And what exactly will sudo rm -rf do?

The furor around the sudo rm -rf clowns has subsided (but will no doubt resurface in the future), but just for the record, what will that command do?

Our guinea pig today is the naive and unsuspecting ugly laptop, this time running an arbitrary leftover installation of Lowarch, which I was using to recreate those fbpanel settings for the occasional person who wants to make Openbox look like Gnome (why someone would want to do that, I can’t imagine :roll: ).

When the computer wasn’t looking, I snuck up on it, installed sudo and set the permissions, and then gave it this.

sudo rm -rf /

And the reply was this.

rm: cannot remove root directory '/'

Well that's not right! I wanted something impressive! Chaos! Catastrophes! Cataclysms! Other words that start with C!

Maybe sudo is keeping me from removing it. So I signed in as root, and issued the same command.

rm: cannot remove root directory '/'

This is becoming disappointing. Okay, maybe it's because I'm within root's home directory. Maybe there's something unbeknownst to me, that requires you to be outside the directory you rm when you rm it.

I switched to the root directory -- / -- and tried again.

rm: cannot remove root directory '/'

Well, I give up. It's not that big a deal to me. I thought it might be worth watching, like the time I ran Killdisk on a running XP system, and it became very frantic for a few minutes. But there were no fireworks here. Maybe the rm -rf plague is meager hysteria.

Maybe Ubuntu behaves differently -- more precariously. :shock: Or maybe there's another, correct way to hose a system that I just don't know about yet. I suppose I could shred the partition while it's mounted. That might work. I'll keep trying. :P

Update No. 1: Judging by Luke's comment below, I am thinking the specific rm -rf / command is filtered out, or at least kicks back the above error message. Changing it slightly, like tallman suggested, to sudo rm -rf /*, gave me a system that was still running, but completely hosed. Yay! :mrgreen: :roll:

Update No. 2: The rumors are true: Ubuntu happily destroys itself with that command, and as a result I've filed a bug report with coreutils over the rm command. Explanation and gory details here.

About these ads

51 thoughts on “And what exactly will sudo rm -rf do?

  1. JiGGaK

    Interesting… I’ve yet to try this as well and sure enough I get the same error. Went to try it on my poor old stinkpad (p2 300, 64MB ram) running slackware but sadly she won’t boot anymore!

    Anyway, I had an Arch install in a VM and issuing this command didn’t complain:
    sudo find . -exec rm -rf {} \;

    I got a barrage of “Operation not permitted” and “Device or resource busy” messages flying through the console but after about a minute it was finished and sure enough nothing works. After a reset grub shows a prompt but no boot options.

    Reply
    1. Ben Dibell

      You need to umount /sys and /proc before doing this, or things like that will happen. It’s best to do this from a livecd with nothing mounted.

      Reply
  2. lefty.crupps

    well, what it is MEANT to do, is:

    sudo = do the following command as the Super User (aka root (the system administrator account))

    rm = remove (aka delete) the following files

    -rf = flags for the ‘rm’ command, which mean ‘recursive’ (aka go into each subdirectory, and their sub-sub-directories, etc, forever) and force (aka don’t prompt, “Are you sure?” nor “Cannot remove a non-empty directory”)

    / = root directory, base of your drive, from where all other folders on your directory tree stem off of. /home is a part of /, /etc is a part of /, even /mount/WindowsXP is a part of /

    So you’re telling the system to remove itself. When the command is run, it gets loaded into RAM and when it finishes, it finds itself without anything on the drive (in theory, apparently).

    Reply
  3. K.Mandla Post author

    @Luke: I was wondering if it was hard-wired to avoid that command in particular. That would be my guess.

    @tallman: That was more effective. A lot of scary messages about “Operation not permitted” and “Permission denied” and “Too many levels of symbolic links.” I think deviating from the specific command avoided whatever protective measures were in place.

    @Dr Small: That’s what I thought was interesting. If Ubuntu doesn’t have that command screened (which, by Luke’s suggestion, is what I’m assuming Arch has done), I would be surprised. I’ll try it tomorrow, when I pursue Ubuntulite again.

    @JiGGaK: I can see how that would work, although I don’t wonder if a newbie getting that command, which looks more complex, might not be suspicious of it. Of course, I was a newbie once, and I would not have known better.

    Reply
  4. Jay

    I was an unfortunate victim of this command…My ubuntu deleted my home directory as the command executed from my home directory…Clean system and after reboot nothing booted. Ubuntu doesnt screen this command as of 3rd week of november.

    Reply
  5. wag

    sudo rm -rf / worked on ubuntu server 7.10, kills all except some files in dev/ proc/ sys/ var/.
    after restart, grub gives an “Error 15″ :>

    Reply
  6. man

    $ man rm
    –no-preserve-root
    do not treat ‘/’ specially

    –preserve-root
    do not remove ‘/’ (default)

    Reply
  7. K.Mandla Post author

    That’s odd. It’s marked as the default behavior, but Ubuntu definitely will eat its own self with that command. Hmm.

    Reply
  8. Pingback: It’s true: sudo rm -rf kills Ubuntu; a bug report « Motho ke motho ka botho

  9. Planet Malaysia

    I think this is make sense. If you want to delete everything, why not just install from scratch instead of “rm -rf”. Any reason why you need to delete “/”?

    Reply
  10. igknighted

    @planet:

    Perhaps if the cops were busting down your door and you had to delete all you pr0n & illegally downloaded songs/movies quickly… you know, didn’t have time to boot up a live disk to partition or something ;)

    Reply
  11. Timothy Goddard

    You’re filing a bug report? What’s the bug? I anticipate it will not let you remove the root of any mounted filesystem as every filesystem has to have one. When you run rm -rf / it first tries to remove the / directory. Since this is impossible it stops. When you run rm -rf /* as root it is actually possible do it so it should obey without question.

    Reply
  12. CdeMills

    there is more fun than that:

    sudo dd if=/dev/zero of=/dev/hda bs=512 count=64

    and … say goodbye to the main partition table. Even Windows won’t survive THAT, because you also overwrited backup data contained in the first cylinder.

    Now, as a side note, who never typed
    ‘rm * ~’
    instead of
    ‘rm *~’ ?

    CdM

    Reply
  13. CdeMills

    For distros where ‘rm -rf /’ has no ‘special’ meaning, a basic protection is:
    ‘cd /
    touch — -i
    chmod 000 “-i” ‘

    The trick: this create an hidden file whose name is ‘-i’. With the ‘rm’ command, the first file in alphabetical order will be this one. And the name, beginning by a minus, will be interpreted as an option. So, what’s executed really is ‘rm -i’, that is, interactive mode, ask before each deletion. You get a chance to stop the disaster before it happens

    CdM

    Reply
  14. Not Relevant

    If you’re root, you can hose your system. If you don’t know what you’re doing, don’t type random (snip) into bash as root. Please don’t destroy the functionality of basic UNIX commands just to bubble wrap the drooling masses. Jeez…

    (Edited for language. — K.Mandla)

    Reply
  15. Not Relevant

    Yes. We show up about the time you want to start (snip) with basic functionality in a futile attempt to make a Turing complete system no longer universal

    (Edited for language … again … — K.Mandla)

    Reply
  16. Not Relevant

    Edited for prudery…

    Look. Bash is a programming language which when run as root has access to every byte of memory and every byte on disk. You cannot patch this with band-aids to stop people from posting code on the internet that naive people will then paste into an xterm and use to hose their systems. What you *really* need to fix is the trusting attitude that it’s OK to paste random shell script from unknown sources into a root prompt.

    Reply
  17. K.Mandla Post author

    I still disagree. Reversing the default on the rm command does not hamstring its function, which means newcomers get a sliver of added protection, and the UNIX elitists continue to preserve their sensibilities. It’ll still be like it’s 1969! :P

    And if the alternative is somehow preprogramming every Linux newcomer to avoid cut-and-pasting root-level commands into a terminal … I think I’d prefer the same step other distributions have taken, and simply warn someone of the odd chance that they’re risking their system.

    Reply
  18. Not Relevant

    The default for rm is not to include the options that say recursively delete everything!

    It’s not possible to make a root terminal safe. At least it’s not possible to make a root terminal safe and still have it remain useful for system administration by people who know what they’re doing.

    If people can’t be persuaded not to cut and paste any old commands they find on some random internet site into a terminal then, frankly, they can’t be trusted with a terminal.

    However, I find it hard to believe that people are really that stupid and need such protection. What they need is Linux distributions that work better out of the box for non-geek users, where it’s not a requirement to resort to cutting and pasting command line solutions that they don’t understand to fix issues that should be fixable via a GUI…

    Reply
  19. anon

    Desired behaviour.

    There are many ways to destroy your system. I recommend not operating linux as root for your everyday stuff, and dont use sudo unless you know what it is you are doing with the commands you enter. If you want safety, keep away from super-user privileges.

    Remember to read the sudo message the first time you used it.
    ” We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

    Points 2 & 3 are particularly important. Root users should know what they are doing or be prepared to do something wrong. Adding special cases to software just means there is more to learn & wierder behaviour – thats why windows is still screwed – their permissions model is bloody complicated and full of gotchas & special behaviour (anyone remember the simcity workaround?).

    Know what a tool does *before* you use it – or run another box/VM to test your commands on.

    Reply
  20. Not Relevant

    I think the problem is that users post on forums saying ‘how can I get 3D working on my NVidia graphics card’ and get the answer ‘type “sudo rm -rf /” into a terminal window’…

    While people are prepared to blindly follow such instructions, people will keep coming up with sudo command lines that hose people’s systems.

    I’m not sure what’s more difficult – persuading people not to be so trusting (especially when the vast majority of advice offered is well meaning and useful), or trying to outguess the inventiveness of malicious people who get a kick out of passively destroying the systems of others. Either way, changing the behavior of rm is not going to help – it’s like trying to hold back the sea with kid’s bucket.

    Reply
  21. K.Mandla Post author

    But that’s where I disagree: Changing the default behavior of rm would help, as was already shown with the Lowarch installation. The same command destroys an Ubuntu system that did nothing to a dead distro.

    I think I understand what you’re saying. The root terminal is a dangerous place, and I fully agree. But one tiny change in the default behavior of one command might ward off a destroyed system sometime in the future. It seems like a small sacrifice (and really, if other distros already do it, what’s the sacrifice?) if the alternative is someone who loses everything.

    Reply
  22. Not Relevant

    The tiny change is trivially circumventable though, for example:

    mv /* /tmp ; rm -rf /tmp/*
    find / -type f | xargs rm
    for f in /dev/hd* ; do dd if=/dev/zero of=$f ; done
    for f in `find / -type f`; do echo hose >$f ; done
    etc. etc.

    Reply
  23. Jack

    A trap for young players is

    rm -rf .*

    Trying to remove unwanted dot-directories (particularly in one’s home directory). If you run that one as root you can quite quickly destroy the system.

    In fact that was the hard lesson that taught me very early in my Unix days: “Do NOT run as root. Be an ordinary user ALL THE TIME.”

    Reply
  24. Not Relevant

    I understand where you’re coming from but it’s just not safe to use a terminal as root if you’re not certain what you’re doing. It’s just plain dangerous (it’s dangerous enough if you do know what you’re doing!)

    I don’t believe it can be made safe without adding so many special cases to rm (and dd, cp, echo, output redirection, wildcard expansion…) that it becomes a minefield for those of us that need to use it as the sharp tool it was originally intended to be.

    If you want a safe command line environment, you need to start over again and build a new shell and command set based on different assumptions to those that UNIX shells are built on, and not try to retrospectively change the design assumptions behind tools that were never intended to protect the user from themselves.

    Reply
  25. James

    I agree that it would theoretically help, but I believe that the number of people it would help would be approximately zero. Everyone knows it’s a joke.

    On one level, Googling “rm -rf” brings up a wide range of jokes, ranging from ye olde shaggy dog story to the Youtube video, via the bin Laden tee-shirt and the obligatory article from the free encyclopaedia that everyone loves to hate.

    On another level, rm is a basic file management command, and therefore one of the first ones anyone learns. It’s why the joke is so effective: it is really really improbable that anyone could be so stupid as to rm -rf everything.

    And GUIs aren’t really an excuse for that sort of level of stupidity. I would bet on just about everyone who has been mollycoddled with Billyware would smell a rat at you telling them to hit WinKey+R, type in command, then in the little black box type in cd\, then del /s /f /q *

    But there is the element of the joke that it really has to work — no-one has ever so much as corpsed at pseudocode. Ultimately, it’s better that something so obviously idiotic works than risk people start telling n00bs about things that are less obvious (like dd and its arcane syntax).

    Reply
  26. rudy

    Trying to make the root shell dummy-proof is like trying to make jet planes crash-proof. “Oh dear me, these controls allow the pilot to nosedive right into the ground! The plane is defective!”

    Reply
  27. CdeMills

    The analogy is not correct. Before having a chance to touch an airplane controls, you have to follow courses, pass exams, and so on. Putting an installation CD for some free OS and clicking ‘Start the installation’ is much easier.

    CdM

    Reply
  28. Debian Rocks

    [quote]igknighted December 6, 2007 at 12:16 pm

    @planet:

    Perhaps if the cops were busting down your door and you had to delete all you pr0n & illegally downloaded songs/movies quickly… you know, didn’t have time to boot up a live disk to partition or something ;)
    [/quote]

    This actually doesn’t help. I can recover data from something like that in about 2 minutes. The best software way to destroy data is shred. The best way to destroy data is to physically destroy the drive (at work we crush them, then run them through a metal shredder — see SSI Shredding online. They have cool videos – “Shred of the Month”).

    Reply
  29. Mikael Nilsson

    Ok, let’s forbid rm -rf /

    What’s going to stop the trolls from saying

    “Now, copy and paste the following command:
    sudo rm -rf /*”

    I mean, what problem are we trying to solve, really?

    Reply
  30. Arthur Protin

    Doing rm -rf /* as root is supposed to destroy the system. The bug is give root access to people who can not deal properly with that kind of responsibility. Do your work as an unprivileged user and have your sysadmin properly configure sudo to allow you only those tasks you really need to be doing, and I doubt that includes doing any rm’s as root. Never do as root anything that can be done as an unprivileged user
    You might also like to have some shell function named del that does something more safe like an rm -i or a mv to some holding directory that would need to be cleaned out another time. Do not try aliasing rm to something else because then you will get in the habit of doing bad things and it will bite you when are using a system someone else set up that doesn’t have that “safety” feature.
    If I were into ad hominem attacks, I would ask if you had been restricted to only eating with a spoon because of the damage you could do to yourself with a knife and fork. That does seem to be the real world analogy to your argument.
    I personally never want to even see, let alone use, a computer system that is protected from me! I never want them to have that kind of power.

    Reply
  31. Karim

    The last time I “Accidentally” used:
    #rm -rf /
    was on RedHat 7.3, and the results were not pretty…
    i was trying to do “./” as opposed to “/”, and I happened
    to have my other 2 partitions:
    1) Windows XP
    2) Data
    which both happened to be fat32, mounted….. yeah
    suffice to say, that was an “all-nighter” and then
    some. :P

    Karim

    Reply
  32. Ferdinand

    Hi,

    I think that this is the right behavior because you can’t delete the root directory.

    If you do ‘rm -rf /usr’ you delete the usr directory. ‘cd /usr’ will give ‘No such file or directory’.
    If you could do ‘rm -rf /’ you don’t delete / but only the files and directory in it. ‘cd /’ is still posible.

    Just checking:
    $ rm -ri .
    rm: cannot remove `.’ or `..’

    Makes sens too.

    Note: Changed -f to -i because i’m a coward :-)

    Reply
  33. Pingback: Fix released, I win « Motho ke motho ka botho

  34. robsku

    Deliberately using the f-parameter for force-removal and then complaining that the system does not protect itself from removal, huh? Well, maybe if you would not enter command as root and then use all parameters possible to make sure that your command is run without disturbing you with questions and forced to do without you told, maybe then the system would in fact have some protection from removing itself…

    If you however want a system that does not give you the full power to do *anything you want* even if intentionally requested but want the system to never let you do certain things – Well, in that case Unix systems are not for you and you might be happyer in windows-land.

    Reply
  35. William

    Interesting. By adding on a * at the end, THEN the fireworks start…without the *, it’s like there’s no match to start the fuse. I tried the command sudo rm -rf / in Ubuntu 6.10, and the system was hosed. I tried it in openSUSE. “rm: cannot remove the directory ‘/’” Then I added the * to the end. I got an error message that said “could not load application”, then the fireworks started. It even went as far as remove the default cursor and replace it with a black pointer with a clock as the “loading” sign. After rebooting. the Virtual Machine wouldn’t load GRUB, because the files weren’t there…

    Reply
  36. Pingback: Howto: File a bug report on Launchpad « Motho ke motho ka botho

  37. Ben Dibell

    It’s not possible to remove “/” itself, anyway. To get past this, issue rm -rf /* instead. Honestly, it’s no pandemic. These people told their penguins to commit suicide, and they are somehow surprised they are dead. rm -rf / IS SUPPOSED to do this. Anyway, if you want fireworks, rm -rf /* will do the trick. Unmount any drives you still love, my friend. >:-)

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s