rm -rf * What would it do and why would you use it?

Fairlight fairlite at fairlite.com
Tue Sep 11 04:37:12 PDT 2007


When asked his whereabouts on Tue, Sep 11, 2007 at 03:52:56AM -0700,
fp at casabellagallery.com took the fifth, drank it, and then slurred:
> Marked posted:

Mark.  I'd hope I'm not a marked man.  :)

> Someone logged in last night using rm -rf * as a user ID at about 9:00 PM
> last night.  I'm not sure who actually did but I traced the IP (166.82.96.28) 
> and it goes back to Walter Vaughan from Steel Rubber.

[cobalt] [~] [7:09am]: nslookup
> 166.82.96.28
Server:  nspubcache01.iglou.com
Address:  192.107.41.34

Name:    wvaughan.steelerubber.com
Address:  166.82.96.28

No disputing that conclusion, assuming you got the IP# correct.  

I do wonder how you know what time it was done.  Every time I use the
thing, it seems to be hovering at 19:xx.  Usually about 19:15-19:18.  Even
when I'm doing it at 2-4am.  Might wanna look at that.

> Not to approve of it is one thing, to post messages disapproving of it is
> about the same, but to go to the extent of attempting to do something like
> what the command could do really takes it to the lowest level.

Be sure of your security.  If someone really was out to be malicious and
was stupid enough to illegally do it, a well-placed semicolon or pipe (or
a slew of other ways to do it) would actually let it work if your input
wasn't sanitised and you fed it to system().  Never let any field near
a system() command unless you've stripped the hell out of it first--and
preferably still not even then.  Preferably, never trust any field anywhere
near a command, even if you assemble it by hand.  That's like CGI 101, but
people still do it 13 years later.

As for that behaviour...well, I'm not going there--assuming it wasn't
someone using his machine or spoofing his IP, which seems pretty unlikely.
I think that definitely speaks for itself.  What can one actually say to
something like that?  Besides, "Gee, time for a new firewall rule..."?

To be fair, when someone would ask idiot newbie questions on LinuxNET back
when I used to be a regular there, the stock answer to just about "how do
I...?" -anything- was indeed "rm -rf /". But we were joking, and we all
knew it, and it was not a "help" environment, especially for newbies--and
that was part of making it clear, in our minds.  Nobody would have actually
let someone -do- it, though.  So it could have been used in fun, I suppose.
It's not without precedent.

However, given the climate of yesterday, I wouldn't exactly be prepared to
give the benefit of the doubt to anyone involved, were I in your shoes.
Can't say I blame you for being upset.

As for the actual usage...I'm assuming you know what it'd do in general and
the subject was rhetorical.  The only thing I can say about someone using
"*" instead of "/" even in a joke is that they don't think big enough.  The
* would only affect $PWD.  The / would wipe anything by the current user,
system-wide.  (Which is why running httpd as filepro directly is not my
first choice, because if -any- part of httpd breaks, all your fP stuff
can go with it in the course of an attack, rather than just if something
wrapped by cgiwrap is compromised, for instance--so httpd itself becomes a
hazard to your data store.)  But given the tamer usage I guess even if it's
a joke, it makes them an incompetent joker.

mark->.
-- 
The latest synth mixdown...
http://media.fairlite.com/Isolation_Voiceless_Cry_Mix.mp3
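
Added example (not part of the original message and not code from the list or from filePro): the system() warning above, sketched in Python, with the shell-parsed form beside an argv form and an allow-list check. The function names, the user-ID policy and the sample field are assumptions made up for the illustration.

```python
import re
import subprocess

# Assumed policy for this example: 1-32 letters, digits, '_', '.' or '-'.
USER_ID_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_user_id(user_id: str) -> bool:
    """Allow-list check: anything outside the assumed alphabet is rejected."""
    return USER_ID_RE.fullmatch(user_id) is not None


def log_login_unsafe(user_id: str) -> str:
    """The pattern the message warns about: the field is spliced into a
    string that /bin/sh parses, which is what system() does."""
    cmd = "printf 'login: %s\\n' " + user_id
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def log_login_argv(user_id: str) -> str:
    """No shell: the field is one argv element, so ';', '|' and '*' are data."""
    argv = ["printf", r"login: %s\n", user_id]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def log_login_checked(user_id: str) -> str:
    """Validate first, then still avoid the shell."""
    if not is_valid_user_id(user_id):
        raise ValueError("rejected user ID: %r" % user_id)
    return log_login_argv(user_id)


if __name__ == "__main__":
    field = "guest; echo INJECTED"  # constructed, harmless sample input
    print(log_login_unsafe(field), end="")  # two lines: the shell ran both commands
    print(log_login_argv(field), end="")    # one line: the whole field is printed as text
    for candidate in ("guest", "rm -rf *", field):
        print(repr(candidate), "valid" if is_valid_user_id(candidate) else "rejected")
```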


More information about the Filepro-list mailing list