From owner-freebsd-hackers@FreeBSD.ORG Sat Oct 2 09:06:39 2004
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E9C9A16A4CE for ; Sat, 2 Oct 2004 09:06:39 +0000 (GMT)
Received: from rosebud.otenet.gr (rosebud.otenet.gr [195.170.0.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4543143D3F for ; Sat, 2 Oct 2004 09:06:39 +0000 (GMT) (envelope-from keramida@freebsd.org)
Received: from gothmog.gr (patr530-a232.otenet.gr [212.205.215.232]) i9296ajI027306; Sat, 2 Oct 2004 12:06:37 +0300
Received: from gothmog.gr (gothmog [127.0.0.1]) by gothmog.gr (8.13.1/8.13.1) with ESMTP id i9296a5f072629; Sat, 2 Oct 2004 12:06:36 +0300 (EEST) (envelope-from keramida@freebsd.org)
Received: (from giorgos@localhost) by gothmog.gr (8.13.1/8.13.1/Submit) id i9296aVj072625; Sat, 2 Oct 2004 12:06:36 +0300 (EEST) (envelope-from keramida@freebsd.org)
Date: Sat, 2 Oct 2004 12:06:35 +0300
From: Giorgos Keramidas
To: Michael Reifenberger
Message-ID: <20041002090635.GA71050@gothmog.gr>
References: <20041002081928.GA21439@gothmog.gr> <20041002102918.W22102@fw.reifenberger.com> <20041002085143.GA52519@gothmog.gr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20041002085143.GA52519@gothmog.gr>
cc: freebsd-hackers@freebsd.org
Subject: Re: Protection from the dreaded "rm -fr /"
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Sat, 02 Oct 2004 09:06:40 -0000

On 2004-10-02 11:51, Giorgos Keramidas wrote:
> On 2004-10-02 10:34, Michael Reifenberger wrote:
> >
> > This does only help for the obvious case of '/' but not for the
> > './' and '../' or '../../' ... accidents.
>
> Hmm, indeed. This can be fixed, but it might take a little thinking
> over about ways to implement it without adding too much overhead to the
> way rm(1) works now.

One way to do that is to use realpath(3), but I have to ask more
knowledgeable people about the comment immediately below my change:

%%%
Index: rm.c
===================================================================
RCS file: /home/ncvs/src/bin/rm/rm.c,v
retrieving revision 1.47
diff -u -r1.47 rm.c
--- rm.c	6 Apr 2004 20:06:50 -0000	1.47
+++ rm.c	2 Oct 2004 09:00:41 -0000
@@ -157,6 +157,8 @@
 void
 rm_tree(char **argv)
 {
+	char *rpath;
+	char **argv_tmp;
 	FTS *fts;
 	FTSENT *p;
 	int needstat;
@@ -164,6 +166,20 @@
 	int rval;
 
 	/*
+	 * If one of the members of argv[] is the root directory abort the
+	 * entire operation.
+	 */
+	rpath = malloc(PATH_MAX * sizeof(char));
+	if (rpath == NULL)
+		err(1, "malloc");
+	for (argv_tmp = argv; *argv_tmp != NULL; argv_tmp++) {
+		if (realpath(*argv_tmp, rpath) == NULL)
+			err(1, "%s", *argv_tmp);
+		if (strcmp(rpath, "/") == 0)
+			errx(1, "recursive rm of / is not allowed");
+	}
+
+	/*
 	 * Remove a file hierarchy. If forcing removal (-f), or interactive
 	 * (-i) or can't ask anyway (stdin_ok), don't stat the file.
 	 */
%%%

I'm a bit worried about the "don't stat the file" comment below. The
realpath(3) library function *does* stat the file when trying to find
its real pathname ;-/
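Review bot: in the first hunk (@@ -157,6 +157,8 @@) `rpath` is declared as a pointer that the second hunk fills with malloc() and never frees; since PATH_MAX is a compile-time constant, declaring it here as `char rpath[PATH_MAX];` would drop the malloc(), the NULL check and the `err(1, "malloc")` exit path entirely.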
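Review bot: in the second hunk (@@ -164,6 +166,20 @@) the `realpath(*argv_tmp, rpath) == NULL` branch calls `err(1, "%s", *argv_tmp)` unconditionally, so an operand that does not exist now aborts the whole run even when -f was given, whereas rm -f is required to ignore nonexistent operands silently and leave the exit status untouched; the ENOENT case should be skipped (continue to the next operand) when forcing, and only other realpath(3) failures treated as fatal. The hunk's own comment promises only to abort for the root directory, so it should either say that missing operands are fatal too or the code should match the comment. Separately, because realpath(3) looks up every component of every operand, the "don't stat the file" comment that follows this insertion is no longer true for the -f/-i/!stdin_ok cases; either move the root check after the needstat decision or reword that comment.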
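The realpath(3) approach the message proposes, as an added example that is neither the rm.c patch above nor FreeBSD's own code: each operand is canonicalized, the operation is refused when any of them resolves to "/" (so the './', '../' and '/../..' spellings are caught as well as the literal '/'), and, unlike the patch, a missing operand is skipped rather than fatal when forcing, which is what rm -f requires. The function names, the CHECK_* results and the sample operand lists are assumptions made for this example.

```c
/*
 * Added example, not the rm.c patch from the e-mail and not FreeBSD code.
 * Names (check_operand, operands_allowed, CHECK_*) are assumptions made
 * for this illustration; the technique is the realpath(3) check the
 * message proposes.
 */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

enum operand_check {
	CHECK_OK = 0,	/* operand is safe to hand to the removal loop */
	CHECK_IS_ROOT,	/* operand resolves to "/": refuse the whole run */
	CHECK_MISSING,	/* operand does not exist (ENOENT / ENOTDIR) */
	CHECK_ERROR	/* realpath(3) failed for some other reason */
};

/*
 * Resolve one operand. realpath(3) follows symlinks and collapses "." and
 * ".." against the existing filesystem, so "/", "/." and "/../.." all come
 * back as "/", and "./" or "../" are resolved relative to the current
 * directory. It does this by looking up every path component, which is the
 * stat cost the message worries about.
 */
enum operand_check
check_operand(const char *operand, char *resolved, size_t resolved_len)
{
	char buf[PATH_MAX];

	if (realpath(operand, buf) == NULL) {
		if (errno == ENOENT || errno == ENOTDIR)
			return CHECK_MISSING;
		return CHECK_ERROR;
	}
	if (resolved != NULL)
		snprintf(resolved, resolved_len, "%s", buf);
	return strcmp(buf, "/") == 0 ? CHECK_IS_ROOT : CHECK_OK;
}

/*
 * Apply the policy to a whole operand list before anything is removed.
 * Returns 1 if removal may proceed, 0 if it must be refused. With force
 * set (rm -f semantics) a missing operand is skipped silently instead of
 * being fatal; diag may be NULL to suppress messages.
 */
int
operands_allowed(char *const *argv, int force, FILE *diag)
{
	char resolved[PATH_MAX];

	for (; *argv != NULL; argv++) {
		switch (check_operand(*argv, resolved, sizeof(resolved))) {
		case CHECK_IS_ROOT:
			if (diag != NULL)
				fprintf(diag, "%s resolves to /: refusing\n", *argv);
			return 0;
		case CHECK_MISSING:
			if (force)
				break;
			if (diag != NULL)
				fprintf(diag, "%s: No such file or directory\n", *argv);
			return 0;
		case CHECK_ERROR:
			if (diag != NULL)
				fprintf(diag, "%s: %s\n", *argv, strerror(errno));
			return 0;
		case CHECK_OK:
			break;
		}
	}
	return 1;
}

/* Constructed operand lists for a stand-alone demonstration. */
int
demo_refuses_root_operand(void)
{
	char *ops[] = { "/tmp", "/../..", NULL };	/* second one is "/" */
	return operands_allowed(ops, 0, NULL);		/* 0: refused */
}

int
demo_force_skips_missing(void)
{
	/* constructed path, assumed not to exist on the machine */
	char *ops[] = { "/nonexistent-constructed-path-xyz", NULL };
	return operands_allowed(ops, 1, NULL) == 1 &&
	    operands_allowed(ops, 0, NULL) == 0;	/* 1: both as expected */
}

int
main(int argc, char **argv)
{
	if (argc > 1)
		return operands_allowed(argv + 1, 0, stderr) ? 0 : 1;
	printf("root operand refused: %s\n",
	    demo_refuses_root_operand() == 0 ? "yes" : "no");
	printf("-f skips missing operand: %s\n",
	    demo_force_skips_missing() ? "yes" : "no");
	return 0;
}
```

Compile with cc and pass the operands you would give rm: `./a.out /../..` prints the refusal and exits 1, while with no arguments it runs the constructed lists. The realpath(3) call is also where the stat cost the message points at lives: every component of every operand is looked up before the removal loop starts, so this check belongs before the needstat optimisation is decided, or that comment needs rewording.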