

Rm -rf remains - mmastrac
http://lambdaops.com/rm-rf-remains 

======
kator
Related but fun commands to try along the same vein (as root).

(WARNING: These make a mess; don't do this on a system you care about)

(NOTE: Spaces matter here; watch out if you cut-paste)

    
    
        yes > /dev/mem
        dd if=/dev/urandom of=$(mount|sed -n '/\/ /s/ .*//p')
        rm -fr /lib /usr/lib
        rm /etc/passwd && init 6
    

In the good ol' days a friend of mine and I would boot a Xenix system from
an 8" floppy that was designed to bring up the console and tty1 with a bash
prompt. The goal was to see who could crash the system the fastest. Then we'd
copy the disk, reboot and do it again. The number one rule was you couldn't
use the same one-liner in the next round, so each round got more and more
convoluted.

~~~
ISL
I did the third one (mv, not rm) to a system I cared about, with a full hard
disk, early in my Linux tutelage.

Educational day.

------
JoshTriplett
This is a nice exploration of what's built into the bash shell. Handy not just
for when you rm -rf /, but also for when you suddenly find yourself lacking
in usable tools. For instance, I've had an upgrade break the dynamic linker
(/lib/ld-linux.so.2 or /lib64/ld-linux-x86-64.so.2), and suddenly no
dynamically linked program runs.

However, the solution given here assumes you have a bash compiled with support
for /dev/tcp. You can, instead, paste the necessary executables directly over
the existing connection to the system, encoded to survive that transport.

------
userbinator
This is basically a bootstrapping problem and turns out to rest on these
critical functions:

- being able to create a file containing arbitrary data

- being able to make a file executable

- being able to execute a file

Would the same be possible if your shell was not bash but one with fewer
features, like e.g. POSIX sh? That doesn't even require echo to be a builtin
(it only has the 3rd function above), so it might be a dead end, but maybe
there's some other way...
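
The bootstrap the two comments above describe (JoshTriplett's "paste the
executables over the existing connection, encoded to survive that transport",
and userbinator's three functions: write arbitrary bytes to a file, make it
executable, run it), as an added example. This is not code from the linked
article or from either commenter; `hex_encode`, `hex_decode` and
`find_exec_victim` are names chosen here. It assumes a POSIX shell (dash or
bash) on the damaged side with builtin `printf`, `[` and arithmetic, and
`od`/`tr` on the healthy side that produces the paste.

```shell
# Added example for the two comments above (JoshTriplett's "paste the
# executables over the existing connection, encoded to survive that
# transport" and userbinator's three bootstrap functions). Not code from the
# linked article or from either commenter; function names are chosen here.
# Assumes a POSIX shell (dash or bash) on the damaged side with builtin
# printf, [ and arithmetic, and od/tr on the healthy side.

# --- healthy machine: turn a file into one pasteable line of hex ----------
hex_encode() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# --- damaged machine: builtins only ---------------------------------------
# Function 1 from the thread: create a file containing arbitrary bytes.
# Each byte is emitted as an octal escape \NNN, which POSIX printf is
# required to understand (bash's \xHH is not portable). The three octal
# digits come from shell arithmetic, so no subshell is forked per byte.
hex_decode() {
    hex=$1
    out=$2
    [ $(( ${#hex} % 2 )) -eq 0 ] || { printf 'hex_decode: odd-length input\n' >&2; return 1; }
    # Function 2 from the thread, without chmod: if $out is an existing
    # executable, > truncates it but leaves its permission bits alone, so
    # the new bytes inherit the execute bit.
    while [ -n "$hex" ]; do
        rest=${hex#??}          # input minus its first two characters
        byte=${hex%"$rest"}     # the first two characters
        b=$((0x$byte))          # 0..255
        printf "\\$((b / 64))$((b / 8 % 8))$((b % 8))"
        hex=$rest
    done > "$out"
}

# Pick a surviving executable regular file to overwrite, using only globbing
# and the [ builtin (ls is among the things that are gone). Prints the first
# hit under any of the given directories, or returns 1 if there is none.
find_exec_victim() {
    for d in "$@"; do
        for f in "$d"/*; do
            [ -f "$f" ] && [ -x "$f" ] && { printf '%s\n' "$f"; return 0; }
        done
    done
    return 1
}

# Function 3 from the thread is then just running the file, e.g.:
#   victim=$(find_exec_victim /bin /usr/bin /sbin) \
#     && hex_decode "$pasted_hex" "$victim" && "$victim"
```

The decoder is a bootstrap step, not a file-transfer tool: one loop
iteration per byte is fine for a few kilobytes of shellcode or a tiny static
helper, and painfully slow for anything larger. The `>`-onto-an-existing-
executable trick only works while some executable file is still present,
which is the snag barosl's comment below refers to. The other route raised in
the thread, running a non-executable ELF as `ld.so ./binary`, only needs the
file to be readable, but it does need the dynamic loader itself to survive,
which rules it out for JoshTriplett's broken-linker case.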

~~~
jacobgreenleaf
Alternatively, I think it might be possible if you can cause arbitrary
interrupts to the operating system and control some registers and perhaps the
stack as well. Depending on the shell, you might be able to do this; you
certainly don't need the standard command-line tools for chmod and cat,
because those are just small programs that pass through to actual system
calls:

[http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls....](http://docs.cs.up.ac.za/programming/asm/derick_tut/syscalls.html)

~~~
haberman
How are you going to cause arbitrary interrupts from the shell?

------
obiterdictum
The classic version of it:

[http://lug.wsu.edu/node/414](http://lug.wsu.edu/node/414)

~~~
lsh123
I've had a very similar experience. I believe it was Oracle 7, and one smart
guy tried to install it into the root folder. The only problem was that the
install script did 'rm -rf $DESTFOLDER' at the beginning. Luckily for us, the
script actually printed the commands on the console and the guy quickly
realized what was about to happen. He aborted the install script, but by that
time /etc and quite a few other things were gone.

It was SunOS 5.1, I believe, on a pretty big box (for its time) with A LOT of
user data. We recovered it using roughly the same steps. We didn't need to
write in assembler, though, since we had the Sun compiler toolchain in /opt,
which survived. In the end, we used a modem to connect the damaged box to
another one with a tape backup. It took about 12 hours to copy the data over.

~~~
jevinskie
On Macs, /Applications is probably the first to go. I stopped an rm -rf /*
(intended .*) inside /Applications/Adium.app. I'm really glad I wasn't using an
SSD! Adium itself started acting very odd. One of the many issues was that
sending a message to a specific person actually sent the message to a group
chat. I was lucky to figure that one out before I cursed out the group chat
while describing my stupidity.

------
philips
Mildly interesting: CoreOS is shooting for `rm -rf /` being safe and similar
to a "factory reset" on your phone. Here are the results on vagrant after
rebooting a machine where `rm -rf /` was done:
[http://i.imgur.com/VMuPkf3.png](http://i.imgur.com/VMuPkf3.png)

------
galapago
This article feels like "Minecraft" in a desolate Linux system.

~~~
andrey-p
I was thinking more of a post-apocalyptic sci-fi story.

> We lost everything in the Big War. Luckily our last supplies of Bash built-
> ins were left intact. If we pool our resources and use our remaining
> executable bits wisely, we might just last through the nuclear winter.

~~~
hobo_mark
That was more or less the premise behind 0x10c
[http://en.wikipedia.org/wiki/0x10c](http://en.wikipedia.org/wiki/0x10c)

------
adrianhoward
About 25 years ago I saw somebody do a "chmod a-rwx ." as root, in the root
directory, on a SunOS box. Recovering from that was almost entertaining ;-)

~~~
fjarlq
But the superuser privileges should have overridden such directory
permissions, even 25 years ago....

~~~
DmitriRavinoff
Yes, but if you can't run the chmod binary...

~~~
fjarlq
No, root can still run chmod, because its superuser privileges override the
new restrictive directory perms. That was my point.

Maybe the original problem was actually "chmod a-rwx /bin/chmod" ... That
would mean even the superuser couldn't execute /bin/chmod anymore, so you'd
have to do something more creative to reset the executable bit on /bin/chmod.
Like compile a C program that calls the chmod system call, or:

    
    
      mv /bin/chmod /bin/chmod.orig
      cp -p /bin/ls /bin/chmod
      cp /bin/chmod.orig /bin/chmod

~~~
pantalaimon
> Like compile a C program that calls the chmod system call

The compiler wouldn't be executable anymore either

~~~
claviola
Yes, it would. Like he said, you can still run it unless you specifically
removed its permissions.

------
haberman
That was a really fun read. I had no idea that bash supported loading plugins
out of shared libraries with the "enable" command.

~~~
voltagex_
I'm trying to work out how enable is useful over dropping an executable in
/bin or ~/bin (not in this story, but in general)

It's definitely a nice trick, though.

Edit: [http://cfajohnson.com/shell/articles/dynamically-loadable/](http://cfajohnson.com/shell/articles/dynamically-loadable/)

------
jl6
bash enable sounds like a potential attack vector for executing code on a
filesystem that would otherwise not allow it.

------
s-macke
Thanks for the nice description!

For my small Linux emulator I put the link in the Wiki after "Destroy the
system" :)

[https://github.com/s-macke/jor1k/wiki/Explore-the-emulator#r...](https://github.com/s-macke/jor1k/wiki/Explore-the-emulator#restore-the-system)

The system already runs on BusyBox, so the whole binary is in RAM. Is there a
way to restore the binary from /proc? Or to restore the symlinks and maybe
link them to /proc/self/exe or so?

------
general_failure
[http://www.reddit.com/r/linux/comments/27is0x/rm_rf_remains/...](http://www.reddit.com/r/linux/comments/27is0x/rm_rf_remains/ci199bk)
is the link on his blog. Great read.

------
barosl
I lol'd at the attempt to find executables to overwrite. It does make
sense, though the applicable files are already gone.

~~~
kuschku
Shouldn't you still be able to directly invoke ld-linux.so to load the ELF
binary, even if it's marked as non-executable?

~~~
0x0
That won't help when it has been deleted :)

------
rburhum
There may be an obvious reason, but if using another machine is fair game as
he did in one of the examples, then why did OP not just copy ls/chmod/etc from
another machine to poke around?

~~~
jsnell
How are you proposing he copy it from another machine? There's no file
transfer program, client or server, remaining. Nor is there a way to mount an
external filesystem. The whole point of the exercise is to bootstrap up from
the few remaining resources to the point where you can "just" copy stuff in
from another machine.

~~~
rburhum
If the ssh connection remains (it is what he is using to poke around,
after all), you can tunnel through the active connection without having to
create a new one [http://unix.stackexchange.com/questions/2857/ssh-easily-copy...](http://unix.stackexchange.com/questions/2857/ssh-easily-copy-file-to-local-system)

------
yoha
Already posted →
[https://hn.algolia.com/?q=lambdaosp](https://hn.algolia.com/?q=lambdaosp)

It would have made more sense to at least change the title to make it more
explicit.

~~~
dang
Reposts are fine when an item hasn't had significant attention within about
the last year. The previous post had 10 points, but 0 comments, so this repost
probably doesn't count as a dupe.

