63 points
*

rm -rf ${var}/ is a disaster waiting to happen.

Always do rm -rf "${var:?}/" so that the script aborts if the variable is empty. Or better yet rm -rf "./${var:?}/".

Edited to add quotes. Always quote a path: it might have spaces in it, without quotes that will become multiple paths! Which would also have avoided the particular bug in question.

permalink
report
reply
18 points

Is there not also a way to disallow empty variables in the script, I think it is set -u? Then you don’t have to keep thinking “should I add a :? here because if empty it may lead to disaster” all the time. Might be even safer.

permalink
report
parent
reply
27 points

set -euo pipefail at the top of every script makes stuff a lot safer. Explanation here.

permalink
report
parent
reply
8 points

Yep! I always do this too.

TL;DR: e aborts the whole script on a non-zero error. u aborts when using an undefined variable. -o pipefail aborts a piped compound command when one of the piped commands fail.

Any other way lies madness. Or erasing the whole filesystem apparently!

permalink
report
parent
reply
7 points
*

Yes! But -u is for undefined variables. It won’t stop a defined variable with an empty value. E.g foo="".

Also ? and :? have the advantage of telling you right then and there where the variable use is that it must be defined or not empty… having to trek back to (likely) the top of the script to check is easily forgotten.

permalink
report
parent
reply
15 points

Reminds me of a script a colleague has where it would sometimes accidentally wipe the entire production folder on a server. I pointed out the risk in his script and explained how to correct it like 2 years ago, give or take. He said he did, but then last week it happened again because apparently he had several scripts like that and only corrected one.

You can lead a horse to water, but you can’t force it to drink.

permalink
report
parent
reply
10 points

In this case the issue was that a change between kde5 and kde6 let to the variable being defined as somepath / (notice the space).

permalink
report
parent
reply
13 points

And that’s why you also surround it with double quotes.

permalink
report
parent
reply
3 points

I usually have a whole block that checks if the var exists and exits if not, but this is way more elegant

permalink
report
parent
reply
2 points

Protects you from accidentally changing the variable within the block too!

permalink
report
parent
reply
43 points

Reminds me of old bumblebee install script:

An extra space at line 351:
rm -rf /usr /lib/nvidia-current/xorg/xorg
permalink
report
reply
10 points

Yikes

permalink
report
parent
reply
40 points

That reminds me…

In circa 1995 I was running a dial upBBS service – as a teenager. So if course, it was full of bootlegged video games and such, and people would dial in, download a game, log off.

Someone uploaded Descent or something like that. But they had put "deltree /y C:" or similar into a batch file, used a BAT2COM converter program, then a COM2EXE program, then padded the file size to approximately the right size with random crap (probably just using APPEND)… And uploaded it. Well, fortunately for the rest of my users, I say the game and said: oh, that’s neat, I should try it and copied it to another computer over my internal network and launched it. It started deleting files right away and I hit CTRL-C to abort. I lost only a few dozen files.

Banned the user, deleted the package. Got lucky.

permalink
report
reply
32 points

The theme contained rm -rf, but claims it wasn’t malicious intent…I assume rm -rf for cleanup, but seems like it should have a apecific path other than /

permalink
report
reply
44 points
*

The command was rm -rf $pathvariable

Bug in the code caused the path to be root. Wasn’t explicitly malicious

permalink
report
parent
reply
19 points

Don’t most distros have safeguards against this? I tried sudo rm -rf / in an Ubuntu VM that I was about to delete just to see what happened, and it gave me a warning. I had to add some other option to bypass the warning.

permalink
report
parent
reply
14 points

it apparently was defaulting to the home dir, not /

permalink
report
parent
reply
9 points

Yes,

rm -rf --allow-unsafe

Or something is required

permalink
report
parent
reply
21 points

When I worked at Pixar long ago an intern had a cron job that was intended to clean up his nightly build and ended up deleting everything on the network share for everyone!

Fortunately there were back-ups and it was fine, but that day was really hilariously annoying while they tracked down things disappearing.

permalink
report
parent
reply
8 points

Was that the infamous Toy Story 2 incident?

permalink
report
parent
reply
14 points
*

Amusingly enough, no.

This was after Toy Story 3 released but before Brave.

permalink
report
parent
reply
2 points

Oof

permalink
report
parent
reply
6 points

Was it a native theme or a downloaded/custom theme?

permalink
report
parent
reply
8 points

Downloaded from the KDE store

permalink
report
parent
reply
4 points

Thank you. I couldn’t get google translate to work for me.

permalink
report
parent
reply
1 point

Custom download

permalink
report
parent
reply
23 points

A Linux user’s nightmare: the machine was wiped clean with one click

Timo Tamminen

One day a Linux user using KDE Plasma decided to download a generic theme for his desktop environment. This is possible with Plasma’s built-in tool, through which you can download anything from themes to icons and wallpapers.

Installing themes using Plasma’s tool is easy and fast. It practically only requires one click. This time, however, the user in question certainly wishes that that one click had not been completed.

Namely, installing the theme called Gray Layout wiped the machine completely empty of the user’s personal files. Without asking anything.

Although the theme developer’s intention this time was apparently not malicious, the accident was a clear indication that installing third-party themes without careful supervision can be a bad mistake. With the theme, almost anything can be installed in the user’s home directory.

The Gray Layout installation script ran the rm -rf command, which normally removes all files from the device, making the command particularly dangerous to use. However, without root access, it can only cause limited damage.

Reddit user Jeansen Vaars says that he lost all his games, settings files, browser history and other contents of his home directory in a crash.

The unofficial face of KDE, Nate Graham, apologizes for what happened. He promises that the matter will be thoroughly investigated. The theme in question has also been removed from the theme store.

permalink
report
reply

Linux

!linux@lemmy.ml

Create post

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

  • Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
  • No misinformation
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

Community stats

  • 8.1K

    Monthly active users

  • 6.4K

    Posts

  • 174K

    Comments