Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • September 25, 2016, 09:04:30 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: *NIX - Problem with Steam shellscript may delete user files  (Read 2965 times)

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,763
    • View Profile
    • Donate to Member
*NIX - Problem with Steam shellscript may delete user files
« on: January 18, 2015, 08:59:06 AM »
This from The Register:

Quote
Scary code of the week: Valve Steam CLEANS Linux PCs (if you're not careful)
Dodgy shell script triggers classic rm -rf /

17 Jan 2015 at 12:00, Shaun Nichols


Linux desktop gamers should know of a bug in Valve's Steam client that will, if you're not careful, delete all files on your PC belonging to your regular user account.
.
.
.
The issue was traced to a shell script variable that's supposed to contain a filesystem path, but can end up empty if Steam's files are moved or missing, and is passed as an argument to rm -rf.

Soon to be fixed no doubt - but still something to be aware of until it is. Full article here.
 :tellme:

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,841
    • View Profile
    • Donate to Member
Re: *NIX - Problem with Steam shellscript may delete user files
« Reply #1 on: January 18, 2015, 06:30:39 PM »
Woa.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,763
    • View Profile
    • Donate to Member
Re: *NIX - Problem with Steam shellscript may delete user files
« Reply #2 on: January 18, 2015, 08:45:02 PM »
^ Yeah. Except the first word that popped into my head wasn't 'woa.'

31451391.jpg
« Last Edit: January 21, 2015, 02:32:07 PM by 40hz »

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 7,640
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: *NIX - Problem with Steam shellscript may delete user files
« Reply #3 on: January 19, 2015, 12:35:46 PM »
Yikes!


TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,548
    • View Profile
    • Donate to Member
Re: *NIX - Problem with Steam shellscript may delete user files
« Reply #4 on: January 19, 2015, 01:05:19 PM »

As a newbie question, I am responding to these bits:

-----------

# Scary!
rm -rf "$STEAMROOT/"*

Yes, $STEAMROOT can end up being empty, but no check is made for that. Notice the # Scary! line, an indication the programmer knew there was the potential for catastrophe.

-----------------------

So is this a bug?! Or a hack?

How does a line like "rm -rf "$STEAMROOT/"*" even begin to have a legit purpose?

And then how does a programmer label something "scary" and do nothing about it?

I'm missing the meta-story here. Given the number of "blah" security reports on random "vulnerabilities", wouldn't this rocket to the top of someone's to-do list to investigate?

Did someone bulldoze the programmer, who then felt trapped and the best be could do was add "scary", counting on the tech media to somehow do an end-run fix?


40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,763
    • View Profile
    • Donate to Member
Re: *NIX - Problem with Steam shellscript may delete user files
« Reply #5 on: January 19, 2015, 02:15:34 PM »
So is this a bug?! Or a hack?

Neither really.

It's a programming mistake. Or a bad call by a script coder. Period.

There's nothing intrinsically wrong with rm -rf/. It's just one more command. The same as rd /s/Q in Windows. It can be a handy way of cleaning out a lot of unneeded directories and files provided you know (a) exactly what you want to accomplish; and (b) exactly how the command actually works.

In this case, not having the '$STEAMROOT' directory where it was expected to be was the same as invoking the command with a wildcard. So instead of purging a specific directory, having a null value for $STEAMROOT meant the shell interpreter blew past it and went straight to / as its next valid criteria. Booyah! And blammo too! :tellme:

I'm amazed whoever put that command in a script didn't realize that could happen. Especially since rm -rf/* is one of the first "killer commands  Linux users learn and repeatedly get warned about. My guess is that whoever did this is probably a Windows programmer by trade. Windows has some built-in safeguards when you run the rd command. That, however, is not the case in Linux, which assumes you know what you're doing when issuing commands within a terminal session.

« Last Edit: January 20, 2015, 10:46:58 AM by 40hz »

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,548
    • View Profile
    • Donate to Member
Re: *NIX - Problem with Steam shellscript may delete user files
« Reply #6 on: January 19, 2015, 02:28:59 PM »
I'm amazed whoever put that command in a script didn't realize that could happen. Especially since rm -rf/* is one of the first "killer commands  Linux users learn and repeatedly get warned about. My guess is that whoever did this is probably a Windows programmer by trade. Windows has some built-in safeguards when you run the rd command. That, however, is not the case in Linux, which assumes you know what you're doing when issuing commands within a terminal session.

This is what I was trying to explore / express.

Valve isn't a three man op - they have a few bucks to their name.  So I'd think if they write Linux code, they'd presumably get a decently skilled Linux coder who is aware of the basics like this. Or if they have to have a "Windows programmer by trade" write the bulk of the code, they'd at least get a Linux guy to eyeball it for sanity.

I'm particularly disturbed that it was labeled "scary" - to me, that seems like something is missing from the programming "story", especially as you remarked how basic of an issue this is, this being in people's top lists of scary commands to be really careful of. I can't imagine anything I'd do for work that I'd notice as "scary", then ... not check it with a boss! Notice especially it's work, for a big company, not some well meaning guy just trying to write a nice little utility and getting it wrong. And the severity of what can go wrong is also a red flag for me.


40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,763
    • View Profile
    • Donate to Member
Re: *NIX - Problem with Steam shellscript may delete user files
« Reply #7 on: January 19, 2015, 02:37:57 PM »
^Well...it happened. Not much else we can say about it since we could only speculate endlessly as to why it happened. Somebody screwed up or wasn't thinking clearly. That's the centerpiece problem at the heart of everything from space shuttle explosions to checking account overdrafts.

Makes for a good cautionary tale if nothing else. ;D

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,548
    • View Profile
    • Donate to Member
Re: *NIX - Problem with Steam shellscript may delete user files
« Reply #8 on: January 21, 2015, 05:14:42 AM »
^Well...it happened. Not much else we can say about it since we could only speculate endlessly as to why it happened.

Hehe I've been watching too much TV. We just call Homeland Security and have them haul the programmer and his boss in for interrogation upon threat of watching Barney episodes and make them tell us!

Why is it the little people are reduced to speculation?

:P

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,763
    • View Profile
    • Donate to Member
Re: *NIX - Problem with Steam shellscript may delete user files
« Reply #9 on: January 21, 2015, 06:56:06 AM »
Why is it the little people are reduced to speculation?

LOL! Because we can't read minds; peer into the souls of others; know with certainty what the future will bring; or, define what's truly true like we've been told the big people can. ;D

« Last Edit: January 21, 2015, 08:02:13 AM by 40hz »