devel@lists.zephyrproject.org | Zephyr SDK v0.7.2

Mads Kristiansen <mkristian@...>

I downloaded the Zephyr SDK v0.7.2 last night and tried to install it this morning on my MacBook.
During the installation, I cancelled with ctrl-C and somehow it seems to have executed a "rm -rf /" (as root).
Obviously my system wont boot now, so I cannot examine this further until I have it up and running again. Just a heads up and maybe someone should have a glance at the SDK to make sure noone else gets into the same situation.
/ Mads

attachment.html

Anderson Lizardo <anderson.lizardo@...>

#2571

Hi Mads,

On Mon, Mar 14, 2016 at 10:15 PM, Mads Kristiansen
<mkristian(a)outlook.com> wrote:
I downloaded the Zephyr SDK v0.7.2 last night and tried to install it this
morning on my MacBook.

During the installation, I cancelled with ctrl-C and somehow it seems to
have executed a "rm -rf /" (as root).I was curious on how this could happen. So I unpacked the installer
script (using "--noexec --target somedir --keep options") and looked
at setup.sh. This seems the most relevant snippet:

...
if [ -d $target_sdk_dir ]; then
    # If the directory exists, test for write permission
    if [ ! -w $target_sdk_dir ] ; then
        echo "No permission, please run as 'sudo'"
        exit 1
    else
        # wipe the directory first
        read_confirm
        if [ "$confirm" = "y" -o "$confirm" = "Y" ]; then
            rm -rf $target_sdk_dir/*
        else
            # Abort the installation
            echo "SDK installation aborted!"
            exit 1
        fi
    fi
else
...

The "read_confirm" function should have warned you that the directory
you provided (which I assume was some important directory such as /usr
or even /) was about to be removed:

...
# Read the input "y"
read_confirm () {
  echo "The existing directory $target_sdk_dir will be removed! "
  if [ "$confirm" != "y" ]; then
      echo "Do you want to continue (y/n)? "
      while read confirm; do
          [ "$confirm" = "Y" -o "$confirm" = "y" -o "$confirm" = "n" \
            -o "$confirm" = "N" ] && break
          echo "Invalid input \"$confirm\", please input 'y' or 'n': "
      done
  else
      echo
  fi
}
...

My opinion is that given the installation script requires wiping the
existing target directory, it would be wise to either blacklist
important directories (/ /usr etc.) or simply exit with failure if the
target directory exists (safest option in my opinion, due to the point
below).

There is the possibility that the read bash function captures buffered
input data prior to the prompt (e.g. if the user unknowingly typed "y"
while the script was unpacking), which is very dangerous in this case.

Obviously my system wont boot now, so I cannot examine this further until I
have it up and running again. Just a heads up and maybe someone should have
a glance at the SDK to make sure noone else gets into the same situation.Best Regards,
-- 
Anderson Lizardo

Nashif, Anas

#2573

Mads,

Were you trying to install the SDK on Mac OS?
If yes, this issue will be addressed in the latest SDK drop which will be released today.

Anas

Show quoted text

On 14 Mar 2016, at 22:15, Mads Kristiansen <mkristian(a)outlook.com> wrote:

I downloaded the Zephyr SDK v0.7.2 last night and tried to install it this morning on my MacBook.

During the installation, I cancelled with ctrl-C and somehow it seems to have executed a "rm -rf /" (as root).

Obviously my system wont boot now, so I cannot examine this further until I have it up and running again. Just a heads up and maybe someone should have a glance at the SDK to make sure noone else gets into the same situation.

/ Mads

Mads Kristiansen <mkristian@...>

#2574

Hi Anas,
Yes, that is correct. I was installing it on OSX. Cannot really give more details about what happened except that I pressed ctrl-C during the installation. It was the only shell I had open at that moment, so I am pretty sure it was caused by the SDK.
Best regards, Mads

Show quoted text

From: anas.nashif(a)intel.com
To: mkristian(a)outlook.com
Date: Tue, 15 Mar 2016 15:13:12 +0000
CC: devel(a)lists.zephyrproject.org
Subject: [devel] Re: Zephyr SDK v0.7.2 - "rm -rf /"

Mads,

Were you trying to install the SDK on Mac OS?
If yes, this issue will be addressed in the latest SDK drop which will be released today.

Anas

On 14 Mar 2016, at 22:15, Mads Kristiansen <mkristian(a)outlook.com> wrote:

I downloaded the Zephyr SDK v0.7.2 last night and tried to install it this morning on my MacBook.

During the installation, I cancelled with ctrl-C and somehow it seems to have executed a "rm -rf /" (as root).

Obviously my system wont boot now, so I cannot examine this further until I have it up and running again. Just a heads up and maybe someone should have a glance at the SDK to make sure noone else gets into the same situation.

/ Mads

attachment.html

Mads Kristiansen <mads.kristiansen@...>

#2585

Yes, this is probably what happened :)

Show quoted text

On 15/03/16 23:05, "Anderson Lizardo" <anderson.lizardo(a)gmail.com> wrote:

Hi Mads,

On Mon, Mar 14, 2016 at 10:15 PM, Mads Kristiansen
<mkristian(a)outlook.com> wrote:
I downloaded the Zephyr SDK v0.7.2 last night and tried to install it this
morning on my MacBook.

During the installation, I cancelled with ctrl-C and somehow it seems to
have executed a "rm -rf /" (as root).I was curious on how this could happen. So I unpacked the installer
script (using "--noexec --target somedir --keep options") and looked
at setup.sh. This seems the most relevant snippet:

...
if [ -d $target_sdk_dir ]; then
   # If the directory exists, test for write permission
   if [ ! -w $target_sdk_dir ] ; then
       echo "No permission, please run as 'sudo'"
       exit 1
   else
       # wipe the directory first
       read_confirm
       if [ "$confirm" = "y" -o "$confirm" = "Y" ]; then
           rm -rf $target_sdk_dir/*
       else
           # Abort the installation
           echo "SDK installation aborted!"
           exit 1
       fi
   fi
else
...

The "read_confirm" function should have warned you that the directory
you provided (which I assume was some important directory such as /usr
or even /) was about to be removed:

...
# Read the input "y"
read_confirm () {
 echo "The existing directory $target_sdk_dir will be removed! "
 if [ "$confirm" != "y" ]; then
     echo "Do you want to continue (y/n)? "
     while read confirm; do
         [ "$confirm" = "Y" -o "$confirm" = "y" -o "$confirm" = "n" \
           -o "$confirm" = "N" ] && break
         echo "Invalid input \"$confirm\", please input 'y' or 'n': "
     done
 else
     echo
 fi
}
...

My opinion is that given the installation script requires wiping the
existing target directory, it would be wise to either blacklist
important directories (/ /usr etc.) or simply exit with failure if the
target directory exists (safest option in my opinion, due to the point
below).

There is the possibility that the read bash function captures buffered
input data prior to the prompt (e.g. if the user unknowingly typed "y"
while the script was unpacking), which is very dangerous in this case.

Obviously my system wont boot now, so I cannot examine this further until I
have it up and running again. Just a heads up and maybe someone should have
a glance at the SDK to make sure noone else gets into the same situation.Best Regards,
-- 
Anderson Lizardo

Poussa, Sakari

#2583

Hi,

I had the same issue earlier. I filed the bug which wasn’t able to save you, Mads.

https://jira.zephyrproject.org/browse/ZEP-88

I was lucky enough not to run it under root.

Sakari

From: Mads Kristiansen <mkristian(a)outlook.com<mailto:mkristian(a)outlook.com>>
Date: To: "Nashif, Anas" <anas.nashif(a)intel.com<mailto:anas.nashif(a)intel.com>>
Cc: "devel(a)lists.zephyrproject.org<mailto:devel(a)lists.zephyrproject.org>" <devel(a)lists.zephyrproject.org<mailto:devel(a)lists.zephyrproject.org>>
Subject: [devel] Re: Re: Zephyr SDK v0.7.2 - "rm -rf /"

Hi Anas,

Yes, that is correct. I was installing it on OSX. Cannot really give more details about what happened except that I pressed ctrl-C during the installation. It was the only shell I had open at that moment, so I am pretty sure it was caused by the SDK.

Best regards, Mads

Show quoted text

From: anas.nashif(a)intel.com<mailto:anas.nashif(a)intel.com>
To: mkristian(a)outlook.com<mailto:mkristian(a)outlook.com>
Date: Tue, 15 Mar 2016 15:13:12 +0000
CC: devel(a)lists.zephyrproject.org<mailto:devel(a)lists.zephyrproject.org>
Subject: [devel] Re: Zephyr SDK v0.7.2 - "rm -rf /"

Mads,

Were you trying to install the SDK on Mac OS?
If yes, this issue will be addressed in the latest SDK drop which will be released today.

Anas

On 14 Mar 2016, at 22:15, Mads Kristiansen <mkristian(a)outlook.com<mailto:mkristian(a)outlook.com>> wrote:

I downloaded the Zephyr SDK v0.7.2 last night and tried to install it this morning on my MacBook.

During the installation, I cancelled with ctrl-C and somehow it seems to have executed a "rm -rf /" (as root).

Obviously my system wont boot now, so I cannot examine this further until I have it up and running again. Just a heads up and maybe someone should have a glance at the SDK to make sure noone else gets into the same situation.

/ Mads