Correct a security issue introduced in previous commit:

instead of removing the file and issue a warning about
the removal, do not do any operation at all in case -P
is specified when the dinode has hard links.

With -f and -P specified together, we assume that the
user wants rm to overwrite the contents of the file
and remove it (destroy the contents of file but leave
its hard links as is).

The reason of doing it this way is that, in case where
a hard link is created by a malicious user (currently
this is permitted even if the user has no access to the
file).  Losing the link can potentially mean that the
actual owner would lose control completely to the user
who wants to obtain access in a future day.

Discussed with:	Peter Jermey

1 files changed, 2 insertions, 2 deletions

diff --git a/bin/rm/rm.c b/bin/rm/rm.c
index c311b6e..25a984e 100644
--- a/bin/rm/rm.c
+++ b/bin/rm/rm.c
@@ -400,10 +400,10 @@ rm_overwrite(char *file, struct stat *sbp)
 	}
 	if (!S_ISREG(sbp->st_mode))
 		return (1);
-	if (sbp->st_nlink > 1) {
+	if (sbp->st_nlink > 1 && !fflag) {
 		warnx("%s (inode %u): not overwritten due to multiple links",
 		    file, sbp->st_ino);
-		return (1);
+		return (0);
 	}
 	if ((fd = open(file, O_WRONLY, 0)) == -1)
 		goto err;