lostwebsite.net blog

In my last post I’ve shown that some people are annoyed at the fact that they can no longer erase their root directory simply by typing rm -rf /. I’m happy that this possibility is removed. I’m not scared that means Linux is being dumbed down. There are already some safeguards in Linux and nobody is complaining about them because they guard even seasoned users to do things that are dangerous or silly.

Proper safeguards

dpkg won’t remove itself

Erasing the primary package manager on your system prevents your from installing any other package. It is hard to argue that it is a good thing to let that happen without warnings.

fdgonthier@moka:~/ > sudo dpkg --purge dpkg
dpkg: error processing dpkg (--purge):
 This is an essential package - it should not be removed.
Errors were encountered while processing:
 dpkg

You can still erase dpkg if you want by using the --force-remove-essential option. I can actually think of reasons somebody might want to do that but this is a bad idea, and probably a mistake, most of the time its attempted. dpkg and apt protect essential and important packages on a Debian system by asking for obscure force options or confirmation, depending on what is attempted.

You can’t unmount /

fdgonthier@moka:~/ > sudo umount /
umount: /: device is busy
umount: /: device is busy

That is akin to removing the wheels of a running car. You can’t even force-unmount it.

You really shouldn’t fsck a drive in use

It is possible to do that, but when you call fsck.ext3 on a mounted partition, it will ask you with a rather serious prompt if you really want to proceed. fsck.ext3 has a force option but it has no effects on this prompt. This speaks volume about how much doing this is discouraged.

In good Unix fashion it is still possible to do it if you really want to but the developer of fsck.ext3 has made clear in the man page that you don’t want to do that.

Some kernel modules can’t be unloaded

modprobe has a force option (-f) too. It can be used to unload reluctant modules. It is clearly documented in modprobe manual page that removing by force may crash your system. I’ve used it a few times, it worked a few times, it crashed a few times, but most of the time it will not work if the module is important.

Why should it be possible to remove the module for the computer chipset while it is running? The answer is left to the imagination of the reader. I think its a good thing this kind of module won’t unload.

You can’t kill the init process

kill -9 1 will do nothing. This is actually hardcoded in the Linux kernel. The init process is the mother of all process in the system. Without it, you won’t be able to boot, or reboot, or use your virtual consoles. It is the reaper of zombies so if it dies, prepare for zombie invasion. There is really no reason to kill this process, ever.

You can’t format a mounted filesystem

fdgonthier@moka:~/ > sudo mkfs.ext3 /dev/sda1
mke2fs 1.41.5 (23-Apr-2009)
/dev/sda1 is mounted; will not make a filesystem here!

mkfs.ext3 offers a way to force this but you have to use the force option (-F)twice.

Files in /dev are dynamically recreated

The health of your system is no longer tied to what is in the mysterious /dev directory. You can delete those files if you wan’t, and, depending what you erase, your currently running system may or may not be affected, but those problems will not survive a reboot or the invocation of /etc/init.d/udev restart.

GUI environment won’t let you in the dark

This is something common now. If for some reason, you change your resolution to something your monitor can’t support and your screen goes blank, desktop environment will automatically switch to your last used resolution. This is a safety mechanism preventing desktop users to set their screen to a resolution that leaves them without graphic display. Any resolution can still be configured statically into the system-wide xorg.conf if necessary.

Conclusion

All the safeguards and behaviors I’ve described above go against the Do What I Mean (DWIM) philosophy of Unix, and the something against the semantic of some option of the command: the kernel won’t let you unload your chipset module because it won’t work without it, mkfs.ext3 won’t let your format a partition that is in use because it’s certainly not what you want to do, dpkg won’t let your remove itself because there is a chance you won’t be able to reinstall it after it was removed.

If you think doing anything of what I’ve named above would be totaly stupid anyway, then you are right. Good safeguards aren’t there to nag you, and won’t ask you to double check everything you do. They simply prevent you from doing things that are possibly catastrophically detrimental to your system. Stop thinking rm -rf / should work because the Unix pilosophy about DYIM, because some command you can type have might no meaning at all.

Then a few things surprised me…

While testing potentially destructive commands in my test virtual machine, I’ve found I was able to do things I think I shouldn’t have. There might be some reason those things are possible. If you know why, please comment.

deluser: delete the root user

You can run deluser root as root without problems. This is of no consequences to the system because the root user is always the user with UID 0, but I think many scripts would be broken by that.

mkfs.ext3: tries to formats a directory

I don’t think a directory can hold a ext3 filesystem, yet mkfs.ext3 /etc will still try to proceed, and fail, after showing a warning telling that will probably won’t work.

fdgonthier@moka:~/ > sudo mkfs.ext3 /etc
[sudo] password for fdgonthier:
mke2fs 1.41.5 (23-Apr-2009)
/etc is not a block special device.
Proceed anyway? (y,n) y
mkfs.ext3: Device size reported to be zero.  Invalid partition specified, or
        partition table wasn't reread after running fdisk, due to
        a modified partition being busy and in use.  You may need to reboot
        to re-read your partition table.

Should it even bother to try?

fdisk: delete an active, mounted partition

fsck.ext3 detects that if targeted partition is mounted. I don’t see why fdisk couldn’t do that. I think there is a good chance that deleting a mounted partition is a mistake and there is not even a warning before proceeding.

unmount /proc and /sys

Those pseudofilesystem have become necessary to a lot of program. It’s a bit weird that you can just unmount them without warnings.

More silly things…

cat /dev/urandom > /dev/mem will very quickly crashes your system. There are multiple variant to that, which are all as efficient as rm -rf / at causing harm to a Linux system.

Those silly commands are unlikely to outside forum of Linux users that love to abuse n00bs, so safeguarding against them is of little importance. Still, why should a superuser shell should have such a raw access to disk devices? Is it necessary? Is there a way to mitigate that?

If you like that post, please subscribe to my
RSS feed. More readers would motivate me to keep writing at least once a week.

A followup…

This entry now has a followup: Good safeguards.

Update

It was pointed to me from Reddit and from a commenter that the -f flag in rm -rf is the force flag and isn’t part of the command. I’m willing to admit I’m wrong and probably overuse the force flag, but I didn’t remember how I got that bad habit.

I then retried the rm -r command on a directory in /tmp. This directory is owned by me but happens to include some files owned by root. I’m allowed to erase those files, but for each file I don’t own, I get a prompt asking me to confirm. This gets annoying quickly and had this not been a test I would have hit Ctrl+C and re-run the command with -f. If you often work with directories with mixed permissions (and I do), you can quicly get into the habit of running rm using the force flag.

This weakens the value of the -f flag for protecting against the huge mistake that is erasing /.

Original post

Did you know that rm -rf / no longer works on recent Ubuntu version? I bet you did not because this command tends to be a bit destructive.

I did not know that. I’ve never been bitten by an accidental rm -rf / but the possibility scares the hell out of me whenever I do a command in my root directory or whenever I write scripts thats erase files.

I’m a seasoned Linux user, yet I was pleased to know that Ubuntu now has that command refuse to work by default. rm -rf / now comes with the implied --preserve-root switch which returns an error when it attemps to erase the root directory.

I’m happy because that command has little reasons to exists beyond the mere fact that rm -rf is meant to unconditionnally erases files and directory: ie, a sole rmsysroot command would not exists. It would make as much sense as a car designed to only crash into the first tree.

Yet, some people oppose such a safeguard. The people that oppose this are probably the kind that made some people come up with sarcasms such as this lovely t-shirt.

LWN’s John Corbet has made a pretty good article about why its a good thing that rm -rf / is safeguarded against errors so I’m not going to rewrite a whole article about that. Let’s just repeat what I find important:

• unguarded rm -rf / might not just happen on the command line, but in scripts too, and at times where you can’t just hit Ctrl+C to save a part of your day
• its just too easy to make a syntax error in a command and type rm -rf / tmp/* when you meant to type rm -rf /tmp/*
• if you really want to remove /, you can use the --no-preserve-root switch.

Now let’s just look at the people who opposes this. Here are some pearls form people complaining about this new feature. I’ve found them on the Launchpad bug report and a blog funnily named Ubuntard. I think naming the authors of those quotes is useless. Suffice to know and weep that they exists.

Also, this directly conflicts with the functionality of the ‘-f’ switch, without which there ALREADY IS CONFIRMATION OF EVERY DELETION.

Bullshit. The -f is not a confirmation, it’s part of the command. Confirmation should come after the command.

So, what’s next? Patch dd to prevent it from wiping your partition?

Well, yes, dd sucks indeed should probably changed. But that’s the subject for another blog post. The point is that I use rm -rf at work up to several times per hour, and I use dd a few times per year. I doubt this is generalizing to say that rm has a much higher potential for errors for every Linux shell users than dd ever has and ever will.

Couldn’t agree more with you. If people don’t know what they are doing, they shouldn’t be working the command line anyway.[...]

rm is not a gun, dynamite, or C4. It erases files. I’ve got 172583 files on this small computer, chances are some of them are superflous and need to be erased. There should not be any remote risk that I erase all my disk if I want to remove just one.

Safety if for bitches. Knowledge is for winners.

No comments. Let’s just say that I hope this person finds a creative, unsafeguarded, way to nuke his system.

[...] come to think of it, if I’d been given a stupid error message telling me not to do that, I’d probably have punched a hole in my CRT instead.

… or yeah, he can do that too! I could go on for quite a while, but the pearl, that is actually repeated more than once, is the invocation of the “Unix philsophy”.

Changes of this nature are destructive to the philosophy of *nix, and is a step closer to the laughable click-the-dialog-box security of Windows Vista.

This is a safeguard; a satefy cushion. This is the program saying “You can’t really be that stupid so I’m not letting you do that!”

Don’t tell me about this so called Unix philosophy! Unix is evolving and when technology evolves, it also tends to grow features that keep people from shooting themselves in the foot. This is why cars have airbags, this is why some laptops have spill guards and free-fall sensors, and also why your water heater doesn’t blow up your house.

Just like people that want to drive without airbags can just remove them, Unix doesn’t bolt the --preserve-root option onto the rm command. It’s probably easy enough to take the coreutils package, change its build options to disable --preserve-root. I could probably write some instructions to do that in a few paragraphs, but since I think doing that would be stupid, I won’t!

This is an annoyance I found got around to solve.  In Konsole, with a basic X configuration, when you type AltGr Space, you get a non-breakable space. It might happen in other things X terminal/shell combo, or the both of them might not matter at all.

If you are an heavy shell user, you might hit the AltGr Space combo by accident. This wouldn’t be bad if the shell made it somehow obvious that what you entered in a non-breakable space. The fact is that it doesn’t and it’s then totally impossible to distinguish a regular space with a non-breakable space after it was typed in the shell.

cd $HOME
zsh: no such file or directory: cd /home/fdgonthier

After typing such a command quickly, I was often left wondering what the hell was wrong with my command, since, as far as I could see, it was syntaxically correct.

The problem is that since there is a non-breakable space between cd and $HOME, Zsh wants to execute the whole command as a single command. Since I didn’t know I could even type non-breakable space in X, I checked what the hell the shell was doing by using strace. strace is my favorite diagnosis tool for any kind of problems in Linux. Programs don’t lie when they are spied with strace. The problem is obvious:

execve("cd\302\240/home/fdgonthier", ["cd\302\240/home/fdgonthier"], [/* 30 vars */]) = -1 ENOENT (No such file or directory)

It took me a while but I’ve found that \302\240 is the Unicode sequence for non-breakable space. Once I have found that, I Google search lead me to Launchpad bug 218637.

On this page, you see that you can disable non-breakable space using a xkb option in xorg.conf. Simply add the following in the InputDevice section related to your keyboard.

...
Option "XkbOptions"    "nbsp:none"
...

or use

setxkbmap -option "nbsp:none"

in a console, your favorite initialization file, or elsewhere.

The following is a description of the technique I’ve used to create partial Debian mirrors. I have damn near mastered that technique that is not immediately obvious if you don’t know the tool. Nothing there is black magic though, as you will see.

The following example will use the programs called reprepro and
germinate. Both are available on several versions of Ubuntu, Debian Lenny and Debian Sid. I’m not going to explain either in great details. They are well documented in the case of reprepro, and there is enough documentation in germinate.

Required steps

This configuration is necessary in both case.

reprepro is by far my favorite Debian repository manager. It has a steep learning curve at first but once you get past the initial configuration and the first few commands you’ll see it cannot really be made easier.

The first step is to create the directory that will contain the mirror. In that directory create a directory called conf.

In that directory, edit a file named distribution in your favorite editor At this point I usually pop-open the man page for reprepro. Write the following in that file:

Codename: etch
Architectures: amd64 source
Description: Debian Etch (required package only)
Components: main
Update: debian-etch-update

That’s all we need in that file right now. This describes what distribution this mirror will include. You can have several distributions in a mirror. Most field are self explanatory except perhaps the Updates field which will explain below.

Partial mirror, using reprepro only

The next step explain how to create a partial mirror using just reprepro. reprepro is powerful enough to select a subset of a whole package archive.

Name: debian-etch-update
Method: http://gulus.usherbrooke.ca/debian
Components: main
Architectures: amd64 source
FilterFormula: Priority (==required)

The content above is the content of your conf/updates file. It includes all the rules needed to update the distributions configured in the distributions file. The distribution etch we created in is linked to its respective update rule by the Update configuration field.

The key to partial mirroring in this case is the FilterFormula field, which selects just the Debian package in required in a very basic installation. There is also a FilterList field which can select just the set of package you list. This is the basis of the next section.

To start mirroring, go in the mirror directory and do:

reprepro -V update etch

and reprepro will start downloading packages. The -V argument activates verbose mode. After successfully creating the archive, you can reuse the same command to update your mirror.

Germinate and reprepro

germinate is an oddball program which, given a set of package, will recursively find all packages a set of package depend on.

As a simple example, if you tell germinate to germinate the dependencies from the package python, it will list libssl, libreadline and will eventually find libc6. It can also fetch build dependencies if you want everything needed to build the package you want.

We will use germinate to create a Debian repository that mirrors just the set of package the python2.5 package depends on.

germinate is a very specialised tool which sees little use outside making new Debian and Ubuntu derivative distributions. It’s very powerful but a bit confusing. I’ll give the basic recipe you need to know to accomplish our current goal. If there is enough or any interest, I give more use cases for germinate.

1. Create directories called seeds and germinate. The former will include the files we give as input to germinate. The later will include germinate’s output.

2. In the seeds directory, create files called blacklist, required, STRUCTURE and supported. The blacklist and required will stay empty.

3. In the STRUCTURE file, put the following:

   required:
   supported:
   

4. In the required file, put the following:

    * python2.5
   

   Don’t forget the space at the start of the line.

5. You can then run germinate.

   (MIRROR=http://gulus.usherbrooke.ca/debian
     cd germinate && \
     germinate -v \
               -m $MIRROR \
               -d etch \
               -c main \
               -s seeds \
               -S file:///tmp/temp-distro \
               --no-rdepends)
   

   where you can replace /tmp/temp-distro with the base directory of your mirror.

You should see a bunch of files created in the germinate directory. The only file we are interested in is germinate/required.

germinate output is meant to be human-readable so we need a bit of parsing to extract the required information.

The following Bash magic does the trick:

for pkg in $(cat germinate/required \
  | tail -n +3 \
  | head -n -2 \
  | cut -d '|' -f 1); do\
 echo $pkg install; \
done > mirror.packages

The resulting mirror.package is now suitable to act as a filter for reprepro.

Replace the FilterFormula line in conf/updates by:

FilterList: purge ../mirror.packages

purge tells reprepro not to do anything for packages not in the list.

Then run:

reprepro -V update etch

to create your mirror.

Did you know you could pretty much install Ubuntu on Debian Sid? Now you do!

Well, yes and no.

Yes because I installed a set of Ubuntu packages on a (de)bootstrapped Sid Debian distribution.

No because the debootstrap actually installed Ubuntu packages, and the set of packages Ubuntu and Debian install at their base are actually quite similar.

If you diff the 2 debootstraps scripts (Ubuntu Gutsy vs. Debian Sid), you’ll see very little difference between the 2. To make that work you have to alias the Debian Sid distribution to Gutsy otherwise deboostrap will fail saying it can’t find the source distribution on the mirror.

On the CD I’m making, I’m using a custom distribution name, made off Ubuntu packages. With a quick hack to deboostrap, you can make debootstrap install Sid using Gutsy packages!