How far can you go with rm -rf / as root

If you are root, and you issue

rm -rf /

Then how far can the command go? Can you recover data from this kind of an action? Even after the binaries are gone, would the running processes still be active? What would it take to make the same physical machine boot again? What files would you need to restore to make this happen?

I could try this on a VM and see, but I want to know the rationale behind what to expect if I do this.

Answers:


Method 1

This command does nothing, at least on the OS I use (Solaris) with which this security feature was first implemented:

# rm -rf /
rm of / is not allowed

On other *nix, especially the Linux family, if a recent enough GNU rm is provided, you would need to add the --no-preserve-root option to enable the command to complete (or at least start).

How far this command would go is undefined. It depends on plenty of more or less unpredictable events. Generally, processes can run even after their binaries have been removed.
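The last point above, that a process keeps running after its binary is removed, can be checked without going anywhere near /. This is an added example, not part of the original answer: it runs a private copy of sleep from a mktemp directory (the function and variable names are constructed for the demo) and, on Linux, also copies the deleted binary back out through /proc/<pid>/exe.

```shell
#!/bin/sh
# Added demonstration, not from the original answers. Everything happens inside
# a private mktemp directory; nothing outside it is removed.

demo_unlinked_binary() {
    workdir=$(mktemp -d) || return 2
    # Private copy of sleep(1); it keeps the name "sleep" so multi-call
    # binaries (busybox, coreutils) still know which applet to run.
    cp "$(command -v sleep)" "$workdir/sleep" || return 2
    "$workdir/sleep" 30 &            # process backed by the private copy
    pid=$!
    sleep 1                          # let the child finish exec() first
    rm -f -- "$workdir/sleep"        # remove the only name for that binary

    ALIVE=no; EXE_LINK=unavailable; RECOVERED=skipped
    if [ ! -e "$workdir/sleep" ] && kill -0 "$pid" 2>/dev/null; then
        ALIVE=yes                    # file is gone, process is still there
    fi

    # Linux only: the inode stays allocated while the process maps it, and
    # /proc/<pid>/exe still reaches it, so the binary can be copied back out.
    if [ -L "/proc/$pid/exe" ]; then
        EXE_LINK=$(readlink "/proc/$pid/exe" || true)
        if cp "/proc/$pid/exe" "$workdir/recovered" 2>/dev/null &&
           cmp -s "$workdir/recovered" "$(command -v sleep)"; then
            RECOVERED=yes
        else
            RECOVERED=no
        fi
    fi

    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf -- "$workdir"             # only ever the mktemp directory
    [ "$ALIVE" = yes ]
}

if demo_unlinked_binary; then
    echo "process alive after unlink: $ALIVE"
    echo "/proc exe link: $EXE_LINK"
    echo "binary recovered via /proc: $RECOVERED"
fi
```

On Linux the exe link is reported with a "(deleted)" suffix, which is also a useful indicator when triaging a host where binaries have gone missing under running processes.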

Method 2

Even with jlliagre’s excellent answer, remember this is still a pretty dangerous thing to do. Always double check where you are before doing things like rm -rf. It would be catastrophic if you were to do rm -rf * while in the /usr directory, for instance.

As to the rest of your questions, what you can recover pretty much depends on your backup procedures. In most *nix systems there is no simple way to recover files and directories once they have been deleted. Unlike the old DOS days where files were often still on the disk after a delete was performed, most systems these days do things that make recovery very difficult. This is one of the reasons that data recovery services are so expensive.

If you are using a VM, I recommend doing snapshots from time to time at the very least. But nothing can beat following a good backup plan.

Method 3

I just tried with Ubuntu 16 and VMware Workstation, and with the no-preserve-root option it erased the entire disk of my running Linux system. After that was finished, the whole VMware Workstation app became unusably unstable, and even powering off or resetting the virtual machine from the application was impossible.
Killing the vmx was refused; only a host reboot worked after that!

Method 4

As some people said, you can still use sudo rm -rf /* to remove anything. Without the asterisk, it works on OS X too. Someone has made footage of destroying OS X Yosemite like this, and I am sure that a Linux-based OS will experience much the same.

Things slowly begin getting unresponsive. I don’t think that everything got deleted, as the terminal froze while the process was happening, but it was enough to freeze the whole thing and do a force restart.

Attempting to reboot causes a single-user mode like boot screen with errors.

Method 5

One can’t simply destroy his/her system by issuing rm -rf / as root. Initially, the command will be issued under fail-safe mode, which will restrict the usage of rm on /, but even with --no-preserve-root as an argument, the running system will not permit the removal of running processes from the disk; however, the rest of the programs and files will be removed, leaving an unusable system with (almost) no programs to run! Please check the screenshots tarred here; the command was issued in Arch Linux in VirtualBox: http://bit.ly/q9CsA4


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
