Man Deletes His Entire Company With One Line of Bad Code

Reader JustAnotherOldGuy writes: Marco Marsala appears to have deleted his entire company with one mistaken piece of code. By accidentally telling his computer to delete everything in his servers, the hosting provider has seemingly removed all trace of his company and the websites that he looks after for his customers. Marsala wrote on a Centos help forum, "I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line. All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script)." The terse "rm -rf" is so famously destructive that it has become a joke within some computing circles, but not to this guy. Can this example finally serve as a textbook example of why you need to make offsite backups that are physically removed from the systems you're archiving?"Rm -rf" would mark the block as empty, and if the programmer hasn't written anything new, he should be able to recover nearly all of the data. Something about the story feels weird.

Three words

[MPAB]

Offsite, offline BACKUPS

Re:Three words

[Aighearach]

That's all great, but even a less complete, sloppy backup system would be an improvement here.

Another thing people don't understand about cloud hosting... you should still have your own self-managed, non-cloud server that holds your images and ideally runs your service during the low-traffic hours. Whatever your daily lowest traffic 6 hours is, in most cases, should be traditionally hosted. Cloud is super-duper-awesome-webscale for the peak traffic, no way around that if you have peak traffic hours.

Personally, I can re-deploy (including the latest database backup) from my dev workstation using a simple rake task.

Another problem is; relying on your hosting company for backups. Never do that. The same fire/earthquate/bash script/volcano that makes the backup necessary, would destroy it! Expect the hosting company to have insurance, don't expect them to care if your data gets lost. Especially if it "user error."

This has nothing to do with "PC/internet mentality" and everything to do with the latest anti-waterfall, anti-planning, 80% is all that matters mindset. Traditionally, this was easily solved because there was an engineering mindset.

Re: Three words

[GameboyRMH]

Addendum - just checked a CentOS server, and rm --help says that --preserve-root is enabled by default, and has to be overridden with --no-preserve-root.

Re:Three words

[flopsquad]

Offsite, offline BACKUPS

Would not have helped in this situation. His typo resulted in this command:

"rm -rf --no-preserve-root --write-zeroes --shred-mbr --exec-all-ssh-hosts --douse-hydrofluoric --high-velocity-eject-removable-media --carpet-bomb-offsite-backup --salt-earth"

Which, I mean, who hasn't accidentally done that? The keys are like right next to each other.

Re:Three words

[Megane]

Because he is a retard.

All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script

Clearly a case of a fool thinking that a sync (copying data to another place regularly) is a backup. It's not a backup if you can easily copy corrupted data to your only copy. Or, in this case, if you can easily delete the data from your "backup" copy.

Re:Three words

[billyoc903]

I have this aliased to 'sl'. Keeps me on my toes.

Re:Three words

[Triklyn]

... are you suggesting that there's someone out there that knows how to shoot a fireball out of a chopstick?

please elaborate on that

--no-preserve-root

[zopper]

Does he use --no-preserve-root by default? I think that it is there for many years. Of course, if his servers are running on something from 2004, then his rm might be without this safeguard...

Wasn't he trolling?

[anlag]

I saw the post on ServerFault, and while the original scenario could have happened, the OP's follow-up blunder to reverse the input and output parameters of dd when trying to preserve the disk seemed just a wee bit too unlikely. I looked at the article to see if there was any additional data to suggest this was real, but it seems entirely based on the SF thread. Until corroborated, I'm going to call bs.

Re:Wasn't he trolling?

[crunchygranola]

My operating theory is that the guy is constructing an alibi. Perhaps he has gotten wind of an investigation and wants to look like a hapless idiot and not someone engaged in destroying evidence.

Empathy

[The-Ixian]

I have that cold feeling in my stomach just reading this summary. ick.

I did something similar (though not quite so destructive) nearly 20 years ago when I was first learning Linux.

I my case I was trying to get rid of all the hidden files in root's (/root) home dir using 'rm -rf .*'

Guess what that did?

Yeah, that wasn't a highlight of my career...

Fun thing about TRIM

[CajunArson]

While this guy was most likely using traditional HDDs where block level recovery is a possibility, for those of you using SSDs that have TRIM properly enabled, don't expect to be able to recover deleted files from the same drive unless you are really really fast.

TRIM automatically zeros the blocks of deleted files and they are GONE aside from vague sci-fi and probably nonexistent NSA-type forensics.

Re:Fun thing about TRIM

[Rockoon]

When the OS sends a trim command, with it is information about what the logical sector should look like if an attempt is made to read it again. IIRC the options are zeros, ones, and random.

Without trim the ssd has to preserve the entire logical block device its emulating, ie if you have a 64GB drive then even if it only has 4KB of "files" on it, the device still has to preserve all 64GB because it doesnt even know what a file is, let alone that you deleted one.

With trim the ssd only has to preserve what the OS told it was important to preserve. So instead of preserving 64GB if data it only has to preserve your 4KB of data. Trim marks logical sectors as dont-preserve.

What the SSD will not do is overwrite trimmed physical sectors just because they were trimmed. In fact, that data could linger there for years even with a high amount of read/write activity because SSD's only erases entire physical blocks, not just the subsectors within blocks that were trimmed.

So recovering is not sci-fi. Recovery is a fact. What can't be done is recovering the data via commands that target the logical rather than physical device.

manishs

[Verdatum]

Manishs, you seem to actually critically read articles before posting them, and you actually provide insight after the summary. What is up with that?

Re:manishs

[msmash]

I hope you're not being sarcastic.

Re:manishs

[Verdatum]

I mean that I really do appreciate it. Keep up the good work!

Still value as a troll

[Minupla]

I collect these stories for people who I mentor. Even if they're trolls, they work as cautionary tales, because lots of people have had similar smaller scale disasters (as evidenced by posts in this thread) and it's healthy for mentees to get a taste of what can happen when you (for example) forget to error check your script parameters.

In a big way it doesn't matter if it's true or not, it could be true which makes it a teachable moment. I'm sure everyone who reads the story will run a mental checklist to see if they have a script somewhere that could EVER do it. Do they have their backups mounted when they should be rsyncing, etc.

Min

Corrections

[ledow]

Man ALLOWS his entire company to be wiped out in one command.

Man DESIGNS his entire company to be wiped out in one command.

Man SETS UP his entire company to be wiped out in one command.

Hint: I work in schools. Once I had a teacher delete their entire planning folder. Then (and DO NOT ask me why, because I don't understand it either), they emptied that folder from Recycle Bin. They rang up in the more embarrassed panic.

And then it was explained that we still had copies of that folder in:

a) Shadow Copies of the profile on the client.
b) Network Copies of the profile that they were logged in as (and which fortunately hadn't logged off once they realised what they did).
c) Shadow Copies of the profile folder on the server.
d) Copies of the profile folder on all the other servers.
e) Copies of all the servers on replica servers.
f) Copies of the server VM's and storage in a primary backup location.
g) Copies of the server VM's and storage in a secondary backup location.
h) Copies of the server VM's and storage in a tertiary backup location.
i) Several off-line and off-site copies of the server VM's and storage .
k) Random, casual backups all over the place.

And that's just for the crap that teachers think is important (i.e. a lesson plan they have to write every two weeks and which they can't re-use anyway).

Fuck knows what this guy was thinking, but there's no one one command ANYWHERE should be able to do that many actions, let alone dangerous actions that you haven't evaluated properly. Honestly, some of those machines don't even TURN ON until the backup window, and even the backup devices have rollback and shadow-copy-like functionality on top of whatever the backup software gives (incrementals, etc.). And several are DELIBERATELY offline for almost their entire lives and have entirely disparate credentials so no one command could ever affect them.

Not being funny, but we're talking a small school of 400 5-14 year olds here. He actually has more customers than I have users. And you just can't fuck about like that, so if he thinks he can, I honestly have zero sympathy and can only laugh.

rsnap is popular. Should pull from read-only accou

[raymorris]

Rsnap is a very popular backup system which uses network mounted drive as it's default/most common configuration. I constantly remind people on the rsnap mailing list about the existence of cryptolocker type malware.

A much safer way to do it is to have the backup system PULL backups using a read-only account. That way no command on the live system can touch the backups, and the backup system can't change anything on the live system - either accidentally or maliciously.

One solid backup / hot spare system that does it safely by default is Clonebox.

Chain of Mistakes

[Greyfox]

Recently the USPA was talking about stuff that kills skydivers. It's almost never just one mistake. It's a chain of mistakes where one single good decision anywhere in that chain would break the chain and prevent entirely preventable deaths. In the case of this story, if it had actually happened, which it didn't, the decisions made to violate best practices all along the chain (IE, running your bash scripts as root or as any user ID that has authority to delete anything on the file system, not pushing just pushing your backup data to isolated storage, not having numbered sequential backups, etc) would be so egregious that the story would simply be an example of Darwin at work. The conversation would go "Oh hey, did you hear about that guy who designed his system so badly that he was able to delete the whole fucking thing with one mistyped command? Yeah, the council of sysadmins voted to kill him. Said it was for the good of the species."

Old Saying

[Tablizer]

"To err is human. To really fuck things up, you need a computer."

I prefer that any bulk or query-based "delete" command ask for confirmation along with basic feedback. Example pseudo-code:

> delete *:*.*

You are about to delete 832 folders and 28,435 files.
Your choices are:
      1 - Proceed with deletion
      2 - List path details about the above folders and files
      3 - Cancel deletion
Your Choice: __

(end of example)

It may be slower and/or more resource intensive, but that's better than mass boo-boo's.

An optional command parameter could switch off verification, but verification should be the default. This is something Unix/Linux gets backward in my opinion: the default should be confirmation mode, not the other way around. In other words, a command switch should be required to switch off confirmation rather than requiring a command switch to turn confirmation on.

Typical SQL doesn't have a confirmation mode, so I usually do a verification query on the WHERE clause before running the actual:

-- check
SELECT count(*) FROM myTable
WHERE x > 7 AND foo='BAR'

-- actual, keeping same where-clause
DELETE FROM myTable
WHERE x > 7 AND foo='BAR'

I also often inspect at least some of the actual rows, not just the count. Thus, as a rule of thumb, do random spot-checks of actual data, and a total count before final command execution.

Re: What happened to NEWS for Nerds?

[Darinbob]

I make it a point to lump people into the category of "everyone". Then I can despise them all equally without picking and choosing favorites.