Date: Sat, 2 Oct 2004 11:23:52 +0200
From: Max Laier <max@love2party.net>
To: freebsd-hackers@freebsd.org
Cc: Giorgos Keramidas <keramida@freebsd.org>
Subject: Re: Protection from the dreaded "rm -fr /"
Message-ID: <200410021123.59811.max@love2party.net>
In-Reply-To: <20041002081928.GA21439@gothmog.gr>
References: <20041002081928.GA21439@gothmog.gr>
[ Sorry to be so negative ... ]

At the very least you should consider erroring out silently, as POSIX requires "-f" to be silent. Other than that you should really look into the standards and what they say about rm and friends.

I am not a fan of providing seat belts like this. People concerned about this can "alias rm 'rm -i'" etc. etc. Others have commented like this ...

If you still have to make this change, make it tuneable with an environment variable (and make it default to off).

On Saturday 02 October 2004 10:19, Giorgos Keramidas wrote:
> John Beck, who works for Sun, posted an entry on his blog yesterday
> about "rm -fr /" protection, which I liked a lot:
> http://blogs.sun.com/roller/page/jbeck/20041001#rm_rf_protection
>
> His idea was remarkably simple, so I went ahead and wrote this patch for
> rm(1) of FreeBSD:
>
> %%%
> Index: rm.c
> ===================================================================
> RCS file: /home/ncvs/src/bin/rm/rm.c,v
> retrieving revision 1.47
> diff -u -r1.47 rm.c
> --- rm.c 6 Apr 2004 20:06:50 -0000 1.47
> +++ rm.c 2 Oct 2004 08:06:21 -0000
> @@ -157,6 +157,7 @@
> void
> rm_tree(char **argv)
> {
> + char **argv_tmp;
> FTS *fts;
> FTSENT *p;
> int needstat;
> @@ -164,6 +165,17 @@
> int rval;
>
> /*
> + * If one of the members of argv[] is the root directory abort the
> + * entire operation.
> + */
> + argv_tmp = argv;
> + while (*argv_tmp != NULL) {
> + if (strcmp(*argv_tmp, "/") == 0)
> + errx(1, "rm of / is not allowed");
> + argv_tmp++;
> + }
> +
> + /*
> * Remove a file hierarchy. If forcing removal (-f), or interactive
> * (-i) or can't ask anyway (stdin_ok), don't stat the file.
> */
> %%%
>
> To test it, I used a minimal chroot with /bin, /lib and /libexec copied
> over from my real / partition:
>
> # mkdir -p /tmp/chroot/bin ; cp -Rp /lib /libexec /tmp/chroot
> # cp /bin/sh /bin/ls /tmp/chroot/bin
> # cp /a/freebsd/src/bin/rm/rm /tmp/chroot/bin
> # env PS1='chroot# ' chroot /tmp/chroot /bin/sh
> chroot# rm -fr /
> rm: recursive rm of / is not allowed
> chroot# exit
> #
>
> It seems to work nicely here. I'm not sure if the overhead of
> traversing argv[] twice is a big price to pay for the protection this
> adds, but if a lot of people like it I'll commit it when I get the
> approval of src-committers :-)
>
> - Giorgos

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
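Review bot: the errx() string in the loop added at the top of rm_tree() reads "rm of / is not allowed", while the chroot transcript below shows the built binary printing "rm: recursive rm of / is not allowed", so the hunk posted here and the binary that was tested are not the same code; settle on one message before committing. The guard is also a literal strcmp() against "/", so only an argument spelled exactly "/" is refused and any other spelling of the root directory is not caught; either document that limit in the new comment or compare a normalised path. Finally, errx(1, ...) always prints a diagnostic and exits nonzero, including under -f, which is the POSIX silence point raised in the reply above.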