The Community Forums


Root security with "rm -rf /"

Discussion in 'Security' started by Jonah2, Jan 24, 2007.

  1. Jonah2

    Jonah2 Member

    I have nightmares about accidentally typing "rm -rf /" while logged in to shell as root. Are there any solutions? And please let me post some relevant questions, because I know others have asked about this too.

    1) Will "rm -rf /" really delete the entirety of all volumes, including system files and the /backup drive? Will it give any warning before nuking everything? (Needless to say, I've never tried.)

    2) I once had a Unix account (long ago) that gave me a single "are you sure?" warning every time I typed "rm -rf", and then proceeded to rm all files. But it doesn't seem to work that way on Linux. I tried "rm -rfi" and "rm -rif" but that queries "are you sure?" for each and every file, not just one "are you sure?" at the beginning of the process.

    3) I know that logging in as a reseller or as a user, *not* as root, solves the problem. But then there's no way to gain root functionality for things like 'top' and 'ps' without typing 'sudo root top,' right? And if I do log in as a reseller and use sudo, doesn't that present the same problem, in that typing "sudo root rm -rf /" would delete everything?

    Thanks! -Jonah
     
  2. nwilkens

    nwilkens Well-Known Member

    rm

    When decommissioning some of my personal machines, I like to test the various ways to screw things up ;) and rm -rf / really does screw things up for you...


    I just put together this quick script that you could use (at your own risk, I am not responsible for damages incurred.. etc.):

    Code:
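    #!/bin/sh
    #
    # Install:
    #   mv /bin/rm /bin/rm.orig
    #   create /bin/rm with the contents of this file
    #   chmod +x /bin/rm
    #
    
    RM_BIN=/bin/rm.orig
    
    # Prompt once, and only when RM_AREYOUSURE is set to a non-empty value.
    if [ -n "$RM_AREYOUSURE" ]
    then
       # printf instead of "echo -n", which is not portable under /bin/sh
       printf 'Are you sure? [Y/N]: '
       read yesno
       case "$yesno" in
         # "$@" keeps each argument intact, including names with spaces
         "Y" | "y" )  "${RM_BIN}" "$@";;
         "N" | "n" )  echo "Ok, not deleting anything.. exiting.";;
         *)    echo "Y or N, please!";;
       esac
    else
       "${RM_BIN}" "$@"
    fi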
    

    If you set an environment variable RM_AREYOUSURE to anything, at the command prompt (or add to your .bash_profile):

    # export RM_AREYOUSURE=enableme
    # rm -f test
    Are you sure? [Y/N]: y

    # rm -f test
    Are you sure? [Y/N]: n
    Ok, not deleting anything.. exiting.

    ... and yes, sudo rm is just as bad.

    It just boils down to, don't type that command and always double check yourself.

    rm -rf / is not usually going to be your problem though. I find that the real problem is when people are in the wrong directory, or that the wildcards being used are expanding in ways you are not expecting..

    So modifying the code to print things like that is maybe another nice idea, by adding:
    echo "PWD: `pwd`"
    echo "CMD: rm $*"

    Hope this helps a bit.
     
    #2 nwilkens, Jan 24, 2007
    Last edited: Jan 24, 2007
  3. cPanelNick

    cPanelNick Administrator
    Staff Member

    You might want to have a replacement that stats / and compares the abs path of the file name and inode number to what is being deleted. If it matches, halt the system.
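
The following is an added example, not code posted by anyone in this thread: a shell guard that compares each operand's device and inode with those of /, as suggested in post #3, and prints the working directory and the expanded command line, as suggested in post #2. It assumes GNU coreutils `stat` (the `-c` format option); `file_id`, `rm_guard` and `safe_rm` are hypothetical names, and here the guard refuses and returns rather than halting the system.

```shell
#!/bin/sh
# Added example: refuse any rm operand that is the same file as /,
# judged by device:inode rather than by how the path is spelled.
# Assumes GNU stat; all function names are hypothetical.

file_id() {
    # -L follows symlinks, so a link that points at / is treated as /
    # (deliberately conservative). Prints nothing if the path is missing.
    stat -L -c '%d:%i' -- "$1" 2>/dev/null
}

rm_guard() {
    # Returns 0 when no operand is /, 1 otherwise.
    root_id=$(file_id /) || return 1
    opts_done=0
    for arg in "$@"; do
        if [ "$opts_done" -eq 0 ]; then
            case "$arg" in
                --)  opts_done=1; continue ;;
                -?*) continue ;;   # options may come before or after operands
            esac
        fi
        if [ "$(file_id "$arg")" = "$root_id" ]; then
            echo "rm_guard: '$arg' is / (dev:inode $root_id), refusing" >&2
            return 1
        fi
    done
    return 0
}

safe_rm() {
    # Show where we are and what the shell expanded the arguments to.
    echo "PWD: $(pwd)" >&2
    echo "CMD: rm $*" >&2
    rm_guard "$@" || return 1
    command rm "$@"
}
```

Source the file and call `safe_rm` in place of `rm`. The guard does not catch `/*`, which the shell expands to the top-level directories before rm runs; the PWD and CMD lines are what make that expansion visible.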
     
  4. phoenixdarkdirk

    Though it's still best to avoid running as root as often as possible, one of the things I do whenever running any type of `rm -rf` operation, as any user, is to place the -rf option at the end of the command like this:

    Code:
    rm /home/someguy/deletefiles/ -rf
    
    The success of this will depend on your shell and OS, but it does work in Linux+bash (I think that it's the BSDs that don't support it). The whole logic behind it is that if your hand slips on the enter key at any point, before the `-rf`, you haven't broken more than one file. Plus, typing the -rf at the very end makes you think about the command once more. Just something I've worked into habit that makes me feel nominally better.
     
    #4 phoenixdarkdirk, Jan 30, 2007
    Last edited: Jan 30, 2007
  5. Jonah2

    Jonah2 Member

    This was a great tip: typing the "-rf" flag after the filename, as in "rm /home/someguy/deletefiles/ -rf". Thanks!

    I don't understand how one can "avoid running as root as often as possible". I'm constantly logging in as root to change crontabs, edit .conf files, fetch a file from my /backup directory, etc. Would you recommend doing all that as "sudo root," and if so, what extra security does that provide?

    The other solution I came up with was simply to unmount my /backup drive after nightly backups (in WHM's "Configure Backup"). So even if I should sometime leave my shell open and a cat walks across the keyboard typing "rm -rf /" I wouldn't lose my backup data.

    Thanks for your suggestions! -Jonah
     