simont: A picture of me in 2016 (Default)
simont ([personal profile] simont) wrote2007-07-25 11:07 am
  • Add Memory
  • Share This Entry

rm -F

The build system at work occasionally generates entire directory trees full of files and directories with read-only permissions. Trying to delete such a directory is always a pain, because the procedure goes something like

  • rm -rf directory
  • rm gets EPERM on every file in a read-only subdirectory
  • swear
  • chmod -r +w directory
  • chmod tries to take the r permission away from the nonexistent file +w
  • swear
  • chmod -R +w directory
  • chmod now gets EPERM, because the previous invocation also successfully took the r permission away from directory
  • swear
  • chmod -R +rw directory
  • rm -rf directory

… and since I mostly try to avoid generating these directories in the first place, this happens just infrequently enough that the next time I've forgotten all the pitfalls and do pretty much the same thing again.

What I want is for rm to support the -F option, which is like -f except that it also authorises rm to temporarily restore write permission (if permitted to) on any directory from which the lack of it is preventing it from deleting a file. Or possibly it should only be allowed to do that if the directory is one it's planning to delete completely later in the operation anyway; that might be safer. But either way, the point is, if the Unix permissions system makes it possible in principle to arrange for the directory not to be there any more, then I want to be able to get rm to just do so, by any means necessary short of requesting the root password, and not bother me with trivial details of how.

Flat | Top-Level Comments Only
emperor: (Default)

[personal profile] emperor 2007-07-25 10:24 am (UTC)(link)
rm -FFS ? :-)
simont: A picture of me in 2016 (Default)

[personal profile] simont 2007-07-25 10:30 am (UTC)(link)
Since you mention it, I did have a clear idea about what -F should stand for. My official rationale is that it's the upper-case form of the existing -f, but really it stands for "F**KING DO IT THIS TIME!".
ext_8103: (geek)

[identity profile] ewx.livejournal.com 2007-07-25 10:27 am (UTC)(link)
Personally I think -f ought to do whatever it takes to remove the files, but it's probably too late for that.
gerald_duck: (duck and computer)

[personal profile] gerald_duck 2007-07-25 10:32 am (UTC)(link)
Thinking about it, I agree. Though I'm not in the habit of ending up with directories I own but can't modify, anyway.

Meanwhile, thinking about it I also have a nasty feeling in my waters: is rm -r secure? Particularly, what if someone suddenly replaces a subdirectory with a symlink to another point in the filesystem?

Hohum…

[identity profile] mooism.livejournal.com 2007-07-25 10:40 am (UTC)(link)
Doesn’t it just remove the symlink? I suppose a hard link would be different.
gerald_duck: (devil duck)

[personal profile] gerald_duck 2007-07-25 10:44 am (UTC)(link)
What I had in mind was:
  • rm -r starts deleting stuff
  • It determines that foo is a subdirectory
  • A Bad Person quickly does mv foo old-foo; ln -s /home/victim foo
  • rm -r descends into foo, which is now in reality the victim's home directory
  • It recursively deletes everything it finds there.
I suspect the GNU version, at least, checks this hasn't happened. But I'm not sure, and I really ought to know.

[identity profile] mooism.livejournal.com 2007-07-25 10:48 am (UTC)(link)
Oh, a race condition; argh.
cjwatson: (Default)

[personal profile] cjwatson 2007-07-25 11:09 am (UTC)(link) 
  /* There is a race condition in that an attacker could replace the nonempty
     directory, DIR, with a symlink between the preceding call to rmdir
     (in our caller) and the chdir below.  However, the following lstat,
     along with the `stat (".",...' and dev/ino comparison in AD_push
     ensure that we detect it and fail.  */


(coreutils-5.96/src/remove.c:remove_dir(); not quite current but I had it handy.)
Flat | Top-Level Comments Only