
Rm -rf / in Windows Subsystem for Linux reveals sharp set of teeth - hitr
https://www.slightfuture.com/technote/rmrf-in-wsl
======
rdtsc
> I actually expected Windows’ Syscall translation layer for Linux to block
> any such clearly destructive actions.

Well, I bet, if it blocked these actions, there would have been another blog
complaining how the Linux subsystem is just a toy, goes against the Unix
tradition of "can shoot yourself in the foot if you really want" etc etc.

~~~
dejawu
This is absolutely right.

And I'd definitely much rather be able to do dangerous things if I want to,
than be told that I need to be protected from them. I do appreciate that rm
-rf requires "\--no-preserve-root" for that extra level of certainty, but the
author of the OP should not be surprised at what happened.

~~~
Houshalter
That's fine until 4chan starts distributing images telling people to run this
cool command to speed up their computer or something stupid. Ala delete system
32. They will have to lock this down like they did with system 32. Users do
need to be protected from their own stupidity.

~~~
JoshTriplett
Running a random shell command from the Internet without understanding it can
do any number of terrible things; removing all your files and making your
system unbootable is _not_ the worst that could happen.

\--no-preserve-root seems like a sufficient safeguard here.

~~~
Houshalter
I'm just making predictions. That this will become a malicious advice meme.
That lots of people will lose all their files over it. And that microsoft will
probably disable it.

This exact thing happened with system32. And deleting a system file somehow
seems _much_ more obviously dangerous than entering a command you don't
understand. "rm" looks pretty harmless, and someone could come up with a
backronym that even makes it seem sensible.

In fact I wonder if this is the reason pasting into console is disabled, or at
least hard to figure out, on Windows.

~~~
mafuy
Why do you think this is the reason system32 was protected? I think it was
simply protected for the same reason the program files folder was, which is
security. Not to prevent user mistakes.

~~~
Houshalter
No, deleting system files was only disabled on the user interface. You could
still do it with a bat script or the windows api.

They also got rid of deltree, which is the Windows equivalent of rm -rf, and
was abused in a similar way.

------
beardog
TIL running a destructive command does destructive things.

------
Ezhik
I think this is actually a good thing, Linux being a first class citizen in
this environment and all. Linux is a different beast from Windows, and this
being a developer tool, will not babysit the user as much.

------
kyriakos
So you run a destructive command and you are surprised it destroyed your
system? The sub system is not an isolated vm so it does what it's supposed to
do. I don't see a problem here you could achieve the same thing in regular
windows command prompt or powershell.

------
est

        cmd /crd /s /q \
    

This is faster in Windows

~~~
codehotter
Just to be clear, this calls the command "rd" (remove directory) with argument
/s (recursively remove all subdirectories) and path \ (root of your drive).

Initially it looked to me like a switch called "crd" as argument to the "cmd"
command. This would have fooled me into thinking it is harmless. I wouldn't
have fallen for "format c:" but I might have fallen for this.

The space between "/c" and "rd" is apparently not necessary. I tested it and
it really works.

------
mintplant
"Shooting own foot considered harmful."

------
stormbrew
Hm, does this mean it ignores win32 file locking? By that I mean files are
locked against deletion while a handle to them is held open, unlike on posix
systems where you can rm an open file and it just unlinks it from the
filesystem without deleting the data (until the refcount goes to zero).

The level of damage described sounds like it does.

------
adrianratnapala
Do you really need the Linux subsystem to do mass deletions on Windows?

Googling around tells me that good old "deltree" no longer exists, but I would
have assumed PowerShell would have some equivalent. If you do such a thing as
administrator, won't you expect serious damage?

~~~
MichaelGG
I thought perhaps the Linux layer lets you delete/unlink files that are in
use, unlike Windows. But I also thought this was pretty baked into the
kernel/VM paging system.

If the Linux layer allows deleting and replacing in-use files, that's pretty
cool and a welcome feature.

If this is just a substitute for deltree I'm not sure I get the point.

~~~
shadowfox
Windows (at least NTFS) does allow you to delete files in use as long as it
has been opened with a sharing mode of FILE_SHARE_DELETE. Unfortunately most
regular programs don't do this.

An exception to this is memory mapped files as they are not allowed to be
deleted that way. Executables are executed in Windows by memory-mapping them;
so runnning programs are hard to delete.

~~~
piscisaureus
Yes, but as long as the file is openen by another process...

\- You can't delete the parent directory

\- You can't create a new file with the same name

... which makes that flag quite useless.

------
stormcloud
I see the writer has used '\--no-​preserve-root' when deleting /mnt/c - does
anybody know if that's necessary?

It would be an interesting (and probably good enough) safety net if they
treated /mnt/c the same as / in this case.

~~~
NetTechM
The --no-preserve-root is the safety net of sorts. If you deliberately type
it, you obviously know what you are asking for.

~~~
wlesieutre
But does the Linux subsystem actually understand that /mnt/c is the root of
the drive, or can you omit the option?

~~~
Ezhik
`rm` is probably hardcoded to not touch `/` without the flag and that's it, so
most likely it's not necessary.

~~~
DSMan195276
I just checked the `rm` source code for the GNU coreutils, and it actually
checks for `/` by checking for identical device and inode numbers to `/`. I
admittedly don't want to test if the feature works, but in theory if you
remount `/` at a different location `rm` will still require the `--no-
preserve-root` flag to delete it.

That said, the above only saves you if `/` and `/mnt/c` are the same device
mounted at two different places - I haven't used the system to know.

------
bereasonable
You can also drop a fork bomb in bash and blue screen win10.

:(){ :|:& };:

~~~
0xmohit
It's called _Windows blues_.

~~~
dethoma
This has been fixed in recent Windows insider builds.

------
voltagex_
If you assume a non-Administrator/non-UAC elevated user _can 't_ delete
anything in c:\windows this does raise the question of why the Linux subsystem
has so many privileges

~~~
wvenable
I'm curious about this myself. I would have to be an elevated command prompt
to do this natively in Windows. I would assume that, by default, the Linux
subsystem runs non-Elevated. If this is not the case then the Linux subsystem
is a bit of security risk in Windows.

~~~
dogma1138
You would have to be in an elevated command prompt and manually take ownership
from "trusted installer" in order to do it.

------
0xmohit
Maybe you could also try executing

    
    
      sudo chmod -R a-x /
    

and post the findings.

------
dogma1138
Hmmm the only thing that prevents you from deleting system files are file
permission which in windows 7 restrict it to "trusted installer".

This begs the question how many other things you can exploit with it to bypass
file/system permissions.

~~~
userbinator
_Hmmm the only thing that prevents you from deleting system files are file
permission which in windows 7 restrict it to "trusted installer"._

I'd consider it a bug/limitation if running as root in the Linux subsystem,
because root should be able to do that too.

~~~
dogma1138
"Trusted Installer" also protects other folders like "program files", all of a
sudden dll injection / unescaped path vulnerabilities might become much more
common if this is indeed an issue.

Nothing actually stopping you from deleting "explorer.exe" from gui/cmd but
you have to do some steps in order to take ownership of those files even with
admin rights, this includes interacting with the UAC functionality in windows.

Seems that the new linux subsystem bypasses that and unless the guy in the
article has already disabled every security measure in windows this is a big
deal.

And no I won't consider it a bug, I don't care what root should or should not
be able to do the fact that a user can delete critical system files while the
OS is running is bad design there is simply no scenario in which you would
want or need to do it, not in Windows and not even in Linux.

------
vortico
"I actually expected Windows’ Syscall translation layer for Linux to block any
such clearly destructive actions."

How would you suggest this could be done?

~~~
solarengineer
In an interview with BSDNow[0], Bryan Cantrill had mentioned how at Sun,
they'd discussed with the person in charge of POSIX compliance, and got a
clearance to specifically check for this case and prevent it. This code is
present in Illumos [1].

(Edit: added links correctly)

[0]
[http://www.bsdnow.tv/episodes/2015_11_23-the_cantrill_strike...](http://www.bsdnow.tv/episodes/2015_11_23-the_cantrill_strikes_back)

[1] [https://github.com/illumos/illumos-
gate/blob/5a4ef21a18dfdc6...](https://github.com/illumos/illumos-
gate/blob/5a4ef21a18dfdc65328821a265582d03e85a97c9/usr/src/cmd/rm/rm.c#L142)

~~~
daurnimator
That's in the 'rm' command; not in the syscall itself.

You have the same thing in other OSes, hence --no-preserve-root

~~~
solarengineer
Indeed. Thanks for clarifying this.

I now realise that while one may have an rm that takes care of this, one could
always get another rm that does not.

------
lupinglade
I actually expected rm -rf / to do just that.

------
ratfacemcgee
i guess the original title "running Rm -rf/ runs Rm -rf/" wasn't catchy
enough.

------
FuturePromise
Looks like it did what it's supposed to do!

I'm very excited about the Subsystem for Linux. It will make Windows a great
all-purpose development system. As it is, I have an easier time running must
GNU/Linuxy stuff on cygwin than I do on Mac....

~~~
NegativeLatency
Genuinely curious: what software do you use that you have problems with on OS
X?

~~~
busterarm
libsdr (might have been librtlsdr) and opencv here. Complete and total
nightmare to get either of those going.

Total cake on a windows system.

Anything that requires python libraries outside of the bog standard seems to
be a 50/50 tossup on OS X.

~~~
FuturePromise
Exactly right: OpenCV is the worst. And lots of trouble with Python 2 and 3
things that "just work" on Windows. I guess people don't do a lot of "real
development" on Macs -- around the world, Windows is still the standard.

The only thing I use regularly that works better on Mac is "Vagrant" 1.8. I
have to stay on 1.7.4 on Windows. If you look at their issue tracker, it's
clear nobody's caring too much about Windows over there. Of course, with the
Subsystem For Linux, I can just run the Linux one on Windows!

~~~
lupinglade
I think this depends on what you consider “real development”. I always thought
people don’t do any "real development" on non-unix systems. As far as anything
Internet or modern goes, Windows is far, far from the standard. I guess that’s
the point of this compatiblity layer, after all.

