| Subject: | Protection from the dreaded "rm -fr /" | |
|---|---|---|
| From: | Giorgos Keramidas (kera...@freebsd.org) | |
| Date: | Oct 2, 2004 3:19:26 am | |
| List: | org.freebsd.freebsd-hackers | |
On 2004-10-02 03:52, Ryan Sommers <rya...@gamersimpact.com> wrote:
> On Sat, Oct 02, 2004 at 11:19:28AM +0300, Giorgos Keramidas wrote:
> > about "rm -fr /" protection, which I liked a lot: http://blogs.sun.com/roller/page/jbeck/20041001#rm_rf_protection
> >
> > His idea was remarkably simple, so I went ahead and wrote this patch for rm(1) of FreeBSD:
>
> As for adding this kind of oops-proofing, I'm not sure I like the idea of completely removing the ability to use / as an argument. How about prompting and needing 'yes' as input?

This might break things because the user hasn't specified -i and will suddenly get a prompt. Unexpected prompts might never get an answer.

I liked what Max Laier proposed though, about making this tunable and defaulting to off. See below for the behavior of what I've come up with:

On 2004-10-02 11:23, Max Laier <ma...@love2party.net> wrote:
> [ Sorry to be so negative ... ]
>
> At very least you should consider to error out silently as POSIX requires "-f" to be silent. Other than that you should really look into the standards and what they say about rm and friends.

Agreed. Thanks for the feedback. Positive replies are not the only sort that are worth a lot :-)

How does the following look instead of forcing stuff on the user?

1. Silently erroring out:

    chroot# export RM_PROTECT_ROOT=1
    chroot# /bin/rm -fr /
    chroot# echo $?
    1
    chroot# /bin/rm -fr .././
    chroot# echo $?
    1

2. Warning with an error message because RM_PROTECT_ROOT is set:

    chroot# export RM_PROTECT_ROOT=1
    chroot# /bin/rm -r /
    rm: recursive rm of / not allowed
    chroot# /bin/rm -r .././
    rm: recursive rm of / not allowed

3. The current behavior as a default when RM_PROTECT_ROOT is unset:

    chroot# unset RM_PROTECT_ROOT
    chroot# /bin/rm -r /
    override rwxr-xr-x 0/0 for /bin/rm? ^Cchroot#
    chroot#
    chroot#
    chroot# /bin/rm -fr /
    rm: /libexec/ld-elf.so.1: Operation not permitted
    rm: /libexec: Directory not empty
    rm: /lib/libc.so.5: Operation not permitted
    rm: /lib/libcrypt.so.2: Operation not permitted
    rm: /lib: Directory not empty
    rm: /: Is a directory
    chroot# ls -l
    ls: not found
    chroot# echo *
    lib libexec
    chroot# cd lib
    chroot# echo *
    libc.so.5 libcrypt.so.2
    chroot# exit

Here's the updated diff:
%%% Index: rm.c =================================================================== RCS file: /home/ncvs/src/bin/rm/rm.c,v retrieving revision 1.47 diff -u -r1.47 rm.c --- rm.c 6 Apr 2004 20:06:50 -0000 1.47 +++ rm.c 2 Oct 2004 10:06:59 -0000 @@ -57,7 +57,7 @@ #include <sysexits.h> #include <unistd.h>
-int dflag, eval, fflag, iflag, Pflag, vflag, Wflag, stdin_ok; +int dflag, eval, fflag, iflag, Pflag, vflag, Wflag, stdin_ok, protect_root; uid_t uid;
int check(char *, char *, struct stat *); @@ -100,6 +100,10 @@ exit(eval); }
+ protect_root = 0; + if (getenv("RM_PROTECT_ROOT") != NULL) + protect_root = 1; + Pflag = rflag = 0; while ((ch = getopt(argc, argv, "dfiPRrvW")) != -1) switch(ch) { @@ -157,6 +161,8 @@ void rm_tree(char **argv) { + static char *rpath = NULL; + char **argv_tmp; FTS *fts; FTSENT *p; int needstat; @@ -164,6 +170,25 @@ int rval;
/* + * If enabled in the environment with RM_PROTECT_ROOT disable the + * ability to recursively remove the root directory. + */ + if (protect_root) { + if (rpath == NULL && + (rpath = malloc(PATH_MAX * sizeof(char))) == NULL) + err(1, "malloc"); + for (argv_tmp = argv; *argv_tmp != NULL; argv_tmp++) { + if (realpath(*argv_tmp, rpath) == NULL && + strcmp(rpath, "/") != 0) + continue; + if (fflag != 0) + exit (1); + else + errx(1, "recursive rm of / not allowed"); + } + } + + /* * Remove a file hierarchy. If forcing removal (-f), or interactive * (-i) or can't ask anyway (stdin_ok), don't stat the file. */ %%%
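
Review bot: In the hunk at @@ -100,6 +100,10 @@, `getenv("RM_PROTECT_ROOT") != NULL` turns the protection on for any value at all, including an empty string or `RM_PROTECT_ROOT=0`, and the diff touches only rm.c, so the new variable is not documented anywhere. Either test the value explicitly or state in the rm.1 ENVIRONMENT section that mere presence enables it, and add that manual page change to the patch. The `protect_root = 0;` assignment is also redundant, because the variable is declared at file scope in the first hunk and is already zero-initialized.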
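
Review bot: In the hunk at @@ -157,6 +161,8 @@, `static char *rpath = NULL;` sets up a heap buffer that the next hunk allocates with `malloc(PATH_MAX * sizeof(char))` and never frees, which adds a NULL test and an `err(1, "malloc")` path for what is a fixed-size scratch buffer. An automatic `char rpath[PATH_MAX];` would serve the same purpose with less code and no allocation failure case.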
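
Review bot: In the hunk at @@ -164,6 +170,25 @@, the test `realpath(*argv_tmp, rpath) == NULL && strcmp(rpath, "/") != 0` takes the `continue` only when realpath() fails; whenever realpath() succeeds the left operand is false and control falls through to `exit (1)` or `errx(1, ...)`, so with RM_PROTECT_ROOT set every existing operand of `rm -r` is refused, not only /. The operator should be `||`, so that an operand is skipped when it cannot be resolved or when it resolves to something other than "/"; that also stops strcmp() from reading rpath after a failed realpath(), when the buffer does not hold a resolved path. The sessions shown in the message exercise only `/` and `.././`, so a test with an ordinary directory operand is worth adding before this goes further.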





