bug-coreutils
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#24604: Add '--no-preserve-roots' flag to 'rm' for better safety

From: Pádraig Brady
Subject: bug#24604: Add '--no-preserve-roots' flag to 'rm' for better safety
Date: Tue, 4 Oct 2016 15:59:54 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 
On 04/10/16 15:34, Jim Meyering wrote:
> On Tue, Oct 4, 2016 at 5:54 AM, Pádraig Brady <address@hidden> wrote:
>> On 04/10/16 12:38, Pádraig Brady wrote:
>>> On 04/10/16 03:21, Mohammed Sadiq wrote:
>>>> '--no-preserve-root' that can be used to ignore if the path is root when 
>>>> using
>>>> the 'rm' command.
>>>>
>>>> But as the most of the GNU commands accepts shortened flag as long as
>>>> there is no ambiguity, this can be an issue too. So, 'rm --n' may have the
>>>> same effect as 'rm --no-preserve-root'. There may be several users unaware
>>>> of this feature which can cause several issues.
>>>>
>>>> 1. A cracker may be able to trick a user to bring a system down using
>>>> '--n' flag.
>>>> 2. A folder/file name like '--n' as an argument to 'rm' command may
>>>> try to delete
>>>>     the whole files (in case a '/' too appears as an argument), and
>>>> the user won't
>>>>     find a reason why it happened.
>>>>
>>>> One way to overcome this is set '--no-preserve-roots' too an alias for
>>>> '--no-preserve-root'. This means that the user will have include the whole 
>>>> flag
>>>> to ignore root check (shortening will create an ambiguity).
>>>
>>> An interesting idea.
>>> The main focus of the --no-preserve-root option is to protect against
>>> accidental insertion of a space with `rm -rf blah /` or `rm -rf $blah/`.
>>> With malicious arguments though one can obfuscate using shell quoting,
>>> and the recent ls quoting changes are more general protection against that.
>>> In saying that I don't see any issue with this, and there is a slight
>>> increase in protection, so I'd be 60:40 for making this change.
>>
>> This would break scripts that used shortened --no-preserve for example,
>> though that's quite unlikely to be used.
>>
>> Implementation is attached.
> 
> I too like the idea.
> Did you consider this alternate implementation?
> 
> $ src/rm --no-preserve-root a
> src/rm: cannot remove 'a': No such file or directory
> [Exit 1]
> $ src/rm --no-preserve-roo a
> src/rm: you may not abbreviate the --no-preserve-root option
> [Exit 1]

More explicit and less hacky.
I'll change to that. thanks
reply via email to
[Prev in Thread] Current Thread [Next in Thread]