On 02/02/2016 04:57 PM, Valeri Galtsev wrote: > Suppose I executed the command > rm -rf / > on my CentOS 7 box. After it did what it could, how much damage will be > done to what I have (or _had_ rather ;-) on my hard drive? In your experiment, rm processed /boot and /data first, and then /proc, where it hung removing one file. There are two important details to consider. First, that behavior doesn't appear to be standard. If I run "rm -rf /proc" on other kernels, rm doesn't hang. On systems running those kernels, rm will remove all of the files in the filesystem hierarchy. Second, on systems running that kernel, no more data was removed because readdir('/') returned /proc before the directories that rm didn't process. > and finally things started flying away, then the box locked with a bunch of > rm: cannot remove "/proc/sys/fs...": permission denied The box did not "lock". Press Ctrl+c on the terminal, and rm will exit. What happened is simply that rm tried to unlink a file in /proc, and the syscall didn't return. I'm not sure why that happens, but it doesn't appear to be a feature. > OK, now: how about stuff that in / comes alphabetically before /dev? As I told you before, rm doesn't process directory trees in alphabetical order. > First, symlink /bin (pointing to /usr/bin) stayed intact! This is not what > I expected, but I'm sure some clever person will explain that. I did, in the previous thread. > Second, I > have two different partitions mounted as /boot and /data. Both of them are > gone (though their mount points stayed intact). Directory entry order is in unpredictable. It's not possible to unlink a directory where a filesystem is mounted, which is why the mount point is intact, but its content is gone. > By no means I am considering myself an expert, but what I see is pretty > much what I expected. Namely, the kernel talks to hard drive via block > device (or raw device whenever applicable). That is incorrect, and a much simpler test can verify that. First, rm -rf /dev/*, then remove any file, or write any file. Reboot. Your changes will have been saved, demonstrating that /dev is not required after a filesystem is mounted. Once you've completed that experiment, you can simulate the effect of rm -rf on different kernels by unmounting /proc and then issuing "rm -rfv --no-preserve-root /". When it completes, your filesystem will be empty except for the handful of directories that are used for mount points. > Therefore, once resembling > device is deleted from /dev, there will be no more changes to the content > on hard drive platters. So, all in all "rm -rf /" is much less disatrous > than it sounds. It only obliterates stuff that every sysadmin can > re-create (like /boot or /bin bacl then when it was not symlink to > /usr/bin). So, happy "rm -rf /"-ing everybody! No.