Comment by yjftsjthsd-h

8 months ago

> no-preserve-root tries to solve the issue at the wrong layer of the stack and only addresses one way to break the OS. Being special to just / doesn't make sense to me.

I could see that making sense. Maybe a "really important core OS" attribute? (I wouldn't want `rm /bin/sh` to run without forcing either.)

However,

> If a program can break the operating system that is a failure in the operating system's sandboxing or permissions.

Not necessarily. I have on multiple occasions logged into a machine, gotten a root shell, and then told it to wipe its own disks (either by block discard, or just dding over with /dev/null). That is a legitimate use that should work.

> and then told it to wipe its own disks

This can be done via a dedicated factory reset or wipe feature. It doesn't need to be the responsibility of rm.

  • It sounded like you were arguing that no program should be able to do it, which makes it somewhat difficult to implement a wipe feature. (And whatever wipe/reset feature we have needs to be done by some operating system, because a solution that requires adding new features to everything's firmware is a non-starter in practice.)