--no-preserve-common-sense
-
Continuing the discussion from XSplit installer removes directory junctions:
Here's a story from SO that I found quite amusing:
Here's an entertaining tragedy. This morning I was doing a bit of maintenance on my production server, when I mistakenly executed the following command:
sudo rm -rf --no-preserve-root /mnt/hetznerbackup /
I didn't spot the last space before / and a few seconds later, when warnings were flooding my command line, I realised that I had just hit the self-destruct button. Here's a bit of what burned into my eyes:
So, the tool author adds a safety option specifically to protect against a certain class of accidental error, and for some unknown reason the user chooses to disable that feature, even though they very much did not want the thing that was protected against to happen? What will these crazy Linux people think of next?
-
Cargo cult thinking, probably.
-
Except for cargo cults to arise there actually had to be cargo coming through. Where would someone possibly have seen --no-preserve-root used in a context where it wasn't perfectly obvious that wasn't something you'd ever want to do?
-
Nice one. It remains a mystery why he felt the need to add --no-preserve-root switch. It feels like we aren't getting the whole story.
-
Yeah. I've just had the thought that maybe he did the typo first, then got an error message that he presumably didn't read, and just copy pasted the switch it mentioned into the command.
Also I'm wondering if I made the wrong decision to cut off the quote where I did, because in a bit of confusing irony, the first line of output was:
rm: cannot remove '/mnt/hetznerbackup': Is a directory
is that because it doesn't have a trailing slash or what?
-
is that because it doesn't have a trailing slash or what?
The trailing / isn't required.
This story doesn't seem to be the full information. Accidentally typing --no-preserve-root?!
-
I don't know what you guys are even complaining about. no-preserve-root clearly means: no, preserve root
if you translate backwards from most URL-generators. So clearly, you'd use it if you wanted to preserve root
If you wanted to not preserve root, you'd have to go dont-preserve-root.
Filed Under: imagine @accalia had was working on those flags shudder
-
Filed Under: imagine @accalia had was working on those flags shudder
E_PARSE_ERROR
What would i had was working?
-
It's totally realistic and could happen to anyone. One time, I wanted to delete an installer for an old version of 7zip, so I highlighted it, hit delete, then accidentally rebooted into DBAN and accidentally hit yes to all the warnings.
-
I hate when that happens. 3 times so far this week.. 😔
-
Man if only he had an undo button.
I actually talked about this in a thread ages ago, but the problem is in the Linux world, you "train" people by having them do magical incantations. The command didn't work, so now add "sudo" to the beginning. Oh now it works! So I guess add "sudo" to everything is the best strategy! Because God forbid the command just automatically asks me to elevate like, hm, UAC would have!
Which is a shitty shitty shitty way of running an everything. There's no safety feature, and you train your users to do things in the unsafe way because that's the only way shit works. Welcome to the land of ass, made by dicks.
-
Because God forbid the command just automatically asks me to elevate like, hm, UAC would have!
Which will happen, in GUI.
Core stuff like rm don't do that. Why? I'm assuming compatibility.
sudo, as ubiquitous as it may seem when googling stuff, is not something every system will have installed by default. On many systems, by default, there is no way to do that other than logging in as root and doing stuff like that. IME the Ubuntu is a special snowflake when it comes to this, actually. It even disables the root account by default, for better or for worse.
I guess you could alias all the basic commands and wrap them in a piece of code that checks for permissions and prompts for elevation as required, but I never saw that done so far.
-
I guess you could alias all the basic commands and wrap them in a piece of code that checks for permissions and prompts for elevation as required, but I never saw that done so far.
Of course not. That might take... effort.
-
Probably a better way to do that would be to install a filesystem that lets you roll back any change, any time. Guess what Linux has available, that nobody seems to have installed?
-
You mean btrfs? Isn't Oracle using that, at least?
Or am I missing a feature on any of the other ones?
-
I actually talked about this in a thread ages ago, but the problem is in the Linux world, you "train" people by having them do magical incantations. The command didn't work, so now add "sudo" to the beginning. Oh now it works! So I guess add "sudo" to everything is the best strategy! Because God forbid the command just automatically asks me to elevate like, hm, UAC would have!
Yeah, because Windows users totally don't click "Yes" in every single UAC dialog ever. Not at all. And they totally don't disable UAC altogether.
-
I'd heard that nilfs offered that, but when I went to search for it to find out more I got... distracted.
-
Core stuff like rm don't do that. Why? I'm assuming compatibility.
The reason is not just compatibility. It is because us server admins don't want rm and every other basic command to install a bucket load of GUI shared libraries just so that someone can have their pretty pop-up window.
Plus, if you have ever had to repair a system that barely boots and you don't have the right kind of boot disk/CD handy or can't reboot, you are very thankful when the very simple programs like ls, cat, and rm at least work (and even ls is optional).
Greybeard rant: If some users need crutches like pop-up windows to remind them what to do, then they can use GUI programs instead of the core CLI utilities. ;)
PS: And it would be much better if more helper programs existed for novice users, rather than giving them magical incantations on forums to solve basic config problems.
-
The reason is not just compatibility. It is because us server admins don't want rm and every other basic command to install a bucket load of GUI shared libraries just so that someone can have their pretty pop-up window.
Ummm... sudo doesn't pull GUI libraries along. gksu does, which was in the screenshot, yes, but I used that to demonstrate that there is a mechanism by which this is handled by default - in GUI, not necessarily in CLI.
-
The reason is not just compatibility. It is because us server admins don't want rm and every other basic command to install a bucket load of GUI shared libraries just so that someone can have their pretty pop-up window.
You can add text dialogs on GUI-less machines. whiptail is a thing, you know.
-
The problem with prompting for password is that most Unix-like systems, Linux included, optimize for corporate mainframe scenario, where most users have very limited rights. In other words, prompting for root password is stupid because the user doesn't know it. Not to mention sudo was originally meant for something completely different than "run this single command as administrator".
-
Also remember these simple commands often appear in shell scripts. The user may not know how to handle a confirmation request from the core of the shell script, and on the script side there's usually no easy way to check permissions beforehand.
Also note rm (and probably others) do have a command line option to confirm each file removed. Some distributions turn this on by default for root, which leads to people always using rm -f as root...
-
Also zfs. Supports instant snapshots, practically for free.
-
Not to mention sudo was originally meant for something completely different than "run this single command as administrator".
What was it? If it was picking grapefruit in California, I think it's kind-of failed comprehensively on that front.
-
SUDO(8)                BSD System Manager's Manual                SUDO(8)

NAME
     sudo, sudoedit — execute a command as another user

SYNOPSIS
     sudo -h | -K | -k | -V
     sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
     sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
     sudo [-AbEHnPS] [-C num] [-g group] [-h host] [-p prompt] [-r role] [-t type] [-u user] [VAR=value] [-i | -s] [command]
     sudoedit [-AknS] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...

DESCRIPTION
     sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy.

     sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers, or via LDAP. See the Plugins section for more information.

The manual then proceeds to educate you on EBNF in order to describe the sudoers file.
-
That's what I understand it to do too; the “run a single command as administrator without having to share out the root password” thing is the original use case; sudo was always intended to be a better su for a large set of common situations.
The stuff with grapefruits was just amusing hyperbole. It's obviously about avocados.
-
command line option to confirm each file removed.
alias rm='rm -i' is generally the first thing that goes into any .bashrc/.cshrc/.whateverrc on any machine I use.
-
Original use case of sudo was "make it possible for some user to run some command on behalf of another user". The fact it's almost exclusively used for temporary root rights is kinda by accident. Also, su defaulting to root account has nothing to do with switching to root being almost always what the user wants.
-
Ummm... sudo doesn't pull GUI libraries along. gksu does, which was in the screenshot, yes, but I used that to demonstrate that there is a mechanism by which this is handled by default - in GUI, not necessarily in CLI.
Yes, I was picking on gksu and GUI programs in general, but the same principle applies with sudo. Either rm would have to pull in a sudo library, or parse the sudoers file (or heaven forbid, sudoers in LDAP). That is still more things to go wrong in a simple, core OS program. A higher-level wrapper or replacement for rm that can do such fancy things on a desktop or less-critical server is a much better approach.
Also sudo is a setuid program, which it needs in order to elevate to root after it checks your password. And actually sudo runs as root before even asking for your password. Having many more programs run as setuid just so they could edit/remove system files after verifying a password increases the likelihood of there being a root exploit.
More features can be nice, but they are also just more things to go wrong...
-
@PleegWat said:
command line option to confirm each file removed.
alias rm='rm -i' is generally the first thing that goes into any .bashrc/.cshrc/.whateverrc on any machine I use.
Read a thing suggesting that was bad practice, as it can enable the development of bad habits. If you alias it as, say, rmi then if you ever enter that command into a shell without that alias, it will fail, which might be a better outcome than success.
-
Why not sudo apt-get install trash-cli?
-
it can enable the development of bad habits.
That might be a very good point — if you had told me, like, 25 years ago. At this point, my habits — good and bad — are pretty deeply ingrained.
That said, I'm generally pretty careful to make sure the files I specify are what I want to delete, especially since it seems like more often than not, I'm doing a rm -rf somedir, so -i won't save me if I screw up. No, I've never used -no-preserve-root in my life.
-
Ignoring the whole trash-cli vs rm vs a GUI delete tool, I count at least 4 WTFs here:
- the --no-preserve-root flag, which shouldn't ever be used... if you must use it, you might as well use gparted on your installation media to repartition/reformat.
- The -f in the options. You don't use force unless you absolutely need it
- Not trying ls /mnt/hetznerbackup / first, which would have displayed the contents of both /mnt/hetznerbackup and /.
- Not using tab completion, which would have auto-completed the directory name for you, including escaping any special characters.
As for sudo, you need root permission to mess with /mnt by default so you need to sudo or su -c the command.
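The flag check and the "look at the operands first" advice from the list above can be combined into a dry-run check that is given the same arguments rm was about to get. This is an added example, not code from the thread: rm_preflight and canon are hypothetical names, and blocking top-level directories as well as / is an assumption of the example.

```shell
# Added example: a dry-run check for an rm argument list. It never deletes anything.
# rm_preflight and canon are hypothetical helper names, not part of coreutils.

# Physical path of an existing directory; otherwise the text minus trailing slashes.
canon() {
    p=$1
    if [ -d "$p" ]; then
        (cd -- "$p" 2>/dev/null && pwd -P) && return
    fi
    while [ "$p" != / ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# Usage: rm_preflight <the arguments you were about to give rm>
# Returns 0 if nothing alarming was found, 1 otherwise.
rm_preflight() {
    bad=0 n=0 opts_done=0
    for arg in "$@"; do
        if [ "$opts_done" -eq 0 ]; then
            case $arg in
                --) opts_done=1; continue ;;
                --no-preserve-root)
                    echo "BLOCK: $arg turns off rm's refusal to recurse into /"
                    bad=1; continue ;;
                -?*) continue ;;          # any other option: not a path operand
            esac
        fi
        n=$((n + 1))
        real=$(canon "$arg")
        echo "operand $n: '$arg' -> $real"
        case $real in
            /)    echo "BLOCK: operand $n is the root directory"; bad=1 ;;
            /*/*) ;;                      # two or more levels below /: allowed
            /*)   echo "BLOCK: operand $n is a top-level directory"; bad=1 ;;
        esac
    done
    return "$bad"
}
```

Called as rm_preflight -rf --no-preserve-root /mnt/hetznerbackup / it lists two operands, which is the point at which the stray space becomes visible, and returns 1.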
-
Original use case of sudo was "make it possible for some user to run some command on behalf of another user". The fact it's almost exclusively used for temporary root rights is kinda by accident.
The original use case was running “allowing someone who isn't root to a program as root without the root password”. Really. It's implicit in the name. It sort of dropped out of the realization that the usage pattern of Unix systems was shifting slightly in the mid-'90s towards the case where systems had a primary user who would need to do some operations without requiring full admin access (as opposed to being shared systems and having a full-time administrator), and that having masses of setuid programs was going to be a security horror story. It's been well-engineered so as to support more things, but the core, original use case is that one.
Also, su defaulting to root account has nothing to do with switching to root being almost always what the user wants.
su defaults to root because that's the only truly special account on the system. It can't default to any other (except to the useless what-the-current-account-is) because it has no idea what to default to. It's a simple-minded system that requires you to be explicit, much like many other tools.
But I don't see why you started talking about su half way through a paragraph originally about sudo. They're very different programs, from different eras.
-
The original use case was running “allowing someone who isn't root to run a program as ~~root~~ someone else without the ~~root~~ target account password”.
FTFY. It's basically the same as you said, but your post is implying it's all about root privileges (which it's not in general case, even though it is 99% of times).
Really. It's implicit in the name
"su" stands for "switch user", not "super user".
But I don't see why you started talking about su half way through a paragraph originally about sudo. They're very different programs, from different eras.
But people use it to accomplish the same goal - temporary root privileges.
-
The -f in the options. You don't use force unless you absolutely need it
It annoys me you can't recursively delete without force.
-
@Onyx said:
Ummm... sudo doesn't pull GUI libraries along. gksu does, which was in the screenshot, yes, but I used that to demonstrate that there is a mechanism by which this is handled by default - in GUI, not necessarily in CLI.
Yes, I was picking on gksu and GUI programs in general, but the same principle applies with sudo. Either rm would have to pull in a sudo library, or parse the sudoers file (or heaven forbid, sudoers in LDAP). That is still more things to go wrong in a simple, core OS program. A higher-level wrapper or replacement for rm that can do such fancy things on a desktop or less-critical server is a much better approach.
Also sudo is a setuid program, which it needs in order to elevate to root after it checks your password. And actually sudo runs as root before even asking for your password. Having many more programs run as setuid just so they could edit/remove system files after verifying a password increases the likelihood of there being a root exploit.
More features can be nice, but they are also just more things to go wrong...
These two items share a simple solution - rm would have to re-invoke itself via sudo. I don't think it's a good idea though.
-
Why should a program know how to call another program that does a completely unrelated thing? And what would stop a malicious program from sending the password entered to a third party source before switching to root and fucking over the system?
-
It's effectively impossible on CLI to tell what program you're entering your password into.
If a program manages to trick you into restarting your shell with a manipulated LD_PRELOAD, it could just inject its own prompt next time you legitimately started sudo.
-
with a manipulated LD_PRELOAD,
to be fair the GUI can be compromised in exactly the same way, it's just harder to trick a user into restarting their X server than their shell (because that's more noticeable)
-
You just have to fake the password-protected screensaver.
-
that also works. you can load xscreensaver in demo mode with a manipulated LD_PRELOAD.
still, my point is that exploit affects the GUI too.
-
GUI, CLI, even web pages... It's not possible to create 100% proof solution against those kinds of attack because they're psychologically based - the exploit needs only the user's stupidity to work, and relies only on the user's stupidity.
-
The manual then proceeds to educate you on EBNF in order to describe the sudoers file.
In computer science, Extended Backus–Naur Form (EBNF) is a family of metasyntax notations, any of which can be used to express a context-free grammar. EBNF is used to make a formal descrip
You have got to be shitting me.
-
GUI, CLI, even web pages...
yep.
i just wanted to make that explicitly clear, lest someone who was skimming the topic read that and thought that that particular issue was CLI specific, because it isn't
-
You have got to be shitting me.
No. It's true. Except it's not sudo manual that has this, but sudoers - the thing used to control sudo permissions.
-
Linux: the OS by robots, for robots.
-
I would call it a great achievement in AI research if that was true. But since it's you who posted it, it's obviously not true.