It seems that you're using an outdated browser. Some things may not work as they should (or don't work at all).
We suggest you upgrade newer and better browser like: Chrome, Firefox, Internet Explorer or Opera

×
Apparently it's been fixed (though some dispute that), but it's still a nice read:

http://www.theregister.co.uk/2015/01/17/scary_code_of_the_week_steam_cleans_linux_pcs/
Post edited January 17, 2015 by wpegg
avatar
wpegg: Apparently it's been fixed (though some dispute that), but it's still a nice read:

http://forums.theregister.co.uk/forum/1/2015/01/17/scary_code_of_the_week_steam_cleans_linux_pcs/
Page not found...
avatar
wpegg: Apparently it's been fixed (though some dispute that), but it's still a nice read:

http://forums.theregister.co.uk/forum/1/2015/01/17/scary_code_of_the_week_steam_cleans_linux_pcs/
avatar
Soccorro: Page not found...
That was fast, it only took me a min to correct it.
avatar
Soccorro: Page not found...
Link.
Annoying. The final / of that URL is necessary, but GOG doesn't include it in auto-generated links. Please edit your post to include it.
avatar
wpegg: Apparently it's been fixed (though some dispute that), but it's still a nice read:

http://forums.theregister.co.uk/forum/1/2015/01/17/scary_code_of_the_week_steam_cleans_linux_pcs/
avatar
Soccorro: Page not found...
page found




Software
/
Developer

17 Jan 2015 at 12:00, Shaun Nichols

Linux desktop gamers should know of a bug in Valve's Steam client that will, if you're not careful, delete all files on your PC belonging to your regular user account.

According to a bug report filed on GitHub, moving Steam's per-user folder to another location in the filesystem, and then attempting to launch the client may perform the following heart-stopping command:

rm -rf /*

That means: remove all files recursively, and without stopping, from the root directory down. Assuming the client is run as a normal user, it will delete everything owned by that account – including mounted backup drives and network shares – although leave other stuff, such as system files owned by root, intact.

Steam is Valve Software's Swiss-army-knife-like application for downloading and managing collections of computer games, and getting to know fellow gamers.

"I am not sure what happened. I moved the folder in the title to a drive mounted under /media/user/BLAH and symlinked /home/user/.local/steam to the new location," wrote GitHub user keyvin, who filed the bug report.

"I launched Steam. It did not launch, it offered to let me browse [the filesystem to find Steam's folder], and still could not find it when I pointed to the new location. Steam crashed. I restarted it.

"It re-installed itself and everything looked great. Until I looked and saw that Steam had apparently deleted everything owned by my user recursively from the root directory. Including my 3TB external drive I back everything up to that was mounted under /media."

Other users also said the application had stripped files from their hard drives. The issue was traced to a shell script variable that's supposed to contain a filesystem path, but can end up empty if Steam's files are moved or missing, and is passed as an argument to rm -rf.

The code in question is this in steam.sh:

# figure out the absolute path to the script being run a bit
# non-obvious, the ${0%/*} pulls the path out of $0, cd's into the
# specified directory, then uses $PWD to figure out where that
# directory lives - and all this in a subshell, so we don't affect
# $PWD
STEAMROOT="$(cd "${0%/*}" && echo $PWD)"

# Scary!
rm -rf "$STEAMROOT/"*

Yes, $STEAMROOT can end up being empty, but no check is made for that. Notice the # Scary! line, an indication the programmer knew there was the potential for catastrophe.

If you're running Steam on Linux, it's probably best to make sure you have your files backed up and avoid moving your Steam directory, even if you symlink to the new location, for the time being. ®

Have you found some truly scary code in the wild? Get in touch – we could turn this into a regular feature.
avatar
Soccorro: Page not found...
avatar
wpegg: That was fast, it only took me a min to correct it.
yeh just stumbled upon this thread and thought "Steambashing!?" I'M IN!
Yikes! And the code comment clearly shows that the programmer in question was well aware that this was a dangerous thing to do, and he still decided not to add any checks to verify that the STEAMROOT variable wasn't empty.
avatar
Wishbone: Yikes! And the code comment clearly shows that the programmer in question was well aware that this was a dangerous thing to do, and he still decided not to add any checks to verify that the STEAMROOT variable wasn't empty.
To be fair, we've all had errors where we've hit our code block saying "This should never happen!".
avatar
Wishbone: Yikes! And the code comment clearly shows that the programmer in question was well aware that this was a dangerous thing to do, and he still decided not to add any checks to verify that the STEAMROOT variable wasn't empty.
avatar
wpegg: To be fair, we've all had errors where we've hit our code block saying "This should never happen!".
To be doubly fair, we haven't all had those errors when the code block saying "this should never happen" contained code to wipe the local file systems of thousands of users. When you have the potential to do as much damage as that, you have to make sure it actually doesn't happen, for any reason.

Incidentally, Steam is down at the moment. Coincidence? :-D
Yeah, this is sloppy coding while doing a dangerous thing. The coder realized there were risks involved, but then went ahead doing nothing at all to mitigate for them.

Looking quickly at the code, the function this is in starts by checking for a file called $STEAMROOT/steam_dev.cfg and returns without doing anything if such is found. So perhaps this could work as a workaround failsafe to keep a disaster from happening until this is fixed:

touch /steam_dev.cfg

(I'm not responsible if you do this and it doesn't help, or if it causes Steam to flip out in some other way instead)
avatar
wpegg: To be fair, we've all had errors where we've hit our code block saying "This should never happen!".
avatar
Wishbone: To be doubly fair, we haven't all had those errors when the code block saying "this should never happen" contained code to wipe the local file systems of thousands of users. When you have the potential to do as much damage as that, you have to make sure it actually doesn't happen, for any reason.

Incidentally, Steam is down at the moment. Coincidence? :-D
True, I just like to think that the developer involved was under some pressure or something. Then again, apparently Valve is a really Google-like free easy going place with sofas and everyone drinking smoothies. Maybe this attitude has crept into places it shouldn't.
"Even worse, users say the bug will even wipe out documents on USB connected drives. So much for local backups."

If this happened with EA's Origin, there'd be at least a bit more outrage and the story would show up on more sites.
avatar
TDP: If this happened with EA's Origin, there'd be at least a bit more outrage and the story would show up on more sites.
If this happened on Windows you meant to say.
Wow, I decided to give steam and opportunity and installed it some days ago for playing a steam-only bundle linux game. It seems I will uninstall it, as it could wipe my home directory, and it seems my ntfs partitions too, as they are automounted by my window manager once I log in.