At some point you have to give something the ability to update and modify system components and even then it is extremely unlikely that deleting everything starting with / is the intended behavior.
An EXTRA flag to rm could be required in order for it to be able to modify fundamental OS files. This would eliminate nearly all accidents.
Though that requires rm to know what objects are fundamental. While there are some obvious static choices, there are many others that are going to vary between installations. You could add extended attributes to indicate what is what, but that is an extra complication for distro maintainers. You could use the immutable flag, though again that will be a faff for upgrades (remove flags, update files, replace flags). Once rm is protecting users in this way, there might be an expectation that other tools will too, but by the time you get to this point, rather than reinventing the wheel, perhaps just use something like SELinux (I assume BSD has an equivalent capabilities-based option?) and other existing control features.
rm having --preserve-root on by default is, I think, a simple mitigation that protects against the most common potential accidents better than any of the above would, and if something more than that is wanted then things like the immutable flag already exist and would cover far more than just rm.
You already have to log in as root to modify fundamental OS files, and any modification can break things just as badly as rm can.
I agree, but rm doesn't have to be the thing to modify system files.