← Back to context

Comment by messe

8 months ago

> Consider this command:

    # pkg delete -af

> [...]

> What the same "pkg delete -af" command does on a PKGBASE FreeBSD system?

> It kills/destroys almost all of the FreeBSD Base System [...]

> POLA is the principle that made FreeBSD such predictable system. Where is the POLA now?

IMO if you convert the base system to be installed via packages and then force delete all packages, then the principle of least astonishment says that you'll delete most of the base system too.

31 comments

messe

Reply
yjftsjthsd-h  8 months ago

There's an interesting analog to GNU rm having --preserve-root/--no-preserve-root ... Is it more or less surprising for `rm -rf /` to be special? (This isn't meant as advocating one side or the other; I think it's a genuine point of philosophical tension.)

  • throw0101d  8 months ago

    > Is it more or less surprising for `rm -rf /` to be special?

    A few years the POSIX folks declared that the behaviour of `rm -rf /` nuking the entire file system is a bug.

    IIRC, one of the Sun Solaris folks (Cantrill? Gregg? Other?) thought the behaviour was dumb and argued successfully that it should not be work that way. Any implementation that does it is not POSIX-compliant.

    • hulitu  8 months ago

      > A few years the POSIX folks declared that the behaviour of `rm -rf /` nuking the entire file system is a bug.

      Yes. PEBKAC bug. /s

  • inopinatus  8 months ago

    reminds me of that time a colleague (and FreeBSD committer) proposed su --with-wheel-group for gnu coreutils

  • charcircuit  8 months ago

    rm should not have permission to break the operating system. If a program can break the operating system that is a failure in the operating system's sandboxing or permissions. no-preserve-root tries to solve the issue at the wrong layer of the stack and only adresses one way to break the os. Being special to just / doesn't make sense to me.

    • ender341341  8 months ago

      It's treated special cause most shells handle undefined variables as empty strings so `rm -rf "${base_path}/${sub_dir}"` can turn into `rm -rf '/'` and users commonly don't expect that.

      While that case may be simple to catch the writers of gnu rm also recognize that scripts tend to not be well tested and decided "better than it currently is" is better than "we didn't do any mitigations to a common problem cause the solution wasn't perfect".

      8 replies →

    • yjftsjthsd-h  8 months ago

      > no-preserve-root tries to solve the issue at the wrong layer of the stack and only adresses one way to break the os. Being special to just / doesn't make sense to me.

      I could see that making sense. Maybe a "really important core OS" attribute? (I wouldn't want `rm /bin/sh` to run without forcing either.)

      However,

      > If a program can break the operating system that is a failure in the operating system's sandboxing or permissions.

      Not necessarily. I have on multiple occasions logged into a machine, gotten a root shell, and then told it to wipe its own disks (either by block discard, or just dding over with /dev/null). That is a legitimate use that should work.

      2 replies →

    • josefx  8 months ago

      At some point you have to give something the ability to update and modify system components and even then it is extreemely unlikely that deleting everything starting with / is the intended behavior.

      4 replies →

    • hulitu  8 months ago

      > rm should not have permission to break the operating system.

      It doesn't. You must su to root to "achieve" that.

    • serbuvlad  8 months ago

      Why?

      Obviously rm -rf / will only "destroy the operating system" if the user is root and we're in the root namespace. There is nothing stopping you from building a sandboxed OS that never gives your users real root (Android).

      But what'd be the point of that? Users care about their data, not about their OS internals. If the OS blows, that's just an OS reinstall. But if a non-backed-up /home blows, that could be months of work. And any program that can delete a file in /home (as they need to be able to do to allow the user to do everyday work) can also delete all of them.

      1 reply →