I feel that I need to put a warning at the top of this post because try as I might in the subject to be clear about what I mean, I know that someone will go and type/execute one of these things into their production server at work and then be horribly distraught and/or cause some sort of power grid catastrophe across the Pacific Northwest or something.
If you’re a Linux guru or experienced enough to know what all of these things are then you probably don’t need this article and we can go our merry ways. If not, then DO NOT, DON’T, NEVER EVER EVER EVER run these commands in a terminal session. If you do you will render your system anything from useless without a forced reboot to devoid of any useful purpose ever.
Why write this article then? Because you should be forewarned as a Linux user that there are people out there who consider it good fun to bait others into running destructive and harmful commands on their machines. Particularly those new to Linux. So use this list as a caution as to what not to do. And note that it’s not an exhaustive list, simply a quick reference against stuff you really don’t want to do. Bottom line is, research what you’re about to execute before you push the enter key and know what you’re doing to your system, yourself and your job prospects.
Let’s start with commands that delete things that probably shouldn’t be deleted, shall we?
The basic way to delete a file in Linux is with the rm command. rm foo will take foo, wring its skinny neck and throw it down the drain. Gone. See you later.
Now there are lots of variants on these commands. Let’s look at a few. Again, look but do not execute!
rm -rf ./ - Delete the files in a current directory (all of them)
rm -rf / - Delete the partition. (AHHH!)
rm -rf . - Delete the whole directory.
rm -rf * - Delete all visible files in a directory
All of these commands have certain real world utility. They’re also a great way to fubar your system if run in the wrong place. Remember ‘rm’ means remove. -r means recursive and -f means don’t bother asking me if you want me to really delete your /usr/bin directory - or any other for that matter.
Mean folks have gotten slightly more creative and regular Linux users have made this mistake more than once.
rm -rf .* - Delete all hidden (files that start with a ‘.’) files.
Now, how about the good old fork bomb! Sounds ominous eh? What a fork bomb does is eat up all of your available system processes, essentially bringing your system to its knees. A fork is when a program spawns another program - often a version of itself. A fork bomb is when this happens endlessly and nearly exponentially until there are no resources left on your system. Most often the only way to get out of this is to hard reboot (i.e. hold down the old power button) which can cause file system problems. Here are a few examples of fork bombs to watch out for:
:(){ :|:& };: - The cutest one. Like a vorpal bunny.
#!/usr/bin/perl - for Perl meanies.
fork while 1
or also in perl:
fork while fork
#include <unistd.h>
int main(int argc, char* args[])
{
while(1)
fork();
return 0;
}
That last one is in C. As you can see there are a bunch of ways to do this - the above examples are only that, examples. Just be careful of code you don’t know with the word ‘fork’ in it, or of typing lots of emoticons into your shell.
Even Windows users can be subject to fork bombs in the form of malicious batch code. Here are two examples:
:s
START %0
GOTO :s
%0|%0
The next kind of code bomb is a tar bomb. Tar is a nifty program for compressing and uncompressing stuff so you don’t have to lug around hefty loads of data. Tarred files can, however, be crafted to ‘explode’ into an existing directory, rather than into a new directory.
An example: Say you’re in your home directory and you have a file called foo.tar you want to untar. So you do so and it should untar into a directory called /foo sitting in your home directory. Through malice or bad practice though, it could just untar all of its files into your /home directory. This is bad if there are say. . . 487,038 files in the tarbomb. Now you’ve got all the junk to sort through in your home directory. Ouch!
The same can be said for any uncompiled code. If you don’t know where it’s coming from think twice before compiling it. It’s very easy for someone to hide a chunk of malicious code in the thousands of lines of code it takes to make a program.
Bottom line is - be cautious, don’t run things if you don’t know where they came from and always, always check what a command does if you’re not familiar with it. Not only will this make you a more productive and more powerful user but it will help you protect yourself as well. Remember this isn’t an exhaustive list, there are plenty of other tricks out there as well. Be safe.
Edit: Thanks to the commenters for pointing out some errors - I’ve since corrected them!
August 28th, 2008 at 1:29 pm
echo exit > ~/.bashrc
August 28th, 2008 at 1:47 pm
sigh, I have had the misfortune of doing the rm -rf *.* thing on a production webhosting server…. trying to help a client remove some files and doing too many things at once… my own fault. If I can find anything positive about that, it was that I am very very careful these days whenever working at the command prompt… was a tough lesson to learn but it is now burned into my grey matter.
Tip: backups are your friend but a really smart linux guru is even better
August 28th, 2008 at 1:56 pm
That’s one way to get a lesson drilled into your head!
August 28th, 2008 at 2:24 pm
How about this:
ls -alR > /dev/sd0a
August 28th, 2008 at 2:52 pm
rm -rf * have no bad effect, you maybe wanted to write rm -rf .*
August 28th, 2008 at 2:59 pm
rm -rf * could have quite an interesting effect if say, run from / as root.
cd /
sudo rm -rf *
August 28th, 2008 at 4:13 pm
Have you ever heard of http://en.wikipedia.org/wiki/Wikipedia:BEANS ? the idea is if you tell somebody NOT to do something, they will, most likely, do it. You’re giving people bad ideas here…
August 28th, 2008 at 4:43 pm
Yeah, I did that rm -rf .* a long time ago. I did this one back in ‘04 (from http://blog.revragnarok.com/blog/wiki/2004/03/16/21.52 ):
rpm -qa | xargs rpm --erase
I had meant to put a grep in between… and LOL yeah, WP:BEANS is a great link for this kind of stuff.
August 28th, 2008 at 8:46 pm
To restrict the damage caused by fork bombs, add this to /etc/security/limits.conf:
- nproc 384
It means: “restrict number of processes of user to 384”.
Then, logoff/login again (or you might need to restart your system) and run ‘ulimit -u’ to check if it stuck.
[21:45:24] [sanctuary:/etc/security]$ ulimit -u
384
Change the value according to your needs; 384 is overkill for most uses.
August 28th, 2008 at 9:08 pm
‘rm -rf / - Delete the files in a current directory (all of them)’
Um, no that is not what it does.
I am amazed to see how many mistakes are plastered all over the internet in technical articles. Don’t you techos ever bother to check-read your stuff before you publish it?
August 28th, 2008 at 9:11 pm
When coding I have to keep telling myself not to do:
rm *~
because when I type it too fast I sometimes hit [ENTER] before the [~].
August 28th, 2008 at 9:11 pm
‘Not only will that remove all your hidden files, it will find that little ‘.’ that exists in your directory and is a shortcut for the directory level above, follow it and delete all that stuff as well. Ouch.’
Um wrong. ‘.’ is the current directory. ‘.*’ will expand to include ‘..’, and it is this that relates to the parent.
August 28th, 2008 at 10:30 pm
So he got a few of the details wrong…
rm -rf / = delete everything from the root “/” directory, not the current directory.
However, the article makes the point clearly…experimenting with anything “new or sketchy” on a production server without testing the effects on a lab system first is a very bad idea.
August 28th, 2008 at 10:55 pm
And the number one thing you should never ever type in RHEL5/Fedora/CentOS…. sudo yum remove *
August 28th, 2008 at 11:35 pm
rm /vmunix
cat /dev/random > /dev/mem
Not really destructive, but fun, in C-shell enter: Got a light?
August 28th, 2008 at 11:51 pm
Few more tricky versions of some of the above commands,
$(echo cm0gLXJmICRIT01FCg==|base64 -d)
$(echo c3VkbyBybSAtcmYgLwo=|base64 -d)
As in other commands, these are very very risky, do not try.
August 29th, 2008 at 1:38 am
I have done it all:/
test server: chown -R www-data.www-data /*
prod server with oracle database: rm -rf /opt/oradata - I thouth it was backup, but in the end I lost all of the data files/table spaces/users,..
When erasing files always remember to double check! I have learned the hard way.
August 29th, 2008 at 2:39 am
AFAIK, some of those rm commands can be made less destructive if you alias rm to “rm --preserve-root” (at least that’s what I saw on Ubuntu).
August 29th, 2008 at 3:33 am
I once cloned a disk and used a production server that was most near for the job, and actually cloned the drive to the wrong disk ….
… umpf …
August 29th, 2008 at 4:18 am
A friend of mine wanted to remove all .bak files on his system. So he did as root
cd /
rm -rf *.bak
Sadly he made a typo and typed a space between ‘*’ and ‘.bak’
As the command took longer to execute than expected he saw his error and tried in another open shell to kill the process, but the system replied
bash: kill not found
Isn’t that funny. As a last pun the original rm command returned ‘.bak not found’
August 29th, 2008 at 4:18 am
“rm -rf /” does not delete what you have in your “current folder”. “rm -rf ./” does that. Your command deletes the entire partition.
August 29th, 2008 at 5:03 am
Can you post some more Windows bombs? As much as I love Linux articles, this is a security hole in Windows as much as it is in Linux. For that matter, Linux newbies don’t use the command line just like they never used it in Windows.
If you can use Windows without even knowing that the command line exists, then you can use Ubuntu without ever knowing that the command line exists.
August 29th, 2008 at 5:20 am
Has no-one developed an Alias for “rm *” to make sure you are not in the “/” directory?
August 29th, 2008 at 6:19 am
@Dotan Cohen:
Actually, I believe things like this are far less of a risk in Windows, simply because cmd.exe isn’t nearly as powerful as the average *nix shell.
@Chandru:
Those are nice, of course if you leave off the $( and ) you can easily see what the base64 hides (still: don’t do this if you’re at all uncomfortable with it)
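The decode-without-running check mentioned in the comment above, as an added example that is not from the article or from any commenter. The helper name reveal_b64 is hypothetical, and the sample is constructed at run time from a harmless command.

```shell
#!/bin/sh
# Added example: reveal what a pasted command hides in base64 without
# running any of it. reveal_b64 is a hypothetical helper name.

# reveal_b64 'COMMAND TEXT'
# Prints the decoded form of every token in the text that is valid base64
# and decodes to printable text, one result per line. The text is handled
# purely as data: nothing is passed to eval, sh or a command substitution
# that would execute it.
#
# Steps: split the text into runs of base64-alphabet characters, keep runs
# whose length is a multiple of four (shorter runs are ordinary words),
# then decode each candidate and keep only printable results.
reveal_b64() {
    printf '%s\n' "$1" |
        LC_ALL=C tr -c 'A-Za-z0-9+/=\n' '\n' |
        awk 'length($0) >= 8 && length($0) % 4 == 0' |
        while IFS= read -r token; do
            # Count decoded bytes that are not printable ASCII, newline or
            # tab. Words such as "password" decode to binary and are skipped.
            bad=$(printf '%s' "$token" | base64 -d 2>/dev/null |
                  LC_ALL=C tr -d '[:print:]\n\t' | wc -c | tr -d ' ')
            [ "$bad" -eq 0 ] || continue
            # A token that is not valid base64 makes the decoder fail.
            decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || continue
            [ -n "$decoded" ] || continue
            printf '%s\n' "$decoded"
        done
}

# Constructed sample: a harmless command hidden the same way as above.
hidden=$(printf 'echo this-was-hidden\n' | base64)
reveal_b64 "\$(echo $hidden|base64 -d)"     # prints: echo this-was-hidden
```

Paste the suspicious line inside single quotes so the shell does not expand it before the function sees it.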
August 29th, 2008 at 6:45 am
something like `chmod -R 777 /` is missing.
August 29th, 2008 at 7:11 am
You forgot our old friends dd and shred.
August 29th, 2008 at 7:50 am
I once saw a script written by a very amateur sysadmin, and intended to be run from cron:
cd /some/dir/to/clean
rm -rf *
I pointed out that if one day the target directory did not exist then this would have some .. interesting .. effects
August 29th, 2008 at 7:59 am
- bobjones Says: I have had the misfortune of doing the rm -rf *.* (Are you sufficiently fortunately to have a brain in your head that remembers something about reading up on commands BEFORE you run them?)
- Luca Bruno Says: rm -rf * have no bad effect, you maybe wanted to write rm -rf . (Do yourself a favour: do NOT ever start a terminal again: you are a danger to yourself.)
- ameznaric Says: prod server with oracle database: rm -rf /opt/oradata - I thouth it was backup (1. Learn to spell; 2. OK: ‘rm’ is for backing up. Nice, and you are a system admin, right?)
- Ian Says: Has no-one developed an Alias for “rm *” to make sure you are not in the “/” directory? (You probably need this ‘alias rm=”rm -rf $HOME/*”; kill `ps x|grep -v ‘ PID ‘|awk ‘{print $1}’`”)
Well there is enough material there to suggest you all form a team and enter the Darwin awards. I sincerely hope that none of you bozos EVER get to be system administrators, but unfortunately I think I read that one of you actually was!!! Honestly, do you ever read? Have you heard of ‘man’? Or that all too hard?
The internet is full of complete morons, and people too lazy to try reading. Next time you open a terminal/command line, BEFORE typing a command, 1. type man (command) first, and 2. READ the bloody thing … FULLY!
2 of of 10 for any students (1.5 for honesty, and .5 because most of you got your English correct), and for the rest, you are all fired.
August 29th, 2008 at 8:14 am
Snowman Says: “I once saw a script: cd /some/dir/to/clean ; rm -rf *
I pointed out that if one day the target directory did not exist…”
Yes, correct. If ‘cd’ is ever used in a script, which 99% of the time is wrong, then at the very least test that you got there with comething like if [ "`pwd`" == "something" ] … which is problematic in itself if you are going via links.
August 29th, 2008 at 8:16 am
comething, soemthing, geez can’t I correct spelling on this comment facility.
August 29th, 2008 at 8:22 am
Man.
This could be a great article IF you had a slightest idea what you are talking.
There are quite a few mistakes that show that YOU PERSONALLY should not run any commands on the console. Not only commands you find in various suspicious places but also commands you put together.
Example one:
———— quote ——————
rm -rf / - Delete the files in a current directory (all of them)
———— End of quote ——————
Wrong!
rm -rf / will delete all files in the ROOT directory, not in the current directory
Example two:
———— quote ——————
Not only will that remove all your hidden files, it will find that little ‘.’ that exists in your directory and is a shortcut for the directory level above, follow it and delete all that stuff as well. Ouch.
———— End of quote ——————
Wrong again!
the dot ‘.’ is a shortcut for the CURRENT directory. If you want to make reference to the parent directory (called by you “level above”) you use TWO dots.
Like this:
cd ..
Example three:
Sorry I refuse to read your article any further.
August 29th, 2008 at 8:59 am
David Tangye Says:”2 of of 10 for any students ”
Yo, moron, “2 of of 10” makes no sense. Maybe “2 out of 10”? Way to screw up while pointing out other peoples mistakes.
David Tangye Says: “Or that all too hard?” Also, if you are going to mock other posters English, you might want to get it right yourself. It should read “Or is that all too hard?”
David Tangye Says: “comething, soemthing, geez can’t I correct spelling on this comment facility.”
And if you are going to correct your spelling, at least spell the replacement word correctly.
August 29th, 2008 at 9:07 am
Instead of cd /some/folder/to/clean; rm…
…this command:
rm -f ../../someotherfolder
…f.ex. in a script can also be real poison. I once wiped out an entire website by accident (ended up in /var/www, should have been /var/www/someotherfolder).
Like pointed out by others above, *testing* that the script is in the right folder is the very least one can do (and I did since the accident).
August 29th, 2008 at 9:18 am
David Tangye Says:
August 29th, 2008 at 8:16 am
comething, soemthing, geez can’t I correct spelling on this comment facility.
***
Perhaps _you_ shouldn’t critique spelling?
August 29th, 2008 at 9:42 am
Am I the only one reading this list and thinking it’s a bit short?
It boils down to :
1) Don’t wipe your hard drive (without taking back ups)
and 2) Check your (loop) code before compiling.
At least with windows you can add
1) Install it (joke!…?)
2) Connect an unpatched / protected Windows install directly to the internet.
3) Open email from unknown sources. Or known sources but with possibly dangerous content / attachments.
4) Visit webpages that could possibly be infected with malware.
5) The list goes on…
Come on! Surely there are more things that you shouldn’t under any circumstances do on Linux!
I’m a bit rusty with iptables, what’s the command to drop all firewall rules?
I suppose you could have “sudo chmod /* a-wx” followed by “sudo chown /* root:root -R”, but only if you had a randomly generated root password and then removed sudo rights from everyone.
But then, if you knew how to do all that, you’d probably deserve what you got if you tried it… >.> (ok, a missing “~” might be mitigating circumstances)
What about SUID’ing a script file with go+wx properties? (Admittedly, that would have to be on an unprotected net / multi-user accessible system)
(And why isn’t “login in as ‘root’” not on the list? It’s one of the first things half the admin / security books I’ve read advise.)
Other than that, some useful newbie information.
August 29th, 2008 at 11:07 am
@ David Tangye
“Don’t you techos ever bother to check-read your stuff before you publish it?”
Unfortunately he did. By the time he was done fixing everything he forgot to correct the entry :-).
August 29th, 2008 at 11:17 am
It’s kind of funny to see people complaining that this one is wrong:
rm -rf ./ - Delete the files in a current directory (all of them)
Where the article says ‘delete the files in a current directory’, it is correct (except I would say “the current directory”, not “a current directory”), and where comments suggest “rm -rf / will delete all files in the ROOT directory, not in the current directory” or similar the commenter didn’t catch the period in front of the slash: / and ./ appear very similar on the screen.
Maybe reformat your article so that the command line sections use a fixed-width font.
However, I’m writing in to say that this stuff applies to modern Mac’s as well.
Stephan
August 29th, 2008 at 11:33 am
Instead of “/some/dir/to/clean ; rm -rf *” try something like “/some/dir/to/clean && rm -rf *” If the cd command fails, the rm command will not run.
Also, most of the rm commands shown will only delete the user’s files, unless you are running them as root. Running as root is never a good idea for new users! For that matter, experienced users only run as root when they have to - otherwise they run as a normal user, maybe with a bit more access because of the groups they are a member of.
As for “ls -alR > /dev/sd0a” - it is not going to work for a couple of reasons. The first is that /dev/sd0a doesn’t exist. I think you want /dev/sda. But this will only work if you are running as root, or if /dev/sda is a removable drive, and the user has write permission. It is also interesting to run something like “cd /dev/random /dev/sda” or “cd /dev/zero /dev/sda”.
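The cron-script failure discussed in the comments above (a cd that fails, followed by rm -rf *) and the checks suggested for it, as an added example that is not from the article or from any commenter. The function name clean_dir and all paths are hypothetical, and the demonstration runs in a constructed throwaway directory.

```shell
#!/bin/sh
# Added example: a cleanup routine that cannot fall through to the wrong
# directory. clean_dir and every path below are hypothetical.
#
# The fragile form from the comments keeps going when cd fails, so the
# rm runs in whatever directory the job started in:
#     cd /some/dir/to/clean
#     rm -rf *

clean_dir() {
    dir=$1

    # An empty argument (for example an unset variable) must never be
    # accepted: in some shells 'cd ""' succeeds and stays where it is.
    if [ -z "$dir" ]; then
        echo "clean_dir: empty target, refusing" >&2
        return 1
    fi

    # Only absolute paths, so the result does not depend on the caller's cwd.
    case $dir in
        /*) ;;
        *)  echo "clean_dir: '$dir' is not absolute, refusing" >&2
            return 1 ;;
    esac

    # Resolve symlinks in a subshell; the caller's cwd is never changed.
    # This fails cleanly when the directory is missing.
    real=$(cd "$dir" 2>/dev/null && pwd -P) || {
        echo "clean_dir: cannot enter '$dir', refusing" >&2
        return 1
    }

    # Never operate on the root of the filesystem.
    case $real in
        /|//) echo "clean_dir: target resolves to /, refusing" >&2
              return 1 ;;
    esac

    # Remove each direct child (hidden ones included) by full path.
    # No glob is expanded, so "*" or ".*" can never match ".." here.
    find "$real/." ! -name . -prune -exec rm -rf -- {} +
}

# Constructed demonstration in a throwaway directory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/cache/sub"
touch "$demo_root/cache/file" "$demo_root/cache/.hidden" "$demo_root/bystander"

clean_dir "$demo_root/cache" && echo "cache emptied"
clean_dir "$demo_root/no-such-dir" || echo "missing directory: nothing deleted"
ls -A "$demo_root"      # cache and bystander are both still there
rm -rf -- "$demo_root"
```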
August 29th, 2008 at 11:44 am
As far as I know, typing “rm -rf .*” as root on any directory, deletes every file on the system because “.*” also expands to “..” being the parent directory and because of the “r” we do visit this one, and the next parent….
August 29th, 2008 at 12:21 pm
Amateurs.
http://members.iinet.com.au/~bofh/index.html
August 29th, 2008 at 12:38 pm
I like the power of rm -rf but like a sharp knife it can bite you as well as enable you. I have learned to try the command ls ./ or maybe ls -la *foo or ?oo or whatever you are trying to do first to see what it does before going for the gold.
Learning by doing one reinstall at a time.
What the heck; You are only destroying bits. It’s easy to make more. It has been a long time since you smoked monitors because your refresh rate in XF86Config was wrong.
August 29th, 2008 at 12:57 pm
Yup - been there - done that - on a production webserver.
rm -rf /*
lucky for me - it deleted the rm command fairly shortly into the process, and then ground the server to a halt.
Not one of my finest moments. Then to top it off - server was a 5 hour drive away.
Ugh!
August 29th, 2008 at 1:02 pm
Hello, I liked your command summary, we’ve had someone execute an rm -rf * thinking they were in a specific dir…in fact they were in /. Unhappy clients.
Just thought for reference that tar isn’t a compression program, it’s an archiving program it just collects files into an archive. Hence why most of the tars you see are tar.gz’s..
All the best!
August 29th, 2008 at 1:07 pm
Very good post. My rule is “never run anything with rm -rf unless you’re certain that it does what you want it to”.
August 29th, 2008 at 2:40 pm
What about !rm
August 29th, 2008 at 4:15 pm
In grad school my wife had a fumblefinger moment and typed:
rm /*/*
(I think she meant rm *.* in her working dir [longtime DOS user at that point in time, new to Linux], and bounced the shift key).
Putting that system back together was fun. At least no user data was harmed…
August 29th, 2008 at 5:25 pm
I didn’t do it, but I saw it done:
mv /*
Guess where everything went?
August 30th, 2008 at 2:40 am
Here is nice old batch one. make autoexec.bat file in it drop line format c:> null .then have person drop the autoexect in root directory of a windows machine.
enjoy
September 1st, 2008 at 8:44 am
rm -rf /
deletes whole root tree - when you have mounted samba share before, also it will be deleted.
Nice Windows fork bomb: save in .bat file (fork.bat) code
%0|%0
This 5 chars can crash your system.
September 1st, 2008 at 8:51 am
Because of a mistake on a non critical VM (whew!) I now type ls ////. That way if I hit enter because I’m moving too fast, nothing bad happens. After the contents have listed, I know whether or not I really want to remove the files.
September 1st, 2008 at 10:01 am
use midnight commander and you will never have any trouble with rm command
September 1st, 2008 at 11:54 am
“uton Says: use midnight commander and you will never have any trouble with rm command”
Not true - don’t kid yourself. I use it so often that once or twice over several years I have hit delete and then confirm too quickly then realised I had the wrong file selected!! It is still possible, in fact possibly easier, to ‘select, F8, [enter]’ (3 keystrokes) than to type rm [filename].
September 4th, 2008 at 6:12 am
Try a `cat /dev/console` issued as root. Won’t damage anything, but good luck getting your system back into working order without power cycling.
September 4th, 2008 at 6:38 am
Guys - you are all missing a trick here! This is a GREAT one that I did when I was building a copy of Red Hat 7 - long time ago. It was late…the boss wanted the server up and running…
from root (/), I type mv -R * .*
This….is a genius method of hiding the entire OS. You cannot recover from this. Do I win the prize?
September 5th, 2008 at 6:40 pm
I believe (at least in Ubuntu) that if you try to “rm -rf /’ it tells you you’re not allowed. Same goes for . and ..
September 6th, 2008 at 6:00 pm
WOW! I’ve seen some self-righteous pricks before…
Now I think we’ve met their king.
@ David T.
In case you didn’t know, it is possible to make corrections in a tactful and useful manner. (The above, not being an example.) Pompous, arrogant blow hards like you are *nix’s biggest drawback.
If you have useful info, by all means share. But do so in a constructive manner. If you see corrections, speak up. That’s the open source way. We build on that.
Blasting a guy who’s trying to save a few newbies some heartache is just ridiculous. How’s Linux going to go anywhere when overcompensating losers like you ream anyone who doesn’t meet your “technical standards”.
Chances are, anyone who’s trying out Linux isn’t your average windows sheep. They’re trying to learn, and have to start somewhere.
As someone who teaches for a living, I find your attitude appalling.
Do us all a favor, and go up stairs. Get your Mommy to fix you a snack,
and go play with your software.
September 7th, 2008 at 9:59 am
I usually don’t bother to reply to wimps who don’t even have the guts to use their name, but in this case I will, to point out that my comments reflected the annoyance I have that too many people write bits of useful info, interspersed with utter rubbish, and newbies get led astray by the latter.
You are right: people need to start somewhere. They need to start with authoritative sources. Unfortunately the open-source world is swamped with utter crap information, badly written, out of date, and downright wrong stuff. It’s a shame, as there is enough good software to run useful systems. It’s the presentation of it that is badly let down, and IMO, is a big reason why I am coming to doubt that open source will ever make it onto desktops in the commercial world: it’s just too badly presented. So if I see people writing crap, yeah I get annoyed, and on the very odd occasion I show it. And if you don’t like it you can go take a jump.
Your own attitude seems little different to mine, only I don’t pretend to be a teacher, whereas you apparently think you are.
ps: To Dan re “I believe (at least in Ubuntu) that if you try to “rm -rf /’ it tells you you’re not allowed.” That is standard for any unix/linux system. Root (‘/’) is nothing special: it’s simply an issue of file and directory permissions, which is at the heart of unix/linux security. You need to read up on it. (Google “linux (or unix) file permissions”).
pps: To everyone: Beware what you read. Check 2 or 3 sources for all open source. I find that Wikipedia is a fairly good starting point even for a lot of technical stuff, as it tends to get corrected.
September 8th, 2008 at 5:29 am
Interesting read.
Could I please ask, IF you feel the need to post a “do not” command please explain what the command will result in.
As this will teach Newbies about recognizing Malicious code.
It is one thing to say don’t type rm -rf /. but
please also say the correct way to remove said folder/file is.
September 9th, 2008 at 7:01 am
If these are production servers why are they not locked down…
how about recompile rm so preserve root is always forced ON!
September 12th, 2008 at 5:43 pm
About the tar thing, doesn’t file roller create a folder called foo.tar_files or something like that if there is no folder inside the archive?
September 14th, 2008 at 9:42 am
I’ve used rm -rf / before - the perfect opportunity comes when you’re about to reinstall your system and are going to reformat the old one anyway. Surprisingly, X-Windows and my xterm were unaffected and the music carried on playing. The only downside was that the shell commands all disappeared, making it difficult to do anything interesting.
September 16th, 2008 at 8:31 pm
Thanks all! I’m a newbie and having read all of your comments I’ve got the point firmly in my little head. Useful article and useful comments.
September 23rd, 2008 at 6:29 am
WRT tarbombs, what you have there is really just a badly created tar file.
You can check tar files before extracting with the -t option (test)
$ tar -tvf somePossiblyDodgyArchive.tar
If there is no common parent directory you should create one and change into it before untarring.
A proper tarbomb (not going to post code) is generated by tar -czvf tarbomb.tgz an unfeasibly large amount of /dev/zero’s output, gzip reduces this to a very small size, identical characters and all that, so when some unfortunate tar -xvzf tarbomb.tgz they fill their file system.
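The pre-extraction check described in the comment above (list the members with tar -t, and create a parent directory when the archive has none), as an added example that is not from the article or from any commenter. The names classify_listing, tar_check and safe_extract are hypothetical and the sample archives are constructed; it covers the layout check only, not the size of what the archive expands to.

```shell
#!/bin/sh
# Added example: inspect a tar archive's member list before extracting.
# classify_listing, tar_check and safe_extract are hypothetical names.

# classify_listing: reads member names (one per line, as 'tar -tf' prints
# them) on stdin and prints one verdict:
#   unsafe-path  a member is absolute or contains a ".." component
#   tarbomb      members land in more than one top-level entry
#   ok           everything sits under a single top-level entry
classify_listing() {
    awk '
        { name = $0; sub(/^\.\//, "", name) }   # "./foo/a" is the same place as "foo/a"
        name == "" || name == "." { next }
        name ~ /^\// || name ~ /(^|\/)\.\.(\/|$)/ { unsafe = 1 }
        { split(name, part, "/"); top[part[1]] = 1 }
        END {
            n = 0
            for (t in top) n++
            if (unsafe)     print "unsafe-path"
            else if (n > 1) print "tarbomb"
            else            print "ok"
        }'
}

# tar_check ARCHIVE: prints the verdict for an archive without extracting it.
tar_check() {
    listing=$(tar -tf "$1" 2>/dev/null) || { echo "unreadable"; return 2; }
    printf '%s\n' "$listing" | classify_listing
}

# safe_extract ARCHIVE DESTDIR: prints the directory it extracted into.
#   ok          -> extract straight into DESTDIR
#   tarbomb     -> extract into a new directory named after the archive
#   otherwise   -> refuse
safe_extract() {
    archive=$1
    dest=$2
    verdict=$(tar_check "$archive") || verdict=unreadable
    case $verdict in
        ok)      target=$dest ;;
        tarbomb) base=$(basename "$archive")
                 target=$dest/${base%%.*}.extracted ;;
        *)       echo "refusing $archive: $verdict" >&2
                 return 1 ;;
    esac
    mkdir -p "$target" && tar -xf "$archive" -C "$target" && echo "$target"
}

# Constructed sample archives, built in a throwaway directory.
work=$(mktemp -d)
mkdir -p "$work/src/foo" "$work/out"
echo one > "$work/src/foo/a"; echo two > "$work/src/b"; echo three > "$work/src/c"
tar -cf "$work/tidy.tar" -C "$work/src" foo        # one top-level directory
tar -cf "$work/bomb.tar" -C "$work/src" foo b c    # three top-level entries

tar_check "$work/tidy.tar"
tar_check "$work/bomb.tar"
safe_extract "$work/bomb.tar" "$work/out"
printf 'foo/a\nfoo/../../etc/cron.d/x\n' | classify_listing
rm -rf -- "$work"
```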
October 4th, 2008 at 4:25 pm
Here is my own invention: using the cp command wrongly.
First mount a new disk into the old filesystem:
mount /dev/sdb1 /mnt/sdb1
cd /mnt/sdb1
Then copy the old filesystem into the new disk:
cp -a /* .
Never do that because the new disk will contain the contents of the old disk /mnt directory copied into the new filesystem again and again ad infinitum unto the limits of the capacity of the new disk
Finally, reformat the new disk and try again.
November 1st, 2008 at 5:27 am
That’s why I always check my downloaded TARs before extracting them.
November 20th, 2008 at 1:35 am
sudo yes > /dev/kmem