[CentOS] How bad is "rm -rf /" ?

Wed Feb 3 02:07:16 UTC 2016
Gordon Messmer <gordon.messmer at gmail.com>

On 02/02/2016 04:57 PM, Valeri Galtsev wrote:
> Suppose I executed the command
> rm -rf /
> on my CentOS 7 box. After it did what it could, how much damage will be
> done to what I have (or _had_ rather ;-) on my hard drive?

In your experiment, rm processed /boot and /data first, and then /proc, 
where it hung removing one file.  There are two important details to 
consider.  First, that behavior doesn't appear to be standard.  If I run 
"rm -rf /proc" on other kernels, rm doesn't hang.  On systems running 
those kernels, rm will remove all of the files in the filesystem 
hierarchy.  Second, on systems running that kernel, no more data was 
removed because readdir('/') returned /proc before the directories that 
rm didn't process.

> and finally things started flying away, then the box locked with a bunch of
> rm: cannot remove "/proc/sys/fs...": permission denied

The box did not "lock".  Press Ctrl+c on the terminal, and rm will 
exit.  What happened is simply that rm tried to unlink a file in /proc, 
and the syscall didn't return.  I'm not sure why that happens, but it 
doesn't appear to be a feature.

> OK, now: how about stuff that in / comes alphabetically before /dev?

As I told you before, rm doesn't process directory trees in alphabetical 

> First, symlink /bin (pointing to /usr/bin) stayed intact! This is not what
> I expected, but I'm sure some clever person will explain that.

I did, in the previous thread.

> Second, I
> have two different partitions mounted as /boot and /data. Both of them are
> gone (though their mount points stayed intact).

Directory entry order is unpredictable.  It's not possible to unlink 
a directory where a filesystem is mounted, which is why the mount point 
is intact, but its content is gone.

> By no means I am considering myself an expert, but what I see is pretty
> much what I expected. Namely, the kernel talks to hard drive via block
> device (or raw device whenever applicable).

That is incorrect, and a much simpler test can verify that.  First, rm 
-rf /dev/*, then remove any file, or write any file.  Reboot. Your 
changes will have been saved, demonstrating that /dev is not required 
after a filesystem is mounted.

Once you've completed that experiment, you can simulate the effect of rm 
-rf on different kernels by unmounting /proc and then issuing "rm -rfv 
--no-preserve-root /".  When it completes, your filesystem will be empty 
except for the handful of directories that are used for mount points.

> Therefore, once resembling
> device is deleted from /dev, there will be no more changes to the content
> on hard drive platters. So, all in all "rm -rf /" is much less disastrous
> than it sounds. It only obliterates stuff that every sysadmin can
> re-create (like /boot or /bin back then when it was not symlink to
> /usr/bin). So, happy "rm -rf /"-ing everybody!
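
A dry-run sketch of the traversal discussed in this message, added here as an illustration and not part of the original thread: it visits entries in readdir order, unlinks symlinks without following them, and marks mount points as directories that would survive with their contents gone. The tree, the names `removal_plan` and `demo`, and the fake mount-point predicate are constructed for the example; nothing outside a temporary directory is touched and nothing is deleted.

```python
import os
import tempfile


def removal_plan(root, is_mount=os.path.ismount):
    """Dry run: list what a recursive remove would do under root, deleting nothing.

    Entries are visited in the order os.scandir() yields them, which is the
    filesystem's readdir order and is not sorted.
    """
    plan = []
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                # Children are processed before the directory itself.
                plan.extend(removal_plan(entry.path, is_mount))
                # rmdir() on a directory with a filesystem mounted on it fails
                # with EBUSY, so its contents go but the directory stays.
                action = "keep-mountpoint" if is_mount(entry.path) else "rmdir"
            else:
                # Files and symlinks are unlinked; a symlink is never followed.
                action = "unlink"
            plan.append((action, entry.path))
    return plan


def demo():
    """Build a constructed tree and return (root, plan); 'boot' plays a mount point."""
    root = tempfile.mkdtemp(prefix="rmplan-")
    for d in ("usr/bin", "boot", "etc"):
        os.makedirs(os.path.join(root, d))
    for f in ("usr/bin/ls", "boot/vmlinuz", "etc/fstab"):
        open(os.path.join(root, f), "w").close()
    os.symlink("usr/bin", os.path.join(root, "bin"))  # like /bin on CentOS 7
    # Assumption for the demo: treat <root>/boot as if a filesystem were mounted there.
    fake_mount = lambda p: os.path.basename(p) == "boot"
    return root, removal_plan(root, is_mount=fake_mount)


if __name__ == "__main__":
    root, plan = demo()
    for action, path in plan:
        print(f"{action:16} {os.path.relpath(path, root)}")
```

The order of the top-level entries in the output varies by filesystem, which is the point about readdir order made above.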