Not all systems have the preserve-root flag enforced, actually… I accidentally did the rm -rf / in a bash script (the variable for the path returned empty), and it irreversibly deleted a bunch of my system, including sudo and a big part of /etc, before I realized and did Ctrl+C. However the damage was done, rendering the system both unusable and unbootable. Fortunately I managed to recover some data, as the drive was not encrypted.
Edit: Yes, like a fool I ran the script as sudo… I am now older and wiser.
I didn’t personally do this one, but I once worked at a job where I was tasked with updating a kickstart file from RHEL6 to 7. I don’t remember the details, but in the postscript, there was a variable that was set in 6 but not 7. That variable was then used in a command like rm -rf /${variable}.
It took me a little while to figure out why every system imaged with that kickstart was emptying its own filesystem.
What distro was this, out of curiosity? As far as I’m aware, preserve-root enforcement comes from upstream coreutils.
Iirc, it was Debian 10 (Buster). I thought they enforced it (rm did support it at the time), but perhaps it was tricked by using an empty variable or something?
Ahhh, I just re-read your comment, and yeah that would have been the case.
I think another quick bypass without using the proper flag could be to use a wildcard (for example, rm -rf /*), I think that might work too maybe
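The empty-variable failure described in the comments above, seen from the defensive side. This is an added example, not code from any commenter: a POSIX shell wrapper that validates the path before rm runs. The function names validate_target and safe_rm, and the split into a base directory plus a component, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Hypothetical helpers: validate_target, safe_rm.
# Notes on the failure modes raised in the thread:
#  - "set -u" aborts on UNSET variables only; a variable that is set but
#    empty still expands to nothing. "${var:?msg}" rejects both cases.
#  - A glob such as /* is expanded by the shell before rm starts, so
#    rm's --preserve-root check never sees "/" as an operand.

# validate_target BASE COMPONENT
# Prints the resolved path and returns 0 only when COMPONENT is non-empty
# and resolves to an existing directory strictly below BASE.
validate_target() {
    vt_base=$1
    vt_sub=$2
    [ -n "$vt_base" ] && [ -n "$vt_sub" ] || return 1
    case $vt_sub in
        /*|*'*'*|*'?'*|..|../*|*/..|*/../*) return 1 ;;  # absolute, glob, traversal
    esac
    # Resolve symlinks so a link pointing at / cannot pass as a child of BASE.
    vt_real_base=$(cd -P -- "$vt_base" >/dev/null 2>&1 && pwd -P) || return 1
    [ "$vt_real_base" != "/" ] || return 1
    vt_real=$(cd -P -- "$vt_base/$vt_sub" >/dev/null 2>&1 && pwd -P) || return 1
    case $vt_real in
        "$vt_real_base"/*) printf '%s\n' "$vt_real" ;;
        *) return 1 ;;
    esac
}

# safe_rm BASE COMPONENT
# Deletes BASE/COMPONENT only after validation; otherwise deletes nothing.
safe_rm() {
    sr_target=$(validate_target "$1" "$2") || {
        echo "safe_rm: refusing base='$1' component='$2'" >&2
        return 1
    }
    rm -rf -- "$sr_target"
}

# Constructed demo: the path variable "returned empty", as in the thread.
demo_dir=$(mktemp -d)
variable=""
safe_rm "$demo_dir" "$variable" || echo "nothing deleted"
rmdir "$demo_dir"
```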