Comment by yjftsjthsd-h
8 months ago
There's an interesting analog to GNU rm having --preserve-root/--no-preserve-root ... Is it more or less surprising for `rm -rf /` to be special? (This isn't meant as advocating one side or the other; I think it's a genuine point of philosophical tension.)
Once upon a time I nuked a GNU/Linux installation exactly with that command, due to a finger race between backspace and return keys.
Some "RTFM" for you :)
https://www.zeugmaweb.net/misc/unix/admin-horror.html
> Is it more or less surprising for `rm -rf /` to be special?
A few years the POSIX folks declared that the behaviour of `rm -rf /` nuking the entire file system is a bug.
IIRC, one of the Sun Solaris folks (Cantrill? Gregg? Other?) thought the behaviour was dumb and argued successfully that it should not be work that way. Any implementation that does it is not POSIX-compliant.
> A few years the POSIX folks declared that the behaviour of `rm -rf /` nuking the entire file system is a bug.
Yes. PEBKAC bug. /s
reminds me of that time a colleague (and FreeBSD committer) proposed su --with-wheel-group for gnu coreutils
rm should not have permission to break the operating system. If a program can break the operating system that is a failure in the operating system's sandboxing or permissions. no-preserve-root tries to solve the issue at the wrong layer of the stack and only adresses one way to break the os. Being special to just / doesn't make sense to me.
It's treated special cause most shells handle undefined variables as empty strings so `rm -rf "${base_path}/${sub_dir}"` can turn into `rm -rf '/'` and users commonly don't expect that.
While that case may be simple to catch the writers of gnu rm also recognize that scripts tend to not be well tested and decided "better than it currently is" is better than "we didn't do any mitigations to a common problem cause the solution wasn't perfect".
I think a valid interpretation of GPs point could be that top-level folders should have special properties so that they're not at risk of a bad rm, e.g. xattr "unchangeable" flags.
The fact that you can accidentally nuke the system seems a remnant from the olden days which we should have corrected a long time ago.
(I think GNU did a valid mitigation with preserve-root, just musing philosophically.)
6 replies →
Ah, the beauties of the POSIX shell.
> no-preserve-root tries to solve the issue at the wrong layer of the stack and only adresses one way to break the os. Being special to just / doesn't make sense to me.
I could see that making sense. Maybe a "really important core OS" attribute? (I wouldn't want `rm /bin/sh` to run without forcing either.)
However,
> If a program can break the operating system that is a failure in the operating system's sandboxing or permissions.
Not necessarily. I have on multiple occasions logged into a machine, gotten a root shell, and then told it to wipe its own disks (either by block discard, or just dding over with /dev/null). That is a legitimate use that should work.
>and then told it to wipe its own disks
This can be done via a dedicated factory reset or wipe feature. It doesn't need to be the responsibility of rm.
1 reply →
At some point you have to give something the ability to update and modify system components and even then it is extreemely unlikely that deleting everything starting with / is the intended behavior.
An EXTRA flag to rm could be required in order for it to be able to modify fundamental os files. This would eliminate nearly all accidents.
2 replies →
I agree, but rm doesn't have to be the thing to modify system files.
> rm should not have permission to break the operating system.
It doesn't. You must su to root to "achieve" that.
Why?
Obviously rm -rf / will only "destroy the operating system" if the user is root and we're in the root namespace. There is nothing stopping you from building a sandboxed OS that never gives your users real root (Android).
But what'd be the point of that? Users care about their data, not about their OS internals. If the OS blows, that's just an OS reinstall. But if a non-backed-up /home blows, that could be months of work. And any program that can delete a file in /home (as they need to be able to do to allow the user to do everyday work) can also delete all of them.
>not about their OS internals
Yes, they do. Users definitely care about their system being able to properly boot and work correctly. It's unnaceptable how Linux distros make you use a live usb to go in and fix them instead of having a built in way to the OS for it to recover from bad things happening.