Linux specialist Kyle Kelley recently decided to see what happened if he launched a new Linux server and ran rm -rf / as root.
This command is the remove (delete) command, with the flags -rf indicating to run recursively down all folders and subfolders, and to force deletion even if the file is ordinarily read-only. The / indicates the command is to run from the top-most root directory in Linux.
This command – with these parameters – is the stuff of legend, or at least of practical jokes. While nobody would ever be foolish enough (one would hope) to run this command in a live environment, the threat of doing so has long been a Linux joke. It’s the Linux version of deleting all the files on your hard disk on a Windows computer – but in contrast to Windows it is actually surprising how usable a Linux system can still be after such a disaster – in the right hands.
Actually, as Kelley discovered, modern Linux implementations actively try to prevent such a disaster; the rm command now refuses to act on / unless it is also given the explicit --no-preserve-root option.
Both Kelley and Wolczko found the built-in functionality of the Linux shell to be a massive boon. So, for instance, even though /bin/ls may no longer exist you can still get a directory listing via echo *; this combines the shell’s built-in echo command and file-globbing to show the files which remain.
By using echo and the Linux I/O redirection operators it is possible to create new files, sending output to disk.
This isn’t limited to text strings; by using escape sequences of the form \xhh – where hh is a two-digit hexadecimal number – you can even write binary data directly to a file.
There is a catch: \x00 doesn’t write a zero byte as you might expect; instead it terminates the echo command. In this case you need to use an octal sequence with echo -ne $'\\0000'.
While this is tedious, if you have another system available and can make a hex dump of executable commands, you now have a way to recreate them on your damaged system using only the shell.
Of course, all still isn’t plain sailing. Your newly created file is not actually executable. Nevertheless, writing over an existing executable file can do the trick, because you can completely replace the contents and its executable bits will remain. Perhaps the chmod command might be the first command to recreate in this fashion.
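The builtin-only rebuild described above, as an added example that is not from the article or from Kelley's own write-up; it assumes bash (whose builtin echo understands -n, -e and \xhh) and that the hex dump was taken on another, intact machine:

```bash
#!/bin/bash
# Added example, not from the article: rebuild a binary file from a hex dump
# using nothing but bash builtins (echo, parameter expansion, redirection),
# i.e. the situation above where /bin is gone but the shell is still running.
# Assumes bash, whose builtin echo understands -n, -e and \xhh.

# Turn a hex dump (e.g. the output of xxd -p taken on another machine;
# whitespace is ignored) into an escape string for `echo -ne`.  Every byte
# becomes \xhh except 00, which is emitted as the octal escape \0000 to get
# round the \x00 problem described above.
hex_to_escapes() {
    local hex="${1//[[:space:]]/}" out="" byte
    [[ "$hex" =~ ^[0-9a-fA-F]*$ ]] || { echo "not a hex dump" >&2; return 1; }
    [ $(( ${#hex} % 2 )) -eq 0 ]   || { echo "odd number of hex digits" >&2; return 1; }
    while [ -n "$hex" ]; do
        byte="${hex:0:2}"
        hex="${hex:2}"
        case "$byte" in
            00) out="${out}\\0000" ;;
            *)  out="${out}\\x${byte}" ;;
        esac
    done
    echo -n "$out"   # no -e: the backslashes must stay literal here
}

# Write the decoded bytes to PATH.  The > redirection truncates and rewrites
# an existing file in place, so an executable's mode bits survive the
# overwrite; that is the trick used above to get a runnable file back.
write_hex_file() {
    local escapes
    escapes=$(hex_to_escapes "$1") || return 1
    echo -ne "$escapes" > "$2"
}

# Directory listing without /bin/ls: shell globbing plus builtin echo,
# one name per line, dotfiles included.
list_dir() {
    local f
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] && echo "${f##*/}"
    done
    return 0
}
```

Paste the dump into the damaged shell as the first argument of write_hex_file, with the path of an existing (still executable) file as the second, and the result keeps its mode bits.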
Reddit user throw_away5046 provided a robust solution to getting an executable bit set, provided you have network access to another Linux system via /dev/tcp and can compile some custom C code.
With such power at your fingertips you can, and should, obtain BusyBox, the tiny Swiss Army knife of embedded Linux. This one executable gives you a wide range of other valuable commands and utilities.
In fact, once Kelley was able to install BusyBox he had no difficulty in recreating the /bin folder, well on his way to rebuilding his trashed Linux system.
This experiment demonstrates the need to remain cool and calm under pressure. The first instinct for some in such a disaster may be to reboot, though it is dubious such a damaged system would reboot at all.
While the use of rm -rf / is surely apocryphal, there can be genuine disasters which occur such as a corrupted dynamic linker, meaning all dynamically-linked executables become unexecutable.
It is a testament to Linux and to the sharp minds of Linux users that in a seemingly impossible and catastrophic situation there can still be a means to get back to a usable system.