Re: Zephyr SDK v0.7.2 - "rm -rf /"

Anderson Lizardo <anderson.lizardo@...>

Hi Mads,

On Mon, Mar 14, 2016 at 10:15 PM, Mads Kristiansen
<mkristian(a)> wrote:
I downloaded the Zephyr SDK v0.7.2 last night and tried to install it this
morning on my MacBook.

During the installation, I cancelled with ctrl-C and somehow it seems to
have executed a "rm -rf /" (as root).
I was curious on how this could happen. So I unpacked the installer
script (using "--noexec --target somedir --keep options") and looked
at This seems the most relevant snippet:

if [ -d $target_sdk_dir ]; then
# If the directory exists, test for write permission
if [ ! -w $target_sdk_dir ] ; then
echo "No permission, please run as 'sudo'"
exit 1
# wipe the directory first
if [ "$confirm" = "y" -o "$confirm" = "Y" ]; then
rm -rf $target_sdk_dir/*
# Abort the installation
echo "SDK installation aborted!"
exit 1

The "read_confirm" function should have warned you that the directory
you provided (which I assume was some important directory such as /usr
or even /) was about to be removed:

# Read the input "y"
read_confirm () {
echo "The existing directory $target_sdk_dir will be removed! "
if [ "$confirm" != "y" ]; then
echo "Do you want to continue (y/n)? "
while read confirm; do
[ "$confirm" = "Y" -o "$confirm" = "y" -o "$confirm" = "n" \
-o "$confirm" = "N" ] && break
echo "Invalid input \"$confirm\", please input 'y' or 'n': "

My opinion is that given the installation script requires wiping the
existing target directory, it would be wise to either blacklist
important directories (/ /usr etc.) or simply exit with failure if the
target directory exists (safest option in my opinion, due to the point

There is the possibility that the read bash function captures buffered
input data prior to the prompt (e.g. if the user unknowingly typed "y"
while the script was unpacking), which is very dangerous in this case.

Obviously my system wont boot now, so I cannot examine this further until I
have it up and running again. Just a heads up and maybe someone should have
a glance at the SDK to make sure noone else gets into the same situation.
Best Regards,
Anderson Lizardo

Join to automatically receive all group messages.