Disallow `rm` to remove `*`












6












$begingroup$


Note: If you googled this by the title of this question, don't use this script unless you know what it is supposed to do.



This is a script in bash 3+ that I have used for long for preventing rm * and rm -rf * from accidentally invoked and removing important files by mistake. I put it in my ~/.bash_aliases.



alias rm='set -f;rm'
rm(){
if [[ "$-" == *i* ]]
then
if [ "$1" = "*" ] || [ "$2" = "*" ] || [ "$1" = "./*" ] || [ "$2" = "./*" ]
then
echo "Abort: refusing to remove *, please go to the parent folder and do rm <folder_name>/*" 1>&2
set +f
return 1
fi
fi
set +f
/bin/rm -i $@
}

set +f


I would like to know whether there are any vulnerabilities and whether it can be improved.










share|improve this question











$endgroup$

















    6












    $begingroup$


    Note: If you googled this by the title of this question, don't use this script unless you know what it is supposed to do.



    This is a script in bash 3+ that I have used for long for preventing rm * and rm -rf * from accidentally invoked and removing important files by mistake. I put it in my ~/.bash_aliases.



    alias rm='set -f;rm'
    rm(){
    if [[ "$-" == *i* ]]
    then
    if [ "$1" = "*" ] || [ "$2" = "*" ] || [ "$1" = "./*" ] || [ "$2" = "./*" ]
    then
    echo "Abort: refusing to remove *, please go to the parent folder and do rm <folder_name>/*" 1>&2
    set +f
    return 1
    fi
    fi
    set +f
    /bin/rm -i $@
    }

    set +f


    I would like to know whether there are any vulnerabilities and whether it can be improved.










    share|improve this question











    $endgroup$















      6












      6








      6





      $begingroup$


      Note: If you googled this by the title of this question, don't use this script unless you know what it is supposed to do.



      This is a script in bash 3+ that I have used for long for preventing rm * and rm -rf * from accidentally invoked and removing important files by mistake. I put it in my ~/.bash_aliases.



      alias rm='set -f;rm'
      rm(){
      if [[ "$-" == *i* ]]
      then
      if [ "$1" = "*" ] || [ "$2" = "*" ] || [ "$1" = "./*" ] || [ "$2" = "./*" ]
      then
      echo "Abort: refusing to remove *, please go to the parent folder and do rm <folder_name>/*" 1>&2
      set +f
      return 1
      fi
      fi
      set +f
      /bin/rm -i $@
      }

      set +f


      I would like to know whether there are any vulnerabilities and whether it can be improved.










      share|improve this question











      $endgroup$




      Note: If you googled this by the title of this question, don't use this script unless you know what it is supposed to do.



      This is a script in bash 3+ that I have used for long for preventing rm * and rm -rf * from accidentally invoked and removing important files by mistake. I put it in my ~/.bash_aliases.



      alias rm='set -f;rm'
      rm(){
      if [[ "$-" == *i* ]]
      then
      if [ "$1" = "*" ] || [ "$2" = "*" ] || [ "$1" = "./*" ] || [ "$2" = "./*" ]
      then
      echo "Abort: refusing to remove *, please go to the parent folder and do rm <folder_name>/*" 1>&2
      set +f
      return 1
      fi
      fi
      set +f
      /bin/rm -i $@
      }

      set +f


      I would like to know whether there are any vulnerabilities and whether it can be improved.







      bash






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited yesterday







      Weijun Zhou

















      asked yesterday









      Weijun ZhouWeijun Zhou

      1615




      1615






















          2 Answers
          2






          active

          oldest

          votes


















          6












          $begingroup$

          The vulnerability I see is that only the first two arguments are checked. You could check all of them:



          rm() { 
          [[ $- == *i* ]] && for arg
          do
          if [[ $arg = "*" || $arg = "./*" ]]
          then
          # abort
          fi
          done
          # do the rm


          This kind of checking will miss other dangerous wildcards like ** or ?*. You can get safer checking by expanding * yourself, then see if the expanded arguments contain that same list of files:



          # alias not needed here; we want globs to be expanded
          rm() {
          declare -a star=(*)
          declare -a dotslashstar=(./*)
          if [[ "$@" == *"${star[@]}"* || "$@" == *"${dotslashstar[@]}"* ]]
          then
          # abort


          ... but then you can't (for example) empty a directory full of temp files with rm *.tmp, if *.tmp and * match the same thing.






          share|improve this answer









          $endgroup$









          • 2




            $begingroup$
            I love your idea of expanding * myself.
            $endgroup$
            – Weijun Zhou
            yesterday



















          4












          $begingroup$

          Double-quote variables used in command parameters



          This is a bug:




          /bin/rm -i $@



          What will happen if you try to delete file a b (with space in the name)?
          Most likely this:




          rm: a: No such file or directory
          rm: b: No such file or directory



          Always write "$@" instead of unquoted $@.



          Unfortunately, as you pointed out in a comment,
          this will cause another problem:
          arguments containing globs will be taken literally.
          In short, it's difficult to have the cake and eat it too.



          You could mitigate the problem by looping over the arguments,
          and if you detect a glob, then expand it yourself:



          for arg; do
          if [[ $arg == *[*?]* ]]; then
          expanded=($arg)
          echo rm -i "${expanded[@]}"
          else
          echo rm -i "$arg"
          fi
          done


          This still won't be perfect, because it doesn't handle the case when an argument contains both spaces and globs. A robust solution would take more effort, and not worth doing in Bash. (See this example delegating the hard work to Python.)



          Use command to bypass aliases



          Don't worry about the absolute path of commands. Use command to bypass aliases:



          command rm -i "$@"


          Redundant file descriptors



          In echo "Abort: ..." 1>&2, the file descriptor 1 is redundant, you can safely omit it.



          Preserving the user's environment



          This is a minor nitpick.
          When the alias is executed, it will do set +f,
          regardless of whatever was the original setting in the shell,
          which may not be the same.
          This is really just a minor nitpick, for the record.
          I wouldn't care about this tiny impractical detail either.






          share|improve this answer











          $endgroup$









          • 1




            $begingroup$
            I had an issue with patterns containing asterisk (e.g. rm -f .*.swp) and that's why I didn't quote $@. Your other advices are taken.
            $endgroup$
            – Weijun Zhou
            16 hours ago










          • $begingroup$
            @WeijunZhou That's a good point. See my updated answer.
            $endgroup$
            – janos
            27 mins ago











          Your Answer





          StackExchange.ifUsing("editor", function () {
          return StackExchange.using("mathjaxEditing", function () {
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
          });
          });
          }, "mathjax-editing");

          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "196"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f215069%2fdisallow-rm-to-remove%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          6












          $begingroup$

          The vulnerability I see is that only the first two arguments are checked. You could check all of them:



          rm() { 
          [[ $- == *i* ]] && for arg
          do
          if [[ $arg = "*" || $arg = "./*" ]]
          then
          # abort
          fi
          done
          # do the rm


          This kind of checking will miss other dangerous wildcards like ** or ?*. You can get safer checking by expanding * yourself, then see if the expanded arguments contain that same list of files:



          # alias not needed here; we want globs to be expanded
          rm() {
          declare -a star=(*)
          declare -a dotslashstar=(./*)
          if [[ "$@" == *"${star[@]}"* || "$@" == *"${dotslashstar[@]}"* ]]
          then
          # abort


          ... but then you can't (for example) empty a directory full of temp files with rm *.tmp, if *.tmp and * match the same thing.






          share|improve this answer









          $endgroup$









          • 2




            $begingroup$
            I love your idea of expanding * myself.
            $endgroup$
            – Weijun Zhou
            yesterday
















          6












          $begingroup$

          The vulnerability I see is that only the first two arguments are checked. You could check all of them:



          rm() { 
          [[ $- == *i* ]] && for arg
          do
          if [[ $arg = "*" || $arg = "./*" ]]
          then
          # abort
          fi
          done
          # do the rm


          This kind of checking will miss other dangerous wildcards like ** or ?*. You can get safer checking by expanding * yourself, then see if the expanded arguments contain that same list of files:



          # alias not needed here; we want globs to be expanded
          rm() {
          declare -a star=(*)
          declare -a dotslashstar=(./*)
          if [[ "$@" == *"${star[@]}"* || "$@" == *"${dotslashstar[@]}"* ]]
          then
          # abort


          ... but then you can't (for example) empty a directory full of temp files with rm *.tmp, if *.tmp and * match the same thing.






          share|improve this answer









          $endgroup$









          • 2




            $begingroup$
            I love your idea of expanding * myself.
            $endgroup$
            – Weijun Zhou
            yesterday














          6












          6








          6





          $begingroup$

          The vulnerability I see is that only the first two arguments are checked. You could check all of them:



          rm() { 
          [[ $- == *i* ]] && for arg
          do
          if [[ $arg = "*" || $arg = "./*" ]]
          then
          # abort
          fi
          done
          # do the rm


          This kind of checking will miss other dangerous wildcards like ** or ?*. You can get safer checking by expanding * yourself, then see if the expanded arguments contain that same list of files:



          # alias not needed here; we want globs to be expanded
          rm() {
          declare -a star=(*)
          declare -a dotslashstar=(./*)
          if [[ "$@" == *"${star[@]}"* || "$@" == *"${dotslashstar[@]}"* ]]
          then
          # abort


          ... but then you can't (for example) empty a directory full of temp files with rm *.tmp, if *.tmp and * match the same thing.






          share|improve this answer









          $endgroup$



          The vulnerability I see is that only the first two arguments are checked. You could check all of them:



          rm() { 
          [[ $- == *i* ]] && for arg
          do
          if [[ $arg = "*" || $arg = "./*" ]]
          then
          # abort
          fi
          done
          # do the rm


          This kind of checking will miss other dangerous wildcards like ** or ?*. You can get safer checking by expanding * yourself, then see if the expanded arguments contain that same list of files:



          # alias not needed here; we want globs to be expanded
          rm() {
          declare -a star=(*)
          declare -a dotslashstar=(./*)
          if [[ "$@" == *"${star[@]}"* || "$@" == *"${dotslashstar[@]}"* ]]
          then
          # abort


          ... but then you can't (for example) empty a directory full of temp files with rm *.tmp, if *.tmp and * match the same thing.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered yesterday









          Oh My GoodnessOh My Goodness

          1,179213




          1,179213








          • 2




            $begingroup$
            I love your idea of expanding * myself.
            $endgroup$
            – Weijun Zhou
            yesterday














          • 2




            $begingroup$
            I love your idea of expanding * myself.
            $endgroup$
            – Weijun Zhou
            yesterday








          2




          2




          $begingroup$
          I love your idea of expanding * myself.
          $endgroup$
          – Weijun Zhou
          yesterday




          $begingroup$
          I love your idea of expanding * myself.
          $endgroup$
          – Weijun Zhou
          yesterday













          4












          $begingroup$

          Double-quote variables used in command parameters



          This is a bug:




          /bin/rm -i $@



          What will happen if you try to delete file a b (with space in the name)?
          Most likely this:




          rm: a: No such file or directory
          rm: b: No such file or directory



          Always write "$@" instead of unquoted $@.



          Unfortunately, as you pointed out in a comment,
          this will cause another problem:
          arguments containing globs will be taken literally.
          In short, it's difficult to have the cake and eat it too.



          You could mitigate the problem by looping over the arguments,
          and if you detect a glob, then expand it yourself:



          for arg; do
          if [[ $arg == *[*?]* ]]; then
          expanded=($arg)
          echo rm -i "${expanded[@]}"
          else
          echo rm -i "$arg"
          fi
          done


          This still won't be perfect, because it doesn't handle the case when an argument contains both spaces and globs. A robust solution would take more effort, and not worth doing in Bash. (See this example delegating the hard work to Python.)



          Use command to bypass aliases



          Don't worry about the absolute path of commands. Use command to bypass aliases:



          command rm -i "$@"


          Redundant file descriptors



          In echo "Abort: ..." 1>&2, the file descriptor 1 is redundant, you can safely omit it.



          Preserving the user's environment



          This is a minor nitpick.
          When the alias is executed, it will do set +f,
          regardless of whatever was the original setting in the shell,
          which may not be the same.
          This is really just a minor nitpick, for the record.
          I wouldn't care about this tiny impractical detail either.






          share|improve this answer











          $endgroup$









          • 1




            $begingroup$
            I had an issue with patterns containing asterisk (e.g. rm -f .*.swp) and that's why I didn't quote $@. Your other advices are taken.
            $endgroup$
            – Weijun Zhou
            16 hours ago










          • $begingroup$
            @WeijunZhou That's a good point. See my updated answer.
            $endgroup$
            – janos
            27 mins ago
















          4












          $begingroup$

          Double-quote variables used in command parameters



          This is a bug:




          /bin/rm -i $@



          What will happen if you try to delete file a b (with space in the name)?
          Most likely this:




          rm: a: No such file or directory
          rm: b: No such file or directory



          Always write "$@" instead of unquoted $@.



          Unfortunately, as you pointed out in a comment,
          this will cause another problem:
          arguments containing globs will be taken literally.
          In short, it's difficult to have the cake and eat it too.



          You could mitigate the problem by looping over the arguments,
          and if you detect a glob, then expand it yourself:



          for arg; do
          if [[ $arg == *[*?]* ]]; then
          expanded=($arg)
          echo rm -i "${expanded[@]}"
          else
          echo rm -i "$arg"
          fi
          done


          This still won't be perfect, because it doesn't handle the case when an argument contains both spaces and globs. A robust solution would take more effort, and not worth doing in Bash. (See this example delegating the hard work to Python.)



          Use command to bypass aliases



          Don't worry about the absolute path of commands. Use command to bypass aliases:



          command rm -i "$@"


          Redundant file descriptors



          In echo "Abort: ..." 1>&2, the file descriptor 1 is redundant, you can safely omit it.



          Preserving the user's environment



          This is a minor nitpick.
          When the alias is executed, it will do set +f,
          regardless of whatever was the original setting in the shell,
          which may not be the same.
          This is really just a minor nitpick, for the record.
          I wouldn't care about this tiny impractical detail either.






          share|improve this answer











          $endgroup$









          • 1




            $begingroup$
            I had an issue with patterns containing asterisk (e.g. rm -f .*.swp) and that's why I didn't quote $@. Your other advices are taken.
            $endgroup$
            – Weijun Zhou
            16 hours ago










          • $begingroup$
            @WeijunZhou That's a good point. See my updated answer.
            $endgroup$
            – janos
            27 mins ago














          4












          4








          4





          $begingroup$

          Double-quote variables used in command parameters



          This is a bug:




          /bin/rm -i $@



          What will happen if you try to delete file a b (with space in the name)?
          Most likely this:




          rm: a: No such file or directory
          rm: b: No such file or directory



          Always write "$@" instead of unquoted $@.



          Unfortunately, as you pointed out in a comment,
          this will cause another problem:
          arguments containing globs will be taken literally.
          In short, it's difficult to have the cake and eat it too.



          You could mitigate the problem by looping over the arguments,
          and if you detect a glob, then expand it yourself:



          for arg; do
          if [[ $arg == *[*?]* ]]; then
          expanded=($arg)
          echo rm -i "${expanded[@]}"
          else
          echo rm -i "$arg"
          fi
          done


          This still won't be perfect, because it doesn't handle the case when an argument contains both spaces and globs. A robust solution would take more effort, and not worth doing in Bash. (See this example delegating the hard work to Python.)



          Use command to bypass aliases



          Don't worry about the absolute path of commands. Use command to bypass aliases:



          command rm -i "$@"


          Redundant file descriptors



          In echo "Abort: ..." 1>&2, the file descriptor 1 is redundant, you can safely omit it.



          Preserving the user's environment



          This is a minor nitpick.
          When the alias is executed, it will do set +f,
          regardless of whatever was the original setting in the shell,
          which may not be the same.
          This is really just a minor nitpick, for the record.
          I wouldn't care about this tiny impractical detail either.






          share|improve this answer











          $endgroup$



          Double-quote variables used in command parameters



          This is a bug:




          /bin/rm -i $@



          What will happen if you try to delete file a b (with space in the name)?
          Most likely this:




          rm: a: No such file or directory
          rm: b: No such file or directory



          Always write "$@" instead of unquoted $@.



          Unfortunately, as you pointed out in a comment,
          this will cause another problem:
          arguments containing globs will be taken literally.
          In short, it's difficult to have the cake and eat it too.



          You could mitigate the problem by looping over the arguments,
          and if you detect a glob, then expand it yourself:



          for arg; do
          if [[ $arg == *[*?]* ]]; then
          expanded=($arg)
          echo rm -i "${expanded[@]}"
          else
          echo rm -i "$arg"
          fi
          done


          This still won't be perfect, because it doesn't handle the case when an argument contains both spaces and globs. A robust solution would take more effort, and not worth doing in Bash. (See this example delegating the hard work to Python.)



          Use command to bypass aliases



          Don't worry about the absolute path of commands. Use command to bypass aliases:



          command rm -i "$@"


          Redundant file descriptors



          In echo "Abort: ..." 1>&2, the file descriptor 1 is redundant, you can safely omit it.



          Preserving the user's environment



          This is a minor nitpick.
          When the alias is executed, it will do set +f,
          regardless of whatever was the original setting in the shell,
          which may not be the same.
          This is really just a minor nitpick, for the record.
          I wouldn't care about this tiny impractical detail either.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 28 mins ago

























          answered 19 hours ago









          janosjanos

          98.3k12125350




          98.3k12125350








          • 1




            $begingroup$
            I had an issue with patterns containing asterisk (e.g. rm -f .*.swp) and that's why I didn't quote $@. Your other advices are taken.
            $endgroup$
            – Weijun Zhou
            16 hours ago










          • $begingroup$
            @WeijunZhou That's a good point. See my updated answer.
            $endgroup$
            – janos
            27 mins ago














          • 1




            $begingroup$
            I had an issue with patterns containing asterisk (e.g. rm -f .*.swp) and that's why I didn't quote $@. Your other advices are taken.
            $endgroup$
            – Weijun Zhou
            16 hours ago










          • $begingroup$
            @WeijunZhou That's a good point. See my updated answer.
            $endgroup$
            – janos
            27 mins ago








          1




          1




          $begingroup$
          I had an issue with patterns containing asterisk (e.g. rm -f .*.swp) and that's why I didn't quote $@. Your other advices are taken.
          $endgroup$
          – Weijun Zhou
          16 hours ago




          $begingroup$
          I had an issue with patterns containing asterisk (e.g. rm -f .*.swp) and that's why I didn't quote $@. Your other advices are taken.
          $endgroup$
          – Weijun Zhou
          16 hours ago












          $begingroup$
          @WeijunZhou That's a good point. See my updated answer.
          $endgroup$
          – janos
          27 mins ago




          $begingroup$
          @WeijunZhou That's a good point. See my updated answer.
          $endgroup$
          – janos
          27 mins ago


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Code Review Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          Use MathJax to format equations. MathJax reference.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f215069%2fdisallow-rm-to-remove%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          How to label and detect the document text images

          Vallis Paradisi

          Tabula Rosettana