Re: Safety option "--preserve-root" in chown/chgrp

[Jim Meyering]

While POSIX (now) actually specifies the desired behavior for rm, it
does not (yet) for chown or chgrp.

IMHO, it would be a welcome change to make chown and chgrp reject an
attempt to operate recursively on a root file system, even though
POSIX has not yet required that behavior. In a way, adding this
protection to chown and chgrp feels even more important than adding it
for rm: these tools typically process files at a significantly higher
rate than rm, so can inflict more damage in the time it might take an
interactive user to realize the error and hit ^C.

On Thu, Jun 18, 2020 at 3:14 PM Harald Koch <h.koch@c-works.de> wrote:
>
> Hello,
>
> first, thank you to all of you making it possible to bring Unix to everyone 
> of us!
> As a technical supporter, we see situations each day where we ask ourself how 
> this could happen. In the last seven days, we had to support our customers 
> who made big mistakes, and two times it was a very big effort to revert the 
> backups and make the system functional. These two situations both occured 
> (independently from each other) by changing permissions due to misconfigured 
> NFS and CIFS shares. The remote administrator tried to solve it by a simple 
> „chown“ or „chgrp“ recursively, which is wrong to solve the situation, but 
> that’s another point. The problem is, that they made a "chown -R www-data /" 
> - ok, bad idea afterwards.
> My colleague (here in CC) tries to find out how this could easily enhanced, 
> and found in the man pages the section:
>
>        --no-preserve-root
>               do not treat '/' specially (the default)
>
>        --preserve-root
>               fail to operate recursively on ‚/'
>
>
> So, there is an option to disallow this behavior. Would have been this set in 
> the call of chown, we would have saved much time (and customer’s money, which 
> flows into our pockets). The question is: if there is such a safety option, 
> why is it reverted to „by default unsafe“? In my understanding, it would be 
> better to have „--preserve-root“ be the default and to allow operation on „/" 
> only by option. I know this would have a big impact on existing scripts, but 
> I feel a bit disappointed by the administrator-friendlyness of these options. 
> It’s like having an airbag in a car, but you must enable it in exactly the 
> situation of an accident.
> How do you feel about this?
>
>
> Freundliche Grüße/Best regards,
>
> Harald Koch
>
> c-works GmbH
> Otto-Lilienthal-Str. 36
> 71034 Böblingen
>
> E-Mail: h.koch@c-works.de <mailto:h.koch@c-works.de>
> Tel.:  +49-(0)7031-714-9440
> Fax: +49-(0)7031-714-9442
>
> Geschäftsführer/Managing Director: Harald Koch
> Sitz und Registergericht/Domicile and Court of Registry: Stuttgart
> HRB-Nr./ Commercial Register No. 725882
>
> —
> Due to corona we moved to remote office, leading to possible telephone 
> quality degradation.
>
>