From owner-freebsd-hackers Mon May 15 02:11:04 1995
From: Peter da Silva
Message-Id: <199505150132.UAA23724@bonkers.taronga.com>
Subject: Re: kern/1043: unlink(2) should not let superuser remove directories
To: jtk@kolvir.blrc.ma.us
Date: Sun, 14 May 1995 20:32:07 -0500 (CDT)
Cc: seebs@solon.com, netbsd-bugs@netbsd.org, freebsd-hackers@FreeBSD.org
In-Reply-To: <199505141953.PAA04095@kolvir.blrc.ma.us> from "John Kohl" at May 14, 95 03:53:06 pm

> That's an argument for using fsdb, not to let root run rampant causing
> file system corruption. Using fsdb makes it absolutely clear that
> you're intentionally doing something dangerous. Using unlink(2) on
> directories is just the _Wrong Way_ to fix a damaged/broken filesystem!

If that's the only thing wrong with the file system, I'd rather use link
and unlink and clri and fsck than dive into fsdb... and I've been doing this
for fifteen years.

Fsdb will let you totally screw your filesystem to the point where you have
to reinstall faster than you can say Jack Robinson. Fsdb is a tool of last
resort, like using adb on a running kernel (which I've done too, now that I
think of it). Link and unlink take some effort to produce that level of
brokenness... because they work through the file system, and won't *create*
half-broken inodes if there aren't any there already.

In any case, I have real strong philosophical problems with removing the
ability of root to do *anything*... not just link and unlink directories.

Yes, we have symlinks now. Yes, you 99% of the time don't want to do that.
Yes, you can create inconsistent directory structures this way... but as far
as I'm concerned you might as well issue a patch that prevents you from
creating files and directories with control characters or shell
metacharacters in them.