More like this




Scary code of the week: Valve Steam CLEANS Linux PCs (if you're not careful)

Dodgy shell script triggers classic rm -rf /

Linux desktop gamers should know of a bug in Valve's Steam client that will, if you're not careful, delete all files on your PC belonging to your regular user account.

According to a bug report filed on GitHub, moving Steam's per-user folder to another location in the filesystem, and then attempting to launch the client may perform the following heart-stopping command:

rm -rf /*

That means: remove all files recursively, and without stopping, from the root directory down. Assuming the client is run as a normal user, it will delete everything owned by that account – including mounted backup drives and network shares – although leave other stuff, such as system files owned by root, intact.

Steam is Valve Software's Swiss-army-knife-like application for downloading and managing collections of computer games, and getting to know fellow players.

"I am not sure what happened. I moved the folder in the title to a drive mounted under /media/user/BLAH and symlinked /home/user/.local/steam to the new location," wrote GitHub user keyvin, who filed the bug report.

"I launched Steam. It did not launch, it offered to let me browse [the filesystem to find Steam's folder], and still could not find it when I pointed to the new location. Steam crashed. I restarted it.

"It re-installed itself and everything looked great. Until I looked and saw that Steam had apparently deleted everything owned by my user recursively from the root directory. Including my 3TB external drive I back everything up to that was mounted under /media."

Other users also said the application had stripped files from their hard drives. The issue was traced to a shell script variable that's supposed to contain a filesystem path, but can end up empty if Steam's files are moved or missing, and is passed as an argument to rm -rf.

The code in question is this in

# figure out the absolute path to the script being run a bit
# non-obvious, the ${0%/*} pulls the path out of $0, cd's into the
# specified directory, then uses $PWD to figure out where that
# directory lives - and all this in a subshell, so we don't affect
# $PWD
STEAMROOT="$(cd "${0%/*}" && echo $PWD)"

# Scary!
rm -rf "$STEAMROOT/"*

Yes, $STEAMROOT can end up being empty, but no check is made for that. Notice the # Scary! line, an indication the programmer knew there was the potential for catastrophe.

If you're running Steam on Linux, it's probably best to make sure you have your files backed up and avoid moving your Steam directory, even if you symlink to the new location, for the time being. ®

Have you found some truly scary code in the wild? Get in touch – we could turn this into a regular feature.

Sponsored: The Nuts and Bolts of Ransomware in 2016