Date:      Sat, 2 Oct 2004 11:23:52 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-hackers@freebsd.org
Cc:        Giorgos Keramidas <keramida@freebsd.org>
Subject:   Re: Protection from the dreaded "rm -fr /"
Message-ID:  <200410021123.59811.max@love2party.net>
In-Reply-To: <20041002081928.GA21439@gothmog.gr>
References:  <20041002081928.GA21439@gothmog.gr>

[ Sorry to be so negative ... ]

At the very least you should consider erroring out silently, as POSIX requires "-f"
to be silent. Other than that you should really look into the standards and
what they say about rm and friends.

I am not a fan of providing seat belts like this. People concerned about this
can "alias rm 'rm -i'" etc. etc. Others have commented like this ...

If you still have to make this change, make it tuneable with an environment
variable (and make it default to off).

On Saturday 02 October 2004 10:19, Giorgos Keramidas wrote:
> John Beck, who works for Sun, has posted an entry in his blog yesterday
> about "rm -fr /" protection, which I liked a lot:
> http://blogs.sun.com/roller/page/jbeck/20041001#rm_rf_protection
>
> His idea was remarkably simple, so I went ahead and wrote this patch for
> rm(1) of FreeBSD:
>
> %%%
> Index: rm.c
> ===================================================================
> RCS file: /home/ncvs/src/bin/rm/rm.c,v
> retrieving revision 1.47
> diff -u -r1.47 rm.c
> --- rm.c 6 Apr 2004 20:06:50 -0000 1.47
> +++ rm.c 2 Oct 2004 08:06:21 -0000
> @@ -157,6 +157,7 @@
>  void
>  rm_tree(char **argv)
>  {
> + char **argv_tmp;
>   FTS *fts;
>   FTSENT *p;
>   int needstat;
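Review bot: the added `argv_tmp` pointer is only needed because the walk below advances a pointer through the list; since that walk never modifies the entries, indexing the existing parameter (`for (i = 0; argv[i] != NULL; i++)`) would do the same job without introducing a new variable in `rm_tree()`.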
> @@ -164,6 +165,17 @@
>   int rval;
>
>   /*
> +  * If one of the members of argv[] is the root directory abort the
> +  * entire operation.
> +  */
> + argv_tmp = argv;
> + while (*argv_tmp != NULL) {
> +  if (strcmp(*argv_tmp, "/") == 0)
> +   errx(1, "rm of / is not allowed");
> +  argv_tmp++;
> + }
> +
> + /*
>    * Remove a file hierarchy.  If forcing removal (-f), or interactive
>    * (-i) or can't ask anyway (stdin_ok), don't stat the file.
>    */
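Review bot: the `strcmp(*argv_tmp, "/") == 0` test only matches the literal two-character string, so other spellings of the same directory (`//`, `/.`) pass the guard; if the check is meant to be reliable, compare the argument's `st_dev`/`st_ino` from stat(2) with those of `/` (or canonicalise it with realpath(3)) instead of comparing bytes. `errx(1, ...)` also prints unconditionally, while `rm -f` is specified to be silent about errors, so the message should be suppressed when `fflag` is set. Finally, the message here reads `rm of / is not allowed`, but the test transcript below shows `rm: recursive rm of / is not allowed`, so the hunk posted is not the one that produced the test output.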
> %%%
>
> To test it, I used a minimal chroot with /bin, /lib and /libexec copied
> over from my real / partition:
>
>     # mkdir -p /tmp/chroot/bin ; cp -Rp /lib /libexec /tmp/chroot
>     # cp /bin/sh /bin/ls /tmp/chroot/bin
>     # cp /a/freebsd/src/bin/rm/rm /tmp/chroot/bin
>     # env PS1='chroot# ' chroot /tmp/chroot /bin/sh
>     chroot# rm -fr /
>     rm: recursive rm of / is not allowed
>     chroot# exit
>     #
>
> It seems to work nicely here.  I'm not sure if the overhead of
> traversing argv[] twice is a big price to pay for the protection this
> adds, but if a lot of people like it I'll commit it when I get the
> approval of src-committers :-)
>
> - Giorgos
>

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
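As an added example (not Giorgos's patch above and not the code of FreeBSD's rm(1)), this is how the root-directory guard could be written so that it does not depend on the exact spelling of the argument and stays quiet when the caller passed -f, the two points raised in this reply. The functions `is_root_path` and `find_root_arg` and the sample argument lists are constructed for this illustration; the comparison uses stat(2) device and inode numbers, so `//` and `/.` are treated like `/`.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/*
 * Added example, not the patch from the thread.  Instead of a byte-for-byte
 * strcmp() against "/", compare device and inode numbers obtained with
 * stat(2), so that every spelling of the root directory is treated the same.
 *
 * Returns 1 if path names the root directory, 0 if it does not, and -1 if
 * stat() fails (for example because the path does not exist).
 */
int
is_root_path(const char *path)
{
	struct stat root, target;

	if (stat("/", &root) != 0 || stat(path, &target) != 0)
		return (-1);
	return (root.st_dev == target.st_dev && root.st_ino == target.st_ino);
}

/*
 * Scan a NULL-terminated argument list the way rm_tree() sees it.  Returns
 * the index of the first argument that names "/", or -1 if none does.  When
 * quiet is non-zero (the caller passed -f) nothing is printed, which keeps
 * the error path silent as the standard asks; the caller decides whether to
 * abort or just skip that argument.
 */
int
find_root_arg(char **argv, int quiet)
{
	int i;

	for (i = 0; argv[i] != NULL; i++) {
		if (is_root_path(argv[i]) == 1) {
			if (!quiet)
				fprintf(stderr,
				    "rm: recursive rm of %s is not allowed\n",
				    argv[i]);
			return (i);
		}
	}
	return (-1);
}

/* Constructed sample argument lists (hypothetical command lines). */
char *sample_ok[] = { "/tmp", "/var/tmp", NULL };
char *sample_root[] = { "/tmp", "//", NULL };

int
main(void)
{
	printf("sample_ok   -> %d\n", find_root_arg(sample_ok, 0));
	printf("sample_root -> %d\n", find_root_arg(sample_root, 0));
	return (0);
}
```

Running the program prints `-1` for the first list and `1` for the second (the index of `//`), with the diagnostic on stderr only because quiet was 0; with `quiet` set the return value is the same and nothing is printed.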
