Protection from the dreaded "rm -fr /"
Max Laier
max at love2party.net
Sat Oct 2 02:24:44 PDT 2004
[ Sorry to be so negative ... ]
At very least you should consider erroring out silently, as POSIX requires "-f"
to be silent. Other than that you should really look into the standards and
what they say about rm and friends.
I am not a fan of providing seat belts like this. People concerned about this,
can "alias rm 'rm -i'" etc. etc. Others have commented like this ...
If you still have to make this change, make it tuneable with an environment
variable (and make it default to off).
On Saturday 02 October 2004 10:19, Giorgos Keramidas wrote:
> John Beck, who works for Sun, has posted an entry in his blog yesterday
> about "rm -fr /" protection, which I liked a lot:
> http://blogs.sun.com/roller/page/jbeck/20041001#rm_rf_protection
>
> His idea was remarkably simple, so I went ahead and wrote this patch for
> rm(1) of FreeBSD:
>
> %%%
> Index: rm.c
> ===================================================================
> RCS file: /home/ncvs/src/bin/rm/rm.c,v
> retrieving revision 1.47
> diff -u -r1.47 rm.c
> --- rm.c 6 Apr 2004 20:06:50 -0000 1.47
> +++ rm.c 2 Oct 2004 08:06:21 -0000
> @@ -157,6 +157,7 @@
> void
> rm_tree(char **argv)
> {
> + char **argv_tmp;
> FTS *fts;
> FTSENT *p;
> int needstat;
> @@ -164,6 +165,17 @@
> int rval;
>
> /*
> + * If one of the members of argv[] is the root directory abort the
> + * entire operation.
> + */
> + argv_tmp = argv;
> + while (*argv_tmp != NULL) {
> + if (strcmp(*argv_tmp, "/") == 0)
> + errx(1, "rm of / is not allowed");
> + argv_tmp++;
> + }
> +
> + /*
> * Remove a file hierarchy. If forcing removal (-f), or interactive
> * (-i) or can't ask anyway (stdin_ok), don't stat the file.
> */
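Review bot: the strcmp() against the literal "/" only catches the root directory when the argument is spelled exactly that way; "//", "/." or "/.." name the same directory and pass the check, so comparing by identity (stat() the argument and match st_dev/st_ino against those of "/") would be more robust than a string match. Two smaller points: the errx() message here says "rm of / is not allowed" while the transcript further down prints "recursive rm of / is not allowed", so one of the two is stale; and errx() prints and aborts even under -f, which the reply above notes POSIX expects to stay silent.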
> %%%
>
> To test it, I used a minimal chroot with /bin, /lib and /libexec copied
> over from my real / partition:
>
> # mkdir -p /tmp/chroot/bin ; cp -Rp /lib /libexec /tmp/chroot
> # cp /bin/sh /bin/ls /tmp/chroot/bin
> # cp /a/freebsd/src/bin/rm/rm /tmp/chroot/bin
> # env PS1='chroot# ' chroot /tmp/chroot /bin/sh
> chroot# rm -fr /
> rm: recursive rm of / is not allowed
> chroot# exit
> #
>
> It seems to work nicely here. I'm not sure if the overhead of
> traversing argv[] twice is a big price to pay for the protection this
> adds, but if a lot of people like it I'll commit it when I get the
> approval of src-committers :-)
>
> - Giorgos
>
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
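An added example, not the patch from the thread nor FreeBSD's rm(1) code, of the identity-based check discussed above: it decides whether an argument is the root directory by comparing device and inode with "/" rather than matching the string, so "//", "/." and "/../.." are caught too. The function names and the constructed argument list are assumptions for the illustration.

```c
/*
 * Added example: detect the root directory among rm arguments by
 * identity (st_dev + st_ino) instead of comparing against the string "/".
 */
#include <sys/stat.h>
#include <stdio.h>

/* Returns 1 if path names the root directory, 0 otherwise. A path that
 * does not exist returns 0: there is nothing for rm to remove there. */
int
is_root_path(const char *path)
{
	struct stat sb, root;

	if (stat(path, &sb) != 0 || stat("/", &root) != 0)
		return (0);
	return (sb.st_dev == root.st_dev && sb.st_ino == root.st_ino);
}

/* Scan a NULL-terminated argument vector the way rm_tree() would and
 * return the index of the first argument that is the root directory,
 * or -1 if none is. The caller decides whether to abort or stay silent
 * (for example under -f). */
int
find_root_arg(char **argv)
{
	int i;

	for (i = 0; argv[i] != NULL; i++)
		if (is_root_path(argv[i]))
			return (i);
	return (-1);
}

int
main(void)
{
	/* Constructed argument list: the second entry is root spelled "//". */
	char *args[] = { "/tmp/somefile", "//", NULL };
	int idx = find_root_arg(args);

	if (idx >= 0)
		printf("rm: recursive rm of %s (the root directory) is not allowed\n",
		    args[idx]);
	else
		printf("no root argument found\n");
	return (0);
}
```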