[CentOS] How bad is "rm -rf /" ?

Wed Feb 3 00:57:24 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

Dear All,

Suppose I executed the command

rm -rf /

on my CentOS 7 box. After it did what it could, how much damage will be
done to what I have (or _had_ rather ;-) on my hard drive?

I'm going to describe a simple experiment which was prompted in another
thread. I need to say a few words before I do it, however. First of all,
that other thread was about doing the same thing on a UEFI machine. This
experiment has nothing to do with UEFI; it was not done with the goal of
answering that question for a UEFI machine.

What I did is this: I took two used drives (same manufacturer, same model,
same size). Then on some (pre-UEFI) hardware I kickstart-installed a
Development workstation (with a bunch of scientific software I install
for people in our department). I did this install twice, once on each of the
drives. Then I booted the freshly installed system, went to a virtual console,
logged in as root, and did:

cd /

rm -rfv /

(yes, I decided to add the verbose flag to see things flying away). Guess
what? My clever CentOS 7 box told me that I am trying to remove everything
from the root filesystem, and failed (I know, rm is aliased to "rm -i", but that
still was not why this happened. Clever!). So, being determined to still
attempt to remove everything, I executed the command with an extra option:

rm -rfv --no-preserve-root /

and finally things started flying away, then the box locked up with a bunch of

rm: cannot remove "/proc/sys/fs...": permission denied

OK, looks like I achieved the goal. I let this "obliterated" box sit for
another couple of hours like that. Then I did the only thing you can do in
this situation: pulled the power cord.

After that was done, I had two drives: one subjected to "rm -rf /" and
another not. This is not quite a clean experiment, as one drive was not a
clone of the other; kickstart, strictly speaking, does not guarantee the
drives are identical. Also, as the experiment is not clean, I decided I would
not boot the system with the second drive at all.

Before I go to the comparison of the two drives I need to tell you that I still
partition the drives when I install a system, and here is how the drive is
partitioned (as configured in the kickstart file):

partition number   filesystem

1                  /boot
2                  /usr
3                  /

5                  /home
6                  swap
7                  /var
8                  /tmp
9                  /data

Now, I mounted each of the drives on a different machine, and compared them
to see what I still have on the drive I tried to obliterate with "rm -rf

Here is what I see:

/ contains on its top level all that it did (plus one more file: a core dump!)
My /etc lives on the root filesystem, so I looked at how damaged that is.

On "obliterated" drive:

find /media/80caeb82-571a-4afe-b3bf-9bce1a35f49a/etc -type f | wc -l

On intact comparison drive:

find /media/e2132f68-01a0-4815-aa38-1180ebcd41dc/etc -type f | wc -l

(a few things were not created on the comparison drive, which I never booted). In
general, all seems intact!

I have /usr on separate partition, let's see what happened to /usr:

On "obliterated" drive:

find /media/39766043-9733-4f76-800f-696e604845ff -type f | wc -l

du -s /media/39766043-9733-4f76-800f-696e604845ff
7438636	 /media/39766043-9733-4f76-800f-696e604845ff

On intact comparison drive:

find /media/a3912c30-bf5f-4788-83f7-70756ef4b4ac -type f | wc -l

du -s /media/a3912c30-bf5f-4788-83f7-70756ef4b4ac
7438640	/media/a3912c30-bf5f-4788-83f7-70756ef4b4ac

Well, all seems intact again.

OK, now: how about stuff that in / comes alphabetically before /dev?
First, the symlink /bin (pointing to /usr/bin) stayed intact! This is not what
I expected, but I'm sure some clever person will explain that. Second, I
have two different partitions mounted as /boot and /data. Both of them are
gone (though their mount points stayed intact).

By no means am I considering myself an expert, but what I see is pretty
much what I expected. Namely, the kernel talks to the hard drive via a block
device (or raw device whenever applicable). Therefore, once the corresponding
device is deleted from /dev, there will be no more changes to the content
on the hard drive platters. So, all in all, "rm -rf /" is much less disastrous
than it sounds. It only obliterates stuff that every sysadmin can
re-create (like /boot, or /bin back then when it was not a symlink to
/usr/bin). So, happy "rm -rf /"-ing everybody!

I know there are many experts on this list (from whom I constantly learn
something!). They can probably give a much better explanation of what I observed
in the experiment I described.

Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
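The comparison method in the post above, as an added example that is not part of the original message or of anything the author ran. It rebuilds the experiment in a scratch directory (two identical miniature trees, one then "damaged" the way the post reports: contents of the mounted /boot and /data gone, /dev emptied, /etc and /usr untouched) so nothing touches a real root filesystem or block device. The tree layout and file names are constructed for the demonstration. It also shows why `find | wc -l` is a weak check: the counts only say that something is missing, while a sorted path list from each tree fed to `comm(1)` names exactly what is gone.

```shell
#!/bin/sh
# Added example, not code from the original post. It repeats the post's
# drive comparison in a scratch directory (nothing here touches the real /
# or a block device): build two identical miniature trees, damage one the way
# the post describes, then compare them. "find | wc -l" gives only a count;
# a sorted path list fed to comm(1) names exactly what is missing.
# The tree layout and file names are constructed for the demonstration.
set -eu
export LC_ALL=C   # byte order for sort(1), so comm(1) sees consistently sorted input

# Build a miniature root: /etc and /usr standing in for the surviving partitions,
# /boot and /data for the mounted partitions the post lost, and /dev.
make_tree() {
    root=$1
    mkdir -p "$root/etc" "$root/boot/grub2" "$root/data" "$root/dev" "$root/usr/bin"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$root/etc/passwd"
    printf 'kernel\n'  > "$root/boot/vmlinuz"
    printf 'menu\n'    > "$root/boot/grub2/grub.cfg"
    printf 'data\n'    > "$root/data/results.dat"
    printf 'binary\n'  > "$root/usr/bin/ls"
    : > "$root/dev/sda"            # an empty regular file stands in for the device node
    ln -s usr/bin "$root/bin"      # /bin -> /usr/bin, as on CentOS 7
}

# Simulate the post's outcome: the contents of the mounted /boot and /data
# and the entries in /dev are gone; the mount points and /etc remain.
damage_tree() {
    root=$1
    rm -rf "$root/boot"/* "$root/data"/* "$root/dev"/*
}

# Count regular files, as the post does.
count_files() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Every path (files, directories, symlinks) relative to the tree root, sorted.
list_tree() {
    (cd "$1" && find . | sort)
}

# Paths present in the reference tree ($1) but absent from the damaged one ($2).
missing_paths() {
    ref_list=$(mktemp)
    dmg_list=$(mktemp)
    list_tree "$1" > "$ref_list"
    list_tree "$2" > "$dmg_list"
    comm -23 "$ref_list" "$dmg_list"
    rm -f "$ref_list" "$dmg_list"
}

# Build intact and damaged copies and print the file counts as "intact damaged".
demo_counts() {
    scratch=$(mktemp -d)
    make_tree "$scratch/intact"
    make_tree "$scratch/obliterated"
    damage_tree "$scratch/obliterated"
    printf '%s %s\n' "$(count_files "$scratch/intact")" "$(count_files "$scratch/obliterated")"
    rm -rf "$scratch"
}

# Same setup, but print the exact list of paths the damaged tree lost.
demo_missing() {
    scratch=$(mktemp -d)
    make_tree "$scratch/intact"
    make_tree "$scratch/obliterated"
    damage_tree "$scratch/obliterated"
    missing_paths "$scratch/intact" "$scratch/obliterated"
    rm -rf "$scratch"
}

echo "file counts (intact obliterated): $(demo_counts)"
echo "paths missing from the obliterated tree:"
demo_missing
```

To run the same check on two real drives mounted read-only, pass the two mount points to `missing_paths` (reference first). Two caveats a practitioner would add to the post's conclusion: GNU rm refuses a bare `rm -rf /` because `--preserve-root` is its default, which is the refusal the author saw before adding `--no-preserve-root`; and `rm -rf --one-file-system` skips directories on a filesystem other than that of the argument, so in the post's layout it would have left the separately mounted /boot and /data alone rather than emptying them.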