Dear All,
Suppose I executed the command
rm -rf /
on my CentOS 7 box. After it did what it could, how much damage will be done to what I have (or _had_ rather ;-) on my hard drive?
I'm going to describe a simple experiment which was prompted in another thread. I need to say a few words before I do it, however. First of all, that other thread was about doing the same thing on a UEFI machine. This experiment has nothing to do with UEFI; it was not done with the goal of answering that question for a UEFI machine.
What I did is this: I took two used drives (same manufacturer, same model, same size). Then on some (pre-UEFI) hardware I kick-start installed Development workstation (with a bunch of scientific software I install for people in our department). I did this install twice, once on each of the drives. Then I booted the freshly installed system, went to a virtual console, logged in as root, and did:
cd /
rm -rfv /
(yes, I decided to add the verbose flag to see things flying away). Guess what? My clever CentOS 7 box told me that I am trying to remove everything from the root filesystem, and failed (I know, rm is aliased to "rm -i", that still was not why this happened. Clever!). So, being determined to still attempt to remove everything, I executed the command with an extra option:
rm -rfv --no-preserve-root /
and finally things started flying away, then the box locked with a bunch of
rm: cannot remove "/proc/sys/fs...": permission denied
OK, looks like I achieved the goal. I let this "obliterated" box sit for another couple of hours like that. Then I did the only thing you can do in this situation: pulled the power cord.
After that was done, I had two drives: one subjected to "rm -rf /" and another not. This is not quite a clean experiment, as one drive was not a clone of the other; kickstart strictly speaking does not guarantee the drives are identical. Also, as the experiment is not clean, I decided I will not boot the system with the second drive at all.
Before I go to the comparison of the two drives I need to tell you that I still partition the drives when I install a system, and here is how the drive is partitioned (as configured in the kickstart file):
partition number   filesystem
1                  /boot
2                  /usr
3                  /
5                  /home
6                  swap
7                  /var
8                  /tmp
9                  /data
Now, I mounted each of the drives on a different machine, and compared them to see what I still have on the drive I tried to obliterate with "rm -rf /".
Here is what I see:
/ contains on its top level all that it did (plus one more file: a core dump!). My /etc lives on the root filesystem, so I looked at how damaged that is.
On "obliterated" drive:
find /media/80caeb82-571a-4afe-b3bf-9bce1a35f49a/etc -type f | wc -l
2280
On intact comparison drive:
find /media/e2132f68-01a0-4815-aa38-1180ebcd41dc/etc -type f | wc -l
2272
(a few things were not created on the comparison drive, which I never booted). In general, all seems intact!
I have /usr on separate partition, let's see what happened to /usr:
On "obliterated" drive:
find /media/39766043-9733-4f76-800f-696e604845ff -type f | wc -l
289498
du -s /media/39766043-9733-4f76-800f-696e604845ff
7438636 /media/39766043-9733-4f76-800f-696e604845ff
On intact comparison drive:
find /media/a3912c30-bf5f-4788-83f7-70756ef4b4ac -type f | wc -l
289498
du -s /media/a3912c30-bf5f-4788-83f7-70756ef4b4ac
7438640 /media/a3912c30-bf5f-4788-83f7-70756ef4b4ac
Well, all seems intact again.
OK, now: how about stuff that in / comes alphabetically before /dev? First, symlink /bin (pointing to /usr/bin) stayed intact! This is not what I expected, but I'm sure some clever person will explain that. Second, I have two different partitions mounted as /boot and /data. Both of them are gone (though their mount points stayed intact).
By no means do I consider myself an expert, but what I see is pretty much what I expected. Namely, the kernel talks to the hard drive via a block device (or raw device whenever applicable). Therefore, once the resembling device is deleted from /dev, there will be no more changes to the content on the hard drive platters. So, all in all "rm -rf /" is much less disastrous than it sounds. It only obliterates stuff that every sysadmin can re-create (like /boot or /bin back then when it was not a symlink to /usr/bin). So, happy "rm -rf /"-ing everybody!
I know there are many experts on this list (from whom I constantly learn something!). They will probably give a much better explanation of what I observed in the experiment I described.
Cheers,
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
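
The comparison in the post relies on file counts and du totals per partition, which can match even when individual files differ. As an added example (not part of the original post), this script lists which relative paths are missing from, or new in, an examined tree compared with a reference tree. The function names and the constructed sample trees are assumptions of this example, as is mounting both filesystems read-only on the analysis machine.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: both trees are mounted read-only, and no file name
# contains a newline (paths are handled one per line).

# List regular files and symlinks under $1 as sorted relative paths.
# -xdev keeps find on one filesystem, matching a per-partition comparison.
list_tree() (
    cd "$1" || exit 1
    find . -xdev \( -type f -o -type l \) -print | LC_ALL=C sort
)

# diff_trees MODE REF CUR
#   MODE "missing": paths present in REF but absent from CUR
#   MODE "extra":   paths present in CUR but absent from REF
diff_trees() (
    ref_list=$(mktemp) || exit 1
    cur_list=$(mktemp) || exit 1
    list_tree "$2" > "$ref_list"
    list_tree "$3" > "$cur_list"
    case "$1" in
        missing) LC_ALL=C comm -23 "$ref_list" "$cur_list" ;;
        extra)   LC_ALL=C comm -13 "$ref_list" "$cur_list" ;;
    esac
    rm -f "$ref_list" "$cur_list"
)

# Constructed sample: a tiny reference tree and an examined copy that lost
# its boot file and gained a core dump, loosely mirroring the post.
make_sample() {
    sample=$(mktemp -d) || return 1
    mkdir -p "$sample/ref/etc" "$sample/ref/boot"
    mkdir -p "$sample/cur/etc" "$sample/cur/boot"
    echo a > "$sample/ref/etc/fstab"
    echo a > "$sample/cur/etc/fstab"
    echo k > "$sample/ref/boot/vmlinuz"
    ln -s usr/bin "$sample/ref/bin"
    ln -s usr/bin "$sample/cur/bin"
    echo c > "$sample/cur/core.1234"
}

make_sample
echo "missing from examined tree:"
diff_trees missing "$sample/ref" "$sample/cur"
echo "only in examined tree:"
diff_trees extra "$sample/ref" "$sample/cur"
rm -rf "$sample"
```

On real drives, pass the two mount points of the same partition (for example the two /usr filesystems) as REF and CUR.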