files between file systems. For example, now mv can move an entire directory hierarchy including special device files from one partition to another. It first uses some of the same code that's used by cp -a to copy the requested directories and files, then (assuming the copy succeeded) it removes the originals. If the copy fails, then the part that was copied to the destination partition is removed. If you were to copy three directories from one partition to another and the copy of the first directory succeeded, but the second didn't, the first would be left on the destination partition and the second and third would be left on the original partition.

mv always tries to copy extended attributes (xattr).

If a destination file exists but is normally unwritable, standard input is a terminal, and the `-f' or `--force' option is not given, mv prompts the user for whether to replace the file. (You might own the file, or have write permission on its directory.) If the response is not affirmative, the file is skipped.

Warning: Avoid specifying a source name with a trailing slash, when it might be a symlink to a directory. Otherwise, mv may do something very surprising, since its behavior depends on the underlying rename system call. On a system with a modern Linux-based kernel, it fails with errno=ENOTDIR. However, on other systems (at least FreeBSD 6.1 and Solaris 10) it silently renames not the symlink but rather the directory referenced by the symlink. See section Trailing slashes.

The program accepts the following options. Also see Common options.

`-b'
`--backup[=method]'

See section Backup options. Make a backup of each file that would otherwise be overwritten or removed.

`-f'
`--force'

Do not prompt the user before removing a destination file. If you specify more than one of the `-i', `-f', `-n' options, only the final one takes effect.

`-i'
`--interactive'

Prompt whether to overwrite each existing destination file, regardless of its permissions. If the response is not affirmative, the file is skipped. If you specify more than one of the `-i', `-f', `-n' options, only the final one takes effect.

`-n'
`--no-clobber'

Do not overwrite an existing file. If you specify more than one of the `-i', `-f', `-n' options, only the final one takes effect. This option is mutually exclusive with `-b' or `--backup' option.

`-u'
`--update'

Do not move a non-directory that has an existing destination with the same or newer modification time. If the move is across file system boundaries, the comparison is to the source time stamp truncated to the resolutions of the destination file system and of the system calls used to update time stamps; this avoids duplicate work if several `mv -u' commands are executed with the same source and destination.

`-v'
`--verbose'

Print the name of each file before moving it.

`--strip-trailing-slashes'

Remove any trailing slashes from each source argument. See section Trailing slashes.

`-S suffix'
`--suffix=suffix'

Append suffix to each backup file made with `-b'. See section Backup options.

`-t directory'
`--target-directory=directory'

Specify the destination directory. See section Target directory.

`-T'
`--no-target-directory'

Do not treat the last operand specially when it is a directory or a symbolic link to a directory. See section Target directory.

An exit status of zero indicates success, and a nonzero value indicates failure.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

11.5 rm: Remove files or directories

rm removes each given file. By default, it does not remove directories. Synopsis:

 
rm [option]… [file]…

If the `-I' or `--interactive=once' option is given, and there are more than three files or the `-r', `-R', or `--recursive' are given, then rm prompts the user for whether to proceed with the entire operation. If the response is not affirmative, the entire command is aborted.

Otherwise, if a file is unwritable, standard input is a terminal, and the `-f' or `--force' option is not given, or the `-i' or `--interactive=always' option is given, rm prompts the user for whether to remove the file. If the response is not affirmative, the file is skipped.

Any attempt to remove a file whose last file name component is `.' or `..' is rejected without any prompting.

Warning: If you use rm to remove a file, it is usually possible to recover the contents of that file. If you want more assurance that the contents are truly unrecoverable, consider using shred.

The program accepts the following options. Also see Common options.

`-f'
`--force'

Ignore nonexistent files and never prompt the user. Ignore any previous `--interactive' (`-i') option.

`-i'

Prompt whether to remove each file. If the response is not affirmative, the file is skipped. Ignore any previous `--force' (`-f') option. Equivalent to `--interactive=always'.

`-I'

Prompt once whether to proceed with the command, if more than three files are named or if a recursive removal is requested. Ignore any previous `--force' (`-f') option. Equivalent to `--interactive=once'.

`--interactive [=when]'

Specify when to issue an interactive prompt. when may be omitted, or one of:

`--interactive' with no when is equivalent to `--interactive=always'.

`--one-file-system'

When removing a hierarchy recursively, skip any directory that is on a file system different from that of the corresponding command line argument.

This option is useful when removing a build "chroot" hierarchy, which normally contains no valuable data. However, it is not uncommon to bind-mount `/home' into such a hierarchy, to make it easier to use one's start-up file. The catch is that it's easy to forget to unmount `/home'. Then, when you use rm -rf to remove your normally throw-away chroot, that command will remove everything under `/home', too. Use the `--one-file-system' option, and it will warn about and skip directories on other file systems. Of course, this will not save your `/home' if it and your chroot happen to be on the same file system.

`--preserve-root'

Fail upon any attempt to remove the root directory, `/', when used with the `--recursive' option. This is the default behavior. See section Treating `/' specially.

`--no-preserve-root'

Do not treat `/' specially when removing recursively. This option is not recommended unless you really want to remove all the files on your computer. See section Treating `/' specially.

`-r'
`-R'
`--recursive'

Remove the listed directories and their contents recursively.

`-v'
`--verbose'

Print the name of each file before removing it.

One common question is how to remove files whose names begin with a `-'. GNU rm, like every program that uses the getopt function to parse its arguments, lets you use the `--' option to indicate that all following arguments are non-options. To remove a file called `-f' in the current directory, you could type either:

 
rm -- -f

or:

 
rm ./-f

The Unix rm program's use of a single `-' for this purpose predates the development of the getopt standard syntax.

An exit status of zero indicates success, and a nonzero value indicates failure.


[ < ] [ > ]   [ << ] [ Up ] [ >> ]         [Top] [Contents] [Index] [ ? ]

11.6 shred: Remove files more securely

shred overwrites devices or files, to help prevent even very expensive hardware from recovering the data.

Ordinarily when you remove a file (see section rm: Remove files or directories), the data is not actually destroyed. Only the index listing where the file is stored is destroyed, and the storage is made available for reuse. There are undelete utilities that will attempt to reconstruct the index and can bring the file back if the parts were not reused.

On a busy system with a nearly-full drive, space can get reused in a few seconds. But there is no way to know for sure. If you have sensitive data, you may want to be sure that recovery is not possible by actually overwriting the file with non-sensitive data.

However, even after doing that, it is possible to take the disk back to a laboratory and use a lot of sensitive (and expensive) equipment to look for the faint "echoes" of the original data underneath the overwritten data. If the data has only been overwritten once, it's not even that hard.

The best way to remove something irretrievably is to destroy the media it's on with acid, melt it down, or the like. For cheap removable media like floppy disks, this is the preferred method. However, hard drives are expensive and hard to melt, so the shred utility tries to achieve a similar effect non-destructively.

This uses many overwrite passes, with the data patterns chosen to maximize the damage they do to the old data. While this will work on floppies, the patterns are designed for best effect on hard drives. For more details, see the source code and Peter Gutmann's paper Secure Deletion of Data from Magnetic and Solid-State Memory, from the proceedings of the Sixth USENIX Security Symposium (San Jose, California, July 22-25, 1996).

Please note that shred relies on a very important assumption: that the file system overwrites data in place. This is the traditional way to do things, but many modern file system designs do not satisfy this assumption. Exceptions include:

In the particular case of ext3 file systems, the above disclaimer applies (and shred is thus of limited effectiveness) only in data=journal mode, which journals file data in addition to just metadata. In both the data=ordered (default) and data=writeback modes, shred works as usual. Ext3 journaling modes can be changed by adding the data=something option to the mount options for a particular file system in the `/etc/fstab' file, as documented in the mount man page (man mount).

If you are not sure how your file system operates, then you should assume that it does not overwrite data in place, which means that shred cannot reliably operate on regular files in your file system.

Generally speaking, it is more reliable to shred a device than a file, since this bypasses the problem of file system design mentioned above. However, even shredding devices is not always completely reliable. For example, most disks map out bad sectors invisibly to the application; if the bad sectors contain sensitive data, shred won't be able to destroy it.

shred makes no attempt to detect or report this problem, just as it makes no attempt to do anything about backups. However, since it is more reliable to shred devices than files, shred by default does not truncate or remove the output file. This default is more suitable for devices, which typically cannot be truncated and should not be removed.

Finally, consider the risk of backups and mirrors. File system backups and remote mirrors may contain copies of the file that cannot be removed, and that will allow a shredded file to be recovered later. So if you keep any data you may later want to destroy using shred, be sure that it is not backed up or mirrored.

 
shred [option]… file[…]

The program accepts the following options. Also see Common options.

`-f'
`--force'

Override file permissions if necessary to allow overwriting.

`-number'
`-n number'
`--iterations=number'

By default, shred uses 3 passes of overwrite. You can reduce this to save time, or increase it if you think it's appropriate. After 25 passes all of the internal overwrite patterns will have been used at least once.

`--random-source=file'

Use file as a source of random data used to overwrite and to choose pass ordering. See section Sources of random data.

`-s bytes'
`--size=bytes'

Shred the first bytes bytes of the file. The default is to shred the whole file. bytes can be followed by a size specification like `K', `M', or `G' to specify a multiple. See section Block size.

`-u'
`--remove'

After shredding a file, truncate it (if possible) and then remove it. If a file has multiple links, only the named links will be removed.

`-v'
`--verbose'

Display to standard error all status updates as sterilization proceeds.

`-x'
`--exact'

By default, shred rounds the size of a regular file up to the next multiple of the file system block size to fully erase the last block of the file. Use `--exact' to suppress that behavior. Thus, by default if you shred a 10-byte regular file on a system with 512-byte blocks, the resulting file will be 512 bytes long. With this option, shred does not increase the apparent size of the file.

`-z'
`--zero'

Normally, the last pass that shred writes is made up of random data. If this would be conspicuous on your hard drive (for example, because it looks like encrypted data), or you just think it's tidier, the `--zero' option adds an additional overwrite pass with all zero bits. This is in addition to the number of passes specified by the `--iterations' option.

You might use the following command to erase all trace of the file system you'd created on the floppy disk in your first drive. That command takes about 20 minutes to erase a "1.44MB" (actually 1440 KiB) floppy.

 
shred --verbose /dev/fd0

Similarly, to erase all data on a selected partition of your hard disk, you could give a command like this:

 
shred --verbose /dev/sda5

A file of `-' denotes standard output. The intended use of this is to shred a removed temporary file. For example:

 
i=`tempfile -m 0600`
exec 3<>"$i"
rm -- "$i"
echo "Hello, world" >&3
shred - >&3
exec 3>-

However, the command `shred - >file' does not shred the contents of file, since the shell truncates file before invoking shred. Use the command `shred file' or (if using a Bourne-compatible shell) the command `shred - 1<>file' instead.

An exit status of zero indicates success, and a nonzero value indicates failure.


[ << ] [ >> ]           [Top] [Contents] [Index] [ ? ]

This document was generated on January, 20 2010 using texi2html 1.76.