*NIX - Problem with Steam shellscript may delete user files

[40hz]

This from The Register:

Scary code of the week: Valve Steam CLEANS Linux PCs (if you're not careful)
Dodgy shell script triggers classic rm -rf /

17 Jan 2015 at 12:00, Shaun Nichols

Linux desktop gamers should know of a bug in Valve's Steam client that will, if you're not careful, delete all files on your PC belonging to your regular user account.
.
.
.
The issue was traced to a shell script variable that's supposed to contain a filesystem path, but can end up empty if Steam's files are moved or missing, and is passed as an argument to rm -rf.

Soon to be fixed no doubt - but still something to be aware of until it is. Full article here.
 

[ewemoa]

Woa.

[40hz]

^ Yeah. Except the first word that popped into my head wasn't 'woa.'

[Deozaan]

Yikes!

[TaoPhoenix]

As a newbie question, I am responding to these bits:

-----------

# Scary!
rm -rf "$STEAMROOT/"*

Yes, $STEAMROOT can end up being empty, but no check is made for that. Notice the # Scary! line, an indication the programmer knew there was the potential for catastrophe.

-----------------------

So is this a bug?! Or a hack?

How does a line like "rm -rf "$STEAMROOT/"*" even begin to have a legit purpose?

And then how does a programmer label something "scary" and do nothing about it?

I'm missing the meta-story here. Given the number of "blah" security reports on random "vulnerabilities", wouldn't this rocket to the top of someone's to-do list to investigate?

Did someone bulldoze the programmer, who then felt trapped and the best be could do was add "scary", counting on the tech media to somehow do an end-run fix?

[40hz]

So is this a bug?! Or a hack?

-TaoPhoenix (January 19, 2015, 01:05 PM)

Neither really.

It's a programming mistake. Or a bad call by a script coder. Period.

There's nothing intrinsically wrong with rm -rf/. It's just one more command. The same as rd /s/Q in Windows. It can be a handy way of cleaning out a lot of unneeded directories and files provided you know (a) exactly what you want to accomplish; and (b) exactly how the command actually works.

In this case, not having the '$STEAMROOT' directory where it was expected to be was the same as invoking the command with a wildcard. So instead of purging a specific directory, having a null value for $STEAMROOT meant the shell interpreter blew past it and went straight to / as its next valid criteria. Booyah! And blammo too!

I'm amazed whoever put that command in a script didn't realize that could happen. Especially since rm -rf/* is one of the first "killer commands  Linux users learn and repeatedly get warned about. My guess is that whoever did this is probably a Windows programmer by trade. Windows has some built-in safeguards when you run the rd command. That, however, is not the case in Linux, which assumes you know what you're doing when issuing commands within a terminal session.

[TaoPhoenix]

I'm amazed whoever put that command in a script didn't realize that could happen. Especially since rm -rf/* is one of the first "killer commands  Linux users learn and repeatedly get warned about. My guess is that whoever did this is probably a Windows programmer by trade. Windows has some built-in safeguards when you run the rd command. That, however, is not the case in Linux, which assumes you know what you're doing when issuing commands within a terminal session.

-40hz (January 19, 2015, 02:15 PM)

This is what I was trying to explore / express.

Valve isn't a three man op - they have a few bucks to their name.  So I'd think if they write Linux code, they'd presumably get a decently skilled Linux coder who is aware of the basics like this. Or if they have to have a "Windows programmer by trade" write the bulk of the code, they'd at least get a Linux guy to eyeball it for sanity.

I'm particularly disturbed that it was labeled "scary" - to me, that seems like something is missing from the programming "story", especially as you remarked how basic of an issue this is, this being in people's top lists of scary commands to be really careful of. I can't imagine anything I'd do for work that I'd notice as "scary", then ... not check it with a boss! Notice especially it's work, for a big company, not some well meaning guy just trying to write a nice little utility and getting it wrong. And the severity of what can go wrong is also a red flag for me.

[40hz]

^Well...it happened. Not much else we can say about it since we could only speculate endlessly as to why it happened. Somebody screwed up or wasn't thinking clearly. That's the centerpiece problem at the heart of everything from space shuttle explosions to checking account overdrafts.

Makes for a good cautionary tale if nothing else.

[TaoPhoenix]

^Well...it happened. Not much else we can say about it since we could only speculate endlessly as to why it happened.

-40hz (January 19, 2015, 02:37 PM)

Hehe I've been watching too much TV. We just call Homeland Security and have them haul the programmer and his boss in for interrogation upon threat of watching Barney episodes and make them tell us!

Why is it the little people are reduced to speculation?

[40hz]

Why is it the little people are reduced to speculation?

-TaoPhoenix (January 21, 2015, 05:14 AM)

LOL! Because we can't read minds; peer into the souls of others; know with certainty what the future will bring; or, define what's truly true like we've been told the big people can.