X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-1.9 required=5.0	tests=AWL,BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,T_TO_NO_BRKTS_FREEMAIL
X-Spam-Check-By: sourceware.org
Message-ID: <4D91E2A5.80806@gmail.com>
Date: Tue, 29 Mar 2011 14:46:13 +0100
From: Dave Korn <dave DOT korn DOT cygwin AT gmail DOT com>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: EXTERNAL: Virus that deletes everything under c:/cygwin?
References: <4D90B414 DOT 4040605 AT lmco DOT com> <468547 DOT 38757 DOT qm AT web52801 DOT mail DOT re2 DOT yahoo DOT com> <ims7q0$9pv$1 AT dough DOT gmane DOT org>
In-Reply-To: <ims7q0$9pv$1@dough.gmane.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On 29/03/2011 10:12, Thorsten Kampe wrote:
> * Dante Allegria (Mon, 28 Mar 2011 10:07:32 -0700 (PDT))
>> No, turns out it was because someone committed this into the nightly
>> build scripts:
>>    rm -rf $(DOES_NOT_EXIST)/*
>>
>> <sigh> Should cygwin's rm have some built-in safeguards for this? :)
> 
> Sure, it does. It's called "intelligent scripting" and it includes 
> setting "errexit" and "nounset" in bash or Z Shell. If you are scripting 
> and not using those above, then you got exactly what you deserved.

  Judging by those brackets being round rather than curly, I wouldn't have
thought we're dealing with a bash variable here but a makefile one, so nounset
isn't going to help if make just hands it a well-formed "rm -rf /*" command.

  As for "rm", it already does kind-of have safeguards against this, and
that's what the -f option is for - it turns them off.  So, what you'd really
need to avoid this problem is some kind of safeguards that can't possibly be
turned off... which would somewhat limit the general usability of "rm".

  That's why it doesn't have any built-in; but you can get the same effect by
replacing "rm" with a wrapper script in your build environment, and put any
safeguards you want (e.g.: disallow -f option, check for sane paths correctly
located under build dir, etc. etc.) into that.  You could use coding standards
and repository commit hooks to make sure that every script uses "$(RM)" rather
than invoking "rm" explicitly, and set that to point to your wrapper in some
central include file, and bingo.

  An alternative possibility: do all your builds in a chroot'ed jail.  Jails
may not be effective as security measures since it's possible to deliberately
break out of them, but they'd certainly work to protect against this kind of
unfortunate accident.

    cheers,
      DaveK






--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple