bug#24604: Add '--no-preserve-roots' flag to 'rm' for better safety
From: Pádraig Brady
Subject: bug#24604: Add '--no-preserve-roots' flag to 'rm' for better safety
Date: Tue, 4 Oct 2016 13:54:17 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

On 04/10/16 12:38, Pádraig Brady wrote:
> On 04/10/16 03:21, Mohammed Sadiq wrote:
>> '--no-preserve-root' that can be used to ignore if the path is root when
>> using the 'rm' command.
>>
>> But as most of the GNU commands accept shortened flags as long as
>> there is no ambiguity, this can be an issue too. So, 'rm --n' may have the
>> same effect as 'rm --no-preserve-root'. There may be several users unaware
>> of this feature which can cause several issues.
>>
>> 1. A cracker may be able to trick a user into bringing a system down using
>>    the '--n' flag.
>> 2. A folder/file name like '--n' as an argument to the 'rm' command may
>>    try to delete the whole files (in case a '/' too appears as an
>>    argument), and the user won't find a reason why it happened.
>>
>> One way to overcome this is to set '--no-preserve-roots' too as an alias for
>> '--no-preserve-root'. This means that the user will have to include the whole
>> flag to ignore the root check (shortening will create an ambiguity).
>
> An interesting idea.
> The main focus of the --no-preserve-root option is to protect against
> accidental insertion of a space with `rm -rf blah /` or `rm -rf $blah/`.
> With malicious arguments though one can obfuscate using shell quoting,
> and the recent ls quoting changes are more general protection against that.
> In saying that I don't see any issue with this, and there is a slight
> increase in protection, so I'd be 60:40 for making this change.
This would break scripts that used shortened --no-preserve for example,
though that's quite unlikely to be used.
Implementation is attached.
Pádraig
rm--n.patch
Description: Text Data
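
The abbreviation behaviour discussed in this thread, as an added example that is not the attached patch and not coreutils code: a small getopt_long parser that accepts `--n` as `--no-preserve-root` in lenient mode and refuses any abbreviated spelling in strict mode. It uses an exact-spelling check rather than the alias proposed above; the function name `parse_preserve_root`, the `strict` parameter and the two-entry option table are assumptions made for the illustration.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

enum { NO_PRESERVE_ROOT = 256, PRESERVE_ROOT };

/* Constructed option table for this example: only these two long options. */
static const struct option long_opts[] = {
    {"no-preserve-root", no_argument, NULL, NO_PRESERVE_ROOT},
    {"preserve-root",    no_argument, NULL, PRESERVE_ROOT},
    {NULL, 0, NULL, 0}
};

/* Returns 1 if root protection stays on, 0 if it was switched off and
   -1 if the command line is rejected. With strict != 0 the dangerous
   option is honoured only when it is spelled out in full. */
int parse_preserve_root(int argc, char **argv, int strict)
{
    int preserve = 1, c;
    optind = 0;  /* glibc: reinitialise getopt so the function is re-callable */
    opterr = 0;  /* no messages on stderr; errors are reported via the return */
    while ((c = getopt_long(argc, argv, "rf", long_opts, NULL)) != -1) {
        switch (c) {
        case NO_PRESERVE_ROOT:
            /* argv[optind - 1] is the word getopt_long has just consumed. */
            if (strict && strcmp(argv[optind - 1], "--no-preserve-root") != 0)
                return -1;           /* abbreviated spelling refused */
            preserve = 0;
            break;
        case PRESERVE_ROOT:
            preserve = 1;
            break;
        case 'r': case 'f':
            break;
        default:
            return -1;               /* unknown or ambiguous option */
        }
    }
    return preserve;
}

int main(void)
{
    /* Constructed command lines; nothing is deleted, only parsed. */
    char *abbrev[] = {"rm", "-rf", "--n", "/", NULL};
    char *full[]   = {"rm", "-rf", "--no-preserve-root", "/", NULL};
    printf("lenient --n: %d\n", parse_preserve_root(4, abbrev, 0));
    printf("strict  --n: %d\n", parse_preserve_root(4, abbrev, 1));
    printf("strict full: %d\n", parse_preserve_root(4, full, 1));
    return 0;
}
```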