On Tue, Oct 4, 2016 at 5:54 AM, Pádraig Brady <[email protected]> wrote:
> On 04/10/16 12:38, Pádraig Brady wrote:
>> On 04/10/16 03:21, Mohammed Sadiq wrote:
>>> '--no-preserve-root' that can be used to ignore if the path is root when
>>> using the 'rm' command.
>>>
>>> But as most of the GNU commands accept shortened flags as long as
>>> there is no ambiguity, this can be an issue too. So, 'rm --n' may have the
>>> same effect as 'rm --no-preserve-root'. There may be several users unaware
>>> of this feature which can cause several issues.
>>>
>>> 1. A cracker may be able to trick a user to bring a system down using
>>> '--n' flag.
>>> 2. A folder/file name like '--n' as an argument to 'rm' command may
>>>    try to delete the whole files (in case a '/' too appears as an
>>>    argument), and the user won't find a reason why it happened.
>>>
>>> One way to overcome this is to set '--no-preserve-roots' too as an alias
>>> for '--no-preserve-root'. This means that the user will have to include
>>> the whole flag to ignore root check (shortening will create an ambiguity).
>>
>> An interesting idea.
>> The main focus of the --no-preserve-root option is to protect against
>> accidental insertion of a space with `rm -rf blah /` or `rm -rf $blah/`.
>> With malicious arguments though one can obfuscate using shell quoting,
>> and the recent ls quoting changes are more general protection against that.
>> In saying that I don't see any issue with this, and there is a slight
>> increase in protection, so I'd be 60:40 for making this change.
>
> This would break scripts that used shortened --no-preserve for example,
> though that's quite unlikely to be used.
>
> Implementation is attached.

I too like the idea.
Did you consider this alternate implementation?

$ src/rm --no-preserve-root a
src/rm: cannot remove 'a': No such file or directory
[Exit 1]
$ src/rm --no-preserve-roo a
src/rm: you may not abbreviate the --no-preserve-root option
[Exit 1]
diff --git a/src/rm.c b/src/rm.c
index 13a5714..100d02e 100644
--- a/src/rm.c
+++ b/src/rm.c
@@ -287,6 +287,9 @@ main (int argc, char **argv)
           break;

         case NO_PRESERVE_ROOT:
+          if (! STREQ (argv[optind - 1], "--no-preserve-root"))
+            error (EXIT_FAILURE, 0,
+                   "you may not abbreviate the --no-preserve-root option");
           preserve_root = false;
           break;
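
Review bot: the diagnostic added in the NO_PRESERVE_ROOT case is passed to error() as a bare string literal, so it will not be picked up for translation; wrap it as _("you may not abbreviate the --no-preserve-root option"). The comparison also relies on argv[optind - 1] being the word as typed, which holds only because this option takes no argument; a short comment above the STREQ line saying so would keep a later change to the option from silently breaking the check. Since the thread already notes that scripts using a shortened form would break, the change also wants a NEWS entry and a test covering the abbreviated spelling shown in the transcript.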

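
The abbreviation behaviour discussed in this thread, as a stand-alone added example (not code from the thread or from coreutils): it shows getopt_long expanding '--n', the exact-spelling check rejecting it, and '--' keeping a file named '--n' from being parsed as an option. The function scan_args, its require_exact parameter and the two-entry option table are constructed for this demo, and a GNU-compatible getopt_long is assumed.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

enum { NO_PRESERVE_ROOT = 256, PRESERVE_ROOT };

/* Constructed table: only the long options this demo needs. */
static const struct option long_opts[] = {
  {"no-preserve-root", no_argument, NULL, NO_PRESERVE_ROOT},
  {"preserve-root", no_argument, NULL, PRESERVE_ROOT},
  {NULL, 0, NULL, 0}
};

/* 1: root protection disabled, 0: still on, -1: command line rejected. */
int scan_args(int argc, char **argv, int require_exact)
{
  int preserve_root = 1, c;
  optind = 0;  /* restart scanning so repeated calls work */
  opterr = 0;  /* keep getopt's own diagnostics quiet */
  while ((c = getopt_long(argc, argv, "rf", long_opts, NULL)) != -1) {
    switch (c) {
    case 'r': case 'f':
      break;
    case PRESERVE_ROOT:
      preserve_root = 1;
      break;
    case NO_PRESERVE_ROOT:
      /* The option takes no argument, so argv[optind - 1] is the
         word as typed; getopt has already expanded any prefix. */
      if (require_exact
          && strcmp(argv[optind - 1], "--no-preserve-root") != 0)
        return -1;
      preserve_root = 0;
      break;
    default:
      return -1;
    }
  }
  return preserve_root ? 0 : 1;
}

int main(void) {
  char *abbrev[] = {"rm", "-rf", "--n", "/", NULL};   /* constructed argv */
  char *guarded[] = {"rm", "-rf", "--", "--n", "/", NULL};
  printf("--n, no check:    %d\n", scan_args(4, abbrev, 0));
  printf("--n, exact check: %d\n", scan_args(4, abbrev, 1));
  printf("-- then --n:      %d\n", scan_args(5, guarded, 1));
  return 0;
}
```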