--no-preserve-common-sense



  • Continuing the discussion from XSplit installer removes directory junctions:

    Here's a story from SO that I found quite amusing:

    Here's an entertaining tragedy. This morning I was doing a bit of maintenance on my production server, when I mistakenly executed the following command:

    sudo rm -rf --no-preserve-root /mnt/hetznerbackup /

    I didn't spot the last space before / and a few seconds later, when warnings were flooding my command line, I realised that I had just hit the self-destruct button. Here's a bit of what burned into my eyes:

    So, the tool author adds a safety option specifically to protect against a certain class of accidental error, and for some unknown reason the user chooses to disable that feature, even though they very much did not want the thing that was protected against to happen? What will these crazy Linux people think of next?



  • Cargo cult thinking, probably.



  • Except for cargo cults to arise there actually had to be cargo coming through. Where would someone possibly have seen --no-preserve-root used in a context where it wasn't perfectly obvious that wasn't something you'd ever want to do?



  • Nice one. It remains a mystery why he felt the need to add --no-preserve-root switch. It feels like we aren't getting the whole story.



  • Yeah. I've just had the thought that maybe he did the typo first, then got an error message that he presumably didn't read, and just copy pasted the switch it mentioned into the command.

    Also I'm wondering if I made the wrong decision to cut off the quote where I did, because in a bit of confusing irony, the first line of output was:
    rm: cannot remove '/mnt/hetznerbackup': Is a directory
    is that because it doesn't have a trailing slash or what?



  • @Buddy said:

    is that because it doesn't have a trailing slash or what?

    The trailing / isn't required.

    This story doesn't seem to be the full information. Accidentally typing --no-preserve-root?! :wtf:


  • Winner of the 2016 Presidential Election

    I don't know what you guys are even complaining about.
    no-preserve-root clearly means: no, preserve root if you translate backwards from most URL-generators. So clearly, you'd use it if you wanted to preserve root
    If you wanted to not preserve root, you'd have to go dont-preserve-root.

    <!-- hidden :trollface: just in case -->

    Filed Under: imagine @accalia had was working on those flags shudder



  • @Kuro said:

    imagine @accalia had was working on those flags shudder

    That gets you npm isntall


  • sockdevs

    @Kuro said:

    Filed Under: imagine @accalia had was working on those flags shudder

    E_PARSE_ERROR

    What would i had was working?



  • It's totally realistic and could happen to anyone. One time, I wanted to delete an installer for an old version of 7zip, so I highlighted it, hit delete, then accidentally rebooted into DBAN and accidentally hit yes to all the warnings.



  • I hate when that happens. 3 times so far this week.. 😔



  • Man if only he had an undo button.


    I actually talked about this in a thread ages ago, but the problem is in the Linux world, you "train" people by having them do magical incantations. The command didn't work, so now add "sudo" to the beginning. Oh now it works! So I guess add "sudo" to everything is the best strategy! Because God forbid the command just automatically asks me to elevate like, hm, UAC would have!

    Which is a shitty shitty shitty way of running everything. There's no safety feature, and you train your users to do things in the unsafe way because that's the only way shit works. Welcome to the land of ass, made by dicks.


  • Winner of the 2016 Presidential Election

    @blakeyrat said:

    Because God forbid the command just automatically asks me to elevate like, hm, UAC would have!

    Which will happen, in GUI.

    Core stuff like rm doesn't do that. Why? I'm assuming compatibility. sudo, as ubiquitous as it may seem when googling stuff, is not something every system will have installed by default. On many systems, by default, there is no way to do that other than logging in as root and doing stuff like that. IME Ubuntu is a special snowflake when it comes to this, actually. It even disables the root account by default, for better or for worse.

    I guess you could alias all the basic commands and wrap them in a piece of code that checks for permissions and prompts for elevation as required, but I've never seen that done so far.



  • @Onyx said:

    I guess you could alias all the basic commands and wrap them in a piece of code that checks for permissions and prompts for elevation as required, but I've never seen that done so far.

    Of course not. That might take... effort.



  • Probably a better way to do that would be to install a filesystem that lets you roll back any change, any time. Guess what Linux has available, that nobody seems to have installed?


  • Winner of the 2016 Presidential Election

    You mean btrfs? Isn't Oracle using that, at least?

    Or am I missing a feature on any of the other ones?



  • @blakeyrat said:

    I actually talked about this in a thread ages ago, but the problem is in the Linux world, you "train" people by having them do magical incantations. The command didn't work, so now add "sudo" to the beginning. Oh now it works! So I guess add "sudo" to everything is the best strategy! Because God forbid the command just automatically asks me to elevate like, hm, UAC would have!

    Yeah, because Windows users totally don't click "Yes" in every single UAC dialog ever. Not at all. And they totally don't disable UAC altogether.



  • I'd heard that nilfs offered that, but when I went to search for it to find out more I got... distracted.



  • @Onyx said:

    Core stuff like rm doesn't do that. Why? I'm assuming compatibility.

    The reason is not just compatibility. It is because us server admins don't want rm and every other basic command to install a bucket load of GUI shared libraries just so that someone can have their pretty pop-up window.

    Plus, if you have ever had to repair a system that barely boots and you don't have the right kind of boot disk/CD handy or can't reboot, you are very thankful when the very simple programs like ls, cat, and rm at least work (and even ls is optional).

    Greybeard rant: If some users need crutches like pop-up windows to remind them what to do, then they can use GUI programs instead of the core CLI utilities. ;)

    PS: And it would be much better if more helper programs existed for novice users, rather than giving them magical incantations on forums to solve basic config problems.


  • Winner of the 2016 Presidential Election

    @quijibo said:

    The reason is not just compatibility. It is because us server admins don't want rm and every other basic command to install a bucket load of GUI shared libraries just so that someone can have their pretty pop-up window.

    Ummm... sudo doesn't pull GUI libraries along. gksu does, which was in the screenshot, yes, but I used that to demonstrate that there is a mechanism by which this is handled by default - in GUI, not necessarily in CLI.


  • area_deu

    @quijibo said:

    The reason is not just compatibility. It is because us server admins don't want rm and every other basic command to install a bucket load of GUI shared libraries just so that someone can have their pretty pop-up window.

    You can add text dialogs on GUI-less machines.
    whiptail is a thing, you know.



    The problem with prompting for a password is that most Unix-like systems, Linux included, optimize for the corporate mainframe scenario, where most users have very limited rights. In other words, prompting for the root password is stupid because the user doesn't know it. Not to mention sudo was originally meant for something completely different than "run this single command as administrator".



  • Also remember these simple commands often appear in shell scripts. The user may not know how to handle a confirmation request from the core of the shell script, and on the script side there's usually no easy way to check permissions beforehand.

    Also note rm (and probably others) does have a command line option to confirm each file removed. Some distributions turn this on by default for root, which leads to people always using rm -f as root...



  • Also zfs. Supports instant snapshots, practically for free.


  • Discourse touched me in a no-no place

    @Gaska said:

    Not to mention sudo was originally meant for something completely different than "run this single command as administrator".

    What was it? If it was picking grapefruit in California, I think it's kind-of failed comprehensively on that front.



  • SUDO(8)                   BSD System Manager's Manual                  SUDO(8)
    
    NAME
         sudo, sudoedit — execute a command as another user
    
    SYNOPSIS
         sudo -h | -K | -k | -V
         sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
         sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
              [command]
         sudo [-AbEHnPS] [-C num] [-g group] [-h host] [-p prompt] [-r role]
              [-t type] [-u user] [VAR=value] [-i | -s] [command]
         sudoedit [-AknS] [-C num] [-g group] [-h host] [-p prompt] [-u user] file
              ...
    
    DESCRIPTION
         sudo allows a permitted user to execute a command as the superuser or
         another user, as specified by the security policy.
    
         sudo supports a plugin architecture for security policies and input/out‐
         put logging.  Third parties can develop and distribute their own policy
         and I/O logging plugins to work seamlessly with the sudo front end.  The
         default security policy is sudoers, which is configured via the file
         /etc/sudoers, or via LDAP.  See the Plugins section for more information.
    

    The manual then proceeds to educate you on EBNF in order to describe the sudoers file.


  • Discourse touched me in a no-no place

    That's what I understand it to do too; the “run a single command as administrator without having to share out the root password” thing is the original use case; sudo was always intended to be a better su for a large set of common situations.

    The stuff with grapefruits was just amusing hyperbole. It's obviously about avocados. :neutral_face:


  • sockdevs

    @dkf said:

    It's obviously about avocados.

    Does that include the devil's avocado?



  • @PleegWat said:

    command line option to confirm each file removed.

    alias rm='rm -i' is generally the first thing that goes into any .bashrc/.cshrc/.whateverrc on any machine I use.



  • Original use case of sudo was "make it possible for some user to run some command on behalf of another user". The fact it's almost exclusively used for temporary root rights is kinda by accident. Also, su defaulting to root account has nothing to do with switching to root being almost always what the user wants.



  • @Onyx said:

    Ummm... sudo doesn't pull GUI libraries along. gksu does, which was in the screenshot, yes, but I used that to demonstrate that there is a mechanism by which this is handled by default - in GUI, not necessarily in CLI.

    Yes, I was picking on gksu and GUI programs in general, but the same principle applies with sudo. Either rm would have to pull in a sudo library, or parse the sudoers file (or heaven forbid, sudoers in LDAP). That is still more things to go wrong in a simple, core OS program. A higher-level wrapper or replacement for rm that can do such fancy things on a desktop or less-critical server is a much better approach.

    Also sudo is a setuid program, which it needs in order to elevate to root after it checks your password. And actually sudo runs as root before even asking for your password. Having many more programs run as setuid just so they could edit/remove system files after verifying a password increases the likelihood of there being a root exploit.

    More features can be nice, but they are also just more things to go wrong...



  • @HardwareGeek said:

    @PleegWat said:
    command line option to confirm each file removed.

    alias rm='rm -i' is generally the first thing that goes into any .bashrc/.cshrc/.whateverrc on any machine I use.

    Read a thing suggesting that was bad practice, as it can enable the development of bad habits. If you alias it as, say, rmi then if you ever enter that command into a shell without that alias, it will fail, which might be a better outcome than success.



  • Why not sudo apt-get install trash-cli?



  • @Buddy said:

    it can enable the development of bad habits.

    That might be a very good point — if you had told me, like, 25 years ago. At this point, my habits — good and bad — are pretty deeply ingrained.

    That said, I'm generally pretty careful to make sure the files I specify are what I want to delete, especially since it seems like more often than not, I'm doing a rm -rf somedir, so -i won't save me if I screw up. No, I've never used --no-preserve-root in my life.



  • Ignoring the whole trash-cli vs rm vs a GUI delete tool, I count at least 4 WTFs here:

    1. the --no-preserve-root flag, which shouldn't ever be used... if you must use it, you might as well use gparted on your installation media to repartition/reformat.
    2. The -f in the options. You don't use force unless you absolutely need it
    3. Not trying ls /mnt/hetznerbackup / first, which would have displayed the contents of both /mnt/hetznerbackup and /.
    4. Not using tab completion, which would have auto-completed the directory name for you, including escaping any special characters.

    As for sudo, you need root permission to mess with /mnt by default so you need to sudo or su -c the command.
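Following the thread's own advice (a distinct name rather than shadowing rm, as suggested earlier for rm -i, and refusing the flag that disabled the safety check in the story), here is an added example wrapper written for this thread; it is not coreutils code or anything from the posts above, and the names saferm and saferm_check are invented:

```shell
# saferm: a POSIX sh wrapper that refuses the two mistakes in the story.
# Hypothetical example written for this thread; saferm/saferm_check are invented names.
# It is deliberately NOT called "rm", so typing it on a machine without it simply fails.

# Return 0 if the argument list is safe to hand to rm, 1 if it must be refused.
saferm_check() {
    opts_done=0
    for arg in "$@"; do
        if [ "$opts_done" -eq 0 ]; then
            case "$arg" in
                --no-preserve-root)
                    echo "saferm: refusing to honour --no-preserve-root" >&2
                    return 1 ;;
                --) opts_done=1; continue ;;   # everything after -- is a path
                -?*) continue ;;               # any other option is passed through
            esac
        fi
        # Only a directory can be the root; resolve it physically so that
        # "/." or a symlink pointing at / are caught, not just a literal "/".
        if [ -d "$arg" ]; then
            resolved=$(cd -- "$arg" 2>/dev/null && pwd -P) || continue
            if [ "$resolved" = "/" ]; then
                echo "saferm: refusing to remove '$arg': it is the root directory" >&2
                return 1
            fi
        fi
    done
    return 0
}

# Run the check, then hand the untouched argument list to the real rm.
saferm() {
    saferm_check "$@" || return 1
    command rm "$@"
}
```

The stray "/" from the story (sudo rm -rf --no-preserve-root /mnt/hetznerbackup /) is refused twice over: once for the flag and once because the last argument resolves to the root directory.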


  • Discourse touched me in a no-no place

    @Gaska said:

    Original use case of sudo was "make it possible for some user to run some command on behalf of another user". The fact it's almost exclusively used for temporary root rights is kinda by accident.

    The original use case was “allowing someone who isn't root to run a program as root without the root password”. Really. It's implicit in the name. It sort of dropped out of the realization that the usage pattern of Unix systems was shifting slightly in the mid-'90s towards the case where systems had a primary user who would need to do some operations without requiring full admin access (as opposed to being shared systems and having a full-time administrator), and that having masses of setuid programs was going to be a security horror story. It's been well-engineered so as to support more things, but the core, original use case is that one.

    @Gaska said:

    Also, su defaulting to root account has nothing to do with switching to root being almost always what the user wants.

    su defaults to root because that's the only truly special account on the system. It can't default to any other (except to the useless what-the-current-account-is) because it has no idea what to default to. It's a simple-minded system that requires you to be explicit, much like many other tools.

    But I don't see why you started talking about su half way through a paragraph originally about sudo. They're very different programs, from different eras.



  • @dkf said:

    The original use case was running “allowing someone who isn't root to run a program as rootsomeone else without the roottarget account password”.

    FTFY. It's basically the same as you said, but your post is implying it's all about root privileges (which it's not in the general case, even though it is 99% of the time).

    @dkf said:

    Really. It's implicit in the name

    "su" stands for "switch user", not "super user".

    @dkf said:

    But I don't see why you started talking about su half way through a paragraph originally about sudo. They're very different programs, from different eras.

    But people use it to accomplish the same goal - temporary root privileges.



  • @powerlord said:

    The -f in the options. You don't use force unless you absolutely need it

    It annoys me you can't recursively delete without force.



  • @quijibo said:

    @Onyx said:
    Ummm... sudo doesn't pull GUI libraries along. gksu does, which was in the screenshot, yes, but I used that to demonstrate that there is a mechanism by which this is handled by default - in GUI, not necessarily in CLI.

    Yes, I was picking on gksu and GUI programs in general, but the same principle applies with sudo. Either rm would have to pull in a sudo library, or parse the sudoers file (or heaven forbid, sudoers in LDAP). That is still more things to go wrong in a simple, core OS program. A higher-level wrapper or replacement for rm that can do such fancy things on a desktop or less-critical server is a much better approach.

    Also sudo is a setuid program, which it needs in order to elevate to root after it checks your password. And actually sudo runs as root before even asking for your password. Having many more programs run as setuid just so they could edit/remove system files after verifying a password increases the likelihood of there being a root exploit.

    More features can be nice, but they are also just more things to go wrong...

    These two items share a simple solution - rm would have to re-invoke itself via sudo. I don't think it's a good idea though.



  • Why should a program know how to call another program that does a completely unrelated thing? And what would stop a malicious program from sending the password entered to a third party source before switching to root and fucking over the system?



  • It's effectively impossible on the CLI to tell what program you're entering your password into.

    If a program manages to trick you into restarting your shell with a manipulated LD_PRELOAD, it could just inject its own prompt next time you legitimately started sudo.


  • sockdevs

    @PleegWat said:

    with a manipulated LD_PRELOAD,

    to be fair the GUI can be compromised in exactly the same way, it's just harder to trick a user into restarting their X server than their shell (because that's more noticeable)



  • You just have to fake the password-protected screensaver.


  • sockdevs

    that also works. you can load xscreensaver in demo mode with a manipulated LD_PRELOAD.

    still, my point is that exploit affects the GUI too.



  • GUI, CLI, even web pages... It's not possible to create 100% proof solution against those kinds of attack because they're psychologically based - the exploit needs only the user's stupidity to work, and relies only on the user's stupidity.



  • @riking said:

    The manual then proceeds to educate you on EBNF in order to describe the sudoers file.

    In computer science, Extended Backus–Naur Form (EBNF) is a family of metasyntax notations, any of which can be used to express a context-free grammar. EBNF is used to make a formal descrip

    You have got to be shitting me.


  • sockdevs

    @Gaska said:

    GUI, CLI, even web pages...

    yep.

    i just wanted to make that explicitly clear, lest someone who was skimming the topic read that and thought that that particular issue was CLI specific, because it isn't



  • @blakeyrat said:

    You have got to be shitting me.

    No. It's true. Except it's not sudo manual that has this, but sudoers - the thing used to control sudo permissions.



  • Linux: the OS by robots, for robots.



  • I would call it a great achievement in AI research if that was true. But since it's you who posted it, it's obviously not true.

