Re: How bad is "rm -rf /" ?




On 02/02/2016 04:57 PM, Valeri Galtsev wrote:
Suppose I executed the command
rm -rf /
on my CentOS 7 box. After it did what it could, how much damage will be
done to what I have (or _had_ rather ;-) on my hard drive?

In your experiment, rm processed /boot and /data first, and then /proc, where it hung removing one file. There are two important details to consider. First, that behavior doesn't appear to be standard. If I run "rm -rf /proc" on other kernels, rm doesn't hang. On systems running those kernels, rm will remove all of the files in the filesystem hierarchy. Second, on systems running that kernel, no more data was removed because readdir('/') returned /proc before the directories that rm didn't process.

and finally things started flying away, then the box locked with a bunch of
rm: cannot remove "/proc/sys/fs...": permission denied

The box did not "lock". Press Ctrl+c on the terminal, and rm will exit. What happened is simply that rm tried to unlink a file in /proc, and the syscall didn't return. I'm not sure why that happens, but it doesn't appear to be a feature.

OK, now: how about stuff that in / comes alphabetically before /dev?

As I told you before, rm doesn't process directory trees in alphabetical order.

First, symlink /bin (pointing to /usr/bin) stayed intact! This is not what
I expected, but I'm sure some clever person will explain that.

I did, in the previous thread.

Second, I
have two different partitions mounted as /boot and /data. Both of them are
gone (though their mount points stayed intact).

Directory entry order is unpredictable. It's not possible to unlink a directory where a filesystem is mounted, which is why the mount point is intact, but its content is gone.

By no means I am considering myself an expert, but what I see is pretty
much what I expected. Namely, the kernel talks to hard drive via block
device (or raw device whenever applicable).

That is incorrect, and a much simpler test can verify that. First, rm -rf /dev/*, then remove any file, or write any file. Reboot. Your changes will have been saved, demonstrating that /dev is not required after a filesystem is mounted.

Once you've completed that experiment, you can simulate the effect of rm -rf on different kernels by unmounting /proc and then issuing "rm -rfv --no-preserve-root /". When it completes, your filesystem will be empty except for the handful of directories that are used for mount points.

Therefore, once resembling
device is deleted from /dev, there will be no more changes to the content
on hard drive platters. So, all in all "rm -rf /" is much less disastrous
than it sounds. It only obliterates stuff that every sysadmin can
re-create (like /boot or /bin back then when it was not symlink to
/usr/bin). So, happy "rm -rf /"-ing everybody!

No.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
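
A read-only way to check two points from the reply above on your own system, added here as an example and not part of the original message: it lists a directory in the order readdir returns it, flags symlinks and mount points, and shows which entries are listed after a given name. The function names and the `stall_at` parameter are assumptions of this example, as is the premise (taken from the reply) that the traversal follows readdir order; it reads metadata only and removes nothing.

```python
import os


def readdir_order(path):
    """Names in the order the kernel returns them; os.scandir does not sort."""
    with os.scandir(path) as entries:
        return [entry.name for entry in entries]


def unreached_after(order, stall_at):
    """Entries a single in-order pass never reaches if it blocks inside stall_at."""
    if stall_at not in order:
        return []
    return order[order.index(stall_at) + 1:]


def survey(path="/", stall_at="proc"):
    """Read-only survey of path: visit order, symlinks, mount points."""
    order = readdir_order(path)
    rows = []
    for name in order:
        full = os.path.join(path, name)
        rows.append({
            "name": name,
            "symlink": os.path.islink(full),
            # A mounted-on directory cannot be unlinked (EBUSY), so the
            # mount point survives even when everything below it is gone.
            "mount_point": os.path.ismount(full),
        })
    return {
        "rows": rows,
        "alphabetical": order == sorted(order),
        "unreached": unreached_after(order, stall_at),
    }


if __name__ == "__main__":
    result = survey("/", "proc")
    for position, row in enumerate(result["rows"]):
        flags = [k for k in ("symlink", "mount_point") if row[k]]
        print(f"{position:2d}  /{row['name']:<12} {' '.join(flags)}")
    print("alphabetical order:", result["alphabetical"])
    print("listed after /proc:", result["unreached"])
```
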


