Re: Zephyr SDK v0.7.2 - "rm -rf /"


Anderson Lizardo
 

Hi Mads,

On Mon, Mar 14, 2016 at 10:15 PM, Mads Kristiansen
<mkristian(a)outlook.com> wrote:
I downloaded the Zephyr SDK v0.7.2 last night and tried to install it this
morning on my MacBook.

During the installation, I cancelled with ctrl-C and somehow it seems to
have executed a "rm -rf /" (as root).
I was curious on how this could happen. So I unpacked the installer
script (using "--noexec --target somedir --keep options") and looked
at setup.sh. This seems the most relevant snippet:

...
if [ -d $target_sdk_dir ]; then
# If the directory exists, test for write permission
if [ ! -w $target_sdk_dir ] ; then
echo "No permission, please run as 'sudo'"
exit 1
else
# wipe the directory first
read_confirm
if [ "$confirm" = "y" -o "$confirm" = "Y" ]; then
rm -rf $target_sdk_dir/*
else
# Abort the installation
echo "SDK installation aborted!"
exit 1
fi
fi
else
...

The "read_confirm" function should have warned you that the directory
you provided (which I assume was some important directory such as /usr
or even /) was about to be removed:

...
# Read the input "y"
read_confirm () {
echo "The existing directory $target_sdk_dir will be removed! "
if [ "$confirm" != "y" ]; then
echo "Do you want to continue (y/n)? "
while read confirm; do
[ "$confirm" = "Y" -o "$confirm" = "y" -o "$confirm" = "n" \
-o "$confirm" = "N" ] && break
echo "Invalid input \"$confirm\", please input 'y' or 'n': "
done
else
echo
fi
}
...

My opinion is that given the installation script requires wiping the
existing target directory, it would be wise to either blacklist
important directories (/ /usr etc.) or simply exit with failure if the
target directory exists (safest option in my opinion, due to the point
below).

There is the possibility that the read bash function captures buffered
input data prior to the prompt (e.g. if the user unknowingly typed "y"
while the script was unpacking), which is very dangerous in this case.

Obviously my system wont boot now, so I cannot examine this further until I
have it up and running again. Just a heads up and maybe someone should have
a glance at the SDK to make sure noone else gets into the same situation.
Best Regards,
--
Anderson Lizardo

Join devel@lists.zephyrproject.org to automatically receive all group messages.