From: Max Laier
To: freebsd-hackers@freebsd.org
cc: Giorgos Keramidas
Date: Sat, 2 Oct 2004 11:23:52 +0200
Subject: Re: Protection from the dreaded "rm -fr /"

[ Sorry to be so negative ... ]

At the very least you should consider erroring out silently, as POSIX requires
"-f" to be silent. Other than that you should really look into the standards and
what they say about rm and friends.

I am not a fan of providing seat belts like this. People concerned about this
can "alias rm 'rm -i'" etc. etc. Others have commented like this ...

If you still have to make this change, make it tunable with an environment
variable (and make it default to off).
On Saturday 02 October 2004 10:19, Giorgos Keramidas wrote:
> John Beck, who works for Sun, has posted an entry in his blog yesterday
> about "rm -fr /" protection, which I liked a lot:
> http://blogs.sun.com/roller/page/jbeck/20041001#rm_rf_protection
>
> His idea was remarkably simple, so I went ahead and wrote this patch for
> rm(1) of FreeBSD:
>
> %%%
> Index: rm.c
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> RCS file: /home/ncvs/src/bin/rm/rm.c,v
> retrieving revision 1.47
> diff -u -r1.47 rm.c
> --- rm.c 6 Apr 2004 20:06:50 -0000 1.47
> +++ rm.c 2 Oct 2004 08:06:21 -0000
> @@ -157,6 +157,7 @@
> void
> rm_tree(char **argv)
> {
> + char **argv_tmp;
> FTS *fts;
> FTSENT *p;
> int needstat;
> @@ -164,6 +165,17 @@
> int rval;
>
> /*
> + * If one of the members of argv[] is the root directory abort the
> + * entire operation.
> + */
> + argv_tmp =3D argv;
> + while (*argv_tmp !=3D NULL) {
> + if (strcmp(*argv_tmp, "/") =3D=3D 0)
> + errx(1, "rm of / is not allowed");
> + argv_tmp++;
> + }
> +
> + /*
> * Remove a file hierarchy. If forcing removal (-f), or interactive
> * (-i) or can't ask anyway (stdin_ok), don't stat the file.
> */
> %%%
>
> To test it, I used a minimal chroot with /bin, /lib and /libexec copied
> over from my real / partition:
>
> # mkdir -p /tmp/chroot/bin ; cp -Rp /lib /libexec /tmp/chroot
> # cp /bin/sh /bin/ls /tmp/chroot/bin
> # cp /a/freebsd/src/bin/rm/rm /tmp/chroot/bin
> # env PS1='chroot# ' chroot /tmp/chroot /bin/sh
> chroot# rm -fr /
> rm: recursive rm of / is not allowed
> chroot# exit
> #
>
> It seems to work nicely here. I'm not sure if the overhead of
> traversing argv[] twice is a big price to pay for the protection this
> adds, but if a lot of people like it I'll commit it when I get the
> approval of src-committers :-)
>
> - Giorgos

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
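Review bot: the test `if (strcmp(*argv_tmp, "/") =3D=3D 0)` in the second hunk matches only the literal string "/", so other spellings of the same directory ("//", "/.", "/..", "/../") walk straight past it, although the comment above it says the intent is to refuse the root directory itself. Compare by identity rather than by string: stat(2) the argument and "/" and refuse when `st_dev` and `st_ino` are equal, or canonicalise with realpath(3) before the strcmp. Two smaller points in the same hunk: the message `errx(1, "rm of / is not allowed")` does not match the `rm: recursive rm of / is not allowed` shown in the chroot transcript, so the patch or the transcript is stale; and because errx() exits before any argument is removed, `rm -r dir /` removes nothing at all, which is what the comment says ("abort the entire operation") but should be stated in rm.1 as well, since it differs from how rm treats every other refused argument.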
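The guard the thread is arguing about, written out as an added example (it is neither Giorgos's patch nor FreeBSD's rm.c): instead of comparing the argument string to "/", it asks the kernel whether the argument is the root directory (same st_dev and st_ino as "/"), which also catches "//", "/." and "/.."; and, as Max asks, it is gated on an environment variable that defaults to off. The variable name RM_GUARD_ROOT, the function names and the argument list are this example's own inventions.

```c
/*
 * Added example, not Giorgos's patch and not FreeBSD's rm.c.
 * Root-directory guard for a recursive rm: identify the root by device
 * and inode instead of by the string "/", and gate the guard on an
 * environment variable (RM_GUARD_ROOT is a name invented here).
 */
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return 1 if `path` names the root directory, 0 if it names something
 * else, -1 if it cannot be stat'ed (rm then reports its own error).
 * "/", "//", "/.", "/.." and "/../.." all resolve to the same inode.
 */
int is_root_dir(const char *path)
{
	struct stat root, sb;

	if (stat("/", &root) != 0 || stat(path, &sb) != 0)
		return -1;
	return (sb.st_dev == root.st_dev && sb.st_ino == root.st_ino) ? 1 : 0;
}

/*
 * Walk a NULL-terminated argument list the way rm_tree() would and
 * return the index of the first argument that is the root directory,
 * or -1 if there is none.  Note the limit of any such guard: "rm -rf /*"
 * never presents "/" here, because the shell has already expanded the
 * glob into "/bin", "/etc", ... before rm runs.
 */
int find_root_arg(char *const *argv)
{
	for (int i = 0; argv[i] != NULL; i++)
		if (is_root_dir(argv[i]) == 1)
			return i;
	return -1;
}

/*
 * Max's suggestion: tunable, default off.  The guard is active only when
 * the variable is set to something other than "" or "0".
 */
int root_guard_enabled(const char *value)
{
	return value != NULL && value[0] != '\0' && strcmp(value, "0") != 0;
}

/* Constructed argument list: what rm -r would see after option parsing. */
static char *const sample_args[] = { "/var/tmp/build", "/.", "/home", NULL };

/*
 * Apply the guard to sample_args given the environment variable's value;
 * returns the index of the refused argument, or -1 (guard off or nothing
 * to refuse).
 */
int guard_sample(const char *env_value)
{
	if (!root_guard_enabled(env_value))
		return -1;	/* guard off: behave like stock rm */
	return find_root_arg(sample_args);
}

int main(void)
{
	const char *paths[] = { "/", "//", "/.", "/../..", "/tmp", "/no/such/dir" };
	int idx;

	for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
		printf("%-14s is_root_dir -> %d\n", paths[i], is_root_dir(paths[i]));

	/* Run with RM_GUARD_ROOT=1 in the environment to see the refusal. */
	idx = guard_sample(getenv("RM_GUARD_ROOT"));
	if (idx >= 0)
		fprintf(stderr, "rm: refusing recursive removal of the root directory (%s)\n",
		    sample_args[idx]);
	else
		printf("guard off or no root argument; rm would proceed\n");
	return 0;
}
```

The stat-based comparison costs one extra stat(2) per top-level argument, which is the same order of work as the argv walk in the patch; what it buys is that the check is about the directory, not about how the user happened to spell its path.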