Why is the dreadful 'rm -rf /' even allowed?
Why is there no such safeguard in the rm command?
There are already three safeguards:
- The
-r
switch, without which a directory can't be removed. - The
-i
switch, which verifies that you actually want to delete what you've asked to delete. Aliasingrm
torm -i
turns that safeguard on unless you add the-f
switch to turn it off. - File ownership, which prevents all users but
root
from deleting the root directory.
The Unix toolset is like a chainsaw: it was designed to do very powerful things and be wielded by people who understand what they're doing. Those who tread carelessly are likely to end up injuring themselves. This isn't to say that the experienced don't make mistakes, and obviously Sun and others feel that users with root
need to be protected from themselves.
However shouldn't this specific case be an exception to that rule?
People have been asking why we can't put a blade guard over the rm
chainsaw since at least the 1980s. (Probably longer, but my history with Unix doesn't go back any further than that.) You have to ask yourself more questions:
Since we're adding exceptions, what else should be considered sacred? Should we prevent recursive deletion of anything in the root directory to avoid equally-devastating mistakes like
rm -rf /*
? What about the user's home directory? What about/lib
or/bin
? Would we have to have a special version ofrm
to prevent these mistakes on systems with a nontraditional file system layout?Where do we put the enforcement of these prohibitions? Just in
rm
or do we give the kernel that job? Sincerm
doesn't actually delete anything (it makes lots of calls tounlink(2)
andrmdir(2)
based on the arguments), there would be no way for the kernel to detect thatrm
was really gunning for/
until the moment actually came to delete it. Since the only call tormdir(2)
that would ever succeed is when the target directory is empty, reaching that point with/
would mean the system's already done for.
It depends on the distribution. The older Linux I'm on right now allows it (I think, didn't test it though :-) ) and states in man rm
:
--no-preserve-root do not treat '/' specially (the default)
--preserve-root
fail to operate recursively on '/'
On many recent distributions, you need to explicitly add --no-preserve-root
to disable the safeguard. Otherwise it will fail to execute.
Regarding Ubuntu, see this issue where this behavior is discussed.
The history of this protection according to Wikipedia:
Sun Microsystems introduced
rm -rf /
protection in Solaris 10, first released in 2005. Upon executing the command, the system now reports that the removal of/
is not allowed. Shortly after, the same functionality was introduced into FreeBSD version ofrm
utility. GNUrm
refuses to executerm -rf /
if the--preserve-root
option is given, which has been the default since version 6.4 of GNU Core Utilities was released in 2006.