Linux – Why is “chmod -R 777 /” destructive

chmodlinuxpermissions

This is a Canonical Question about File Permission and Why 777 is "destructive".

I'm not asking how to fix this problem, as there are a ton of references of that already on Server Fault (reinstall OS). Why does it do anything destructive at all?

If you've ever ran this command you pretty much immediately destroy your operating system. I'm not clear why removing restrictions has any impact on existing processes. For example, if I don't have read access to something and after a quick mistype in the terminal suddenly I now have access well… why does that cause Linux to break?

Best Answer

First of all a minor terminology nitpick: chmod doesn't remove permissions. It CHANGES them.

Now the meat of the issue -- The mode 777 means "Anyone can read, write or execute this file" - You have given permission for anyone to do (effectively) whatever the heck they want.

Now, why is this bad?

You've just let everyone read/modify every file on your system.
- Kiss password security goodbye (anyone can read the shadow file and crack your passwords, but why bother? Just CHANGE the password! It's much easier!).
- Kiss security for your binaries goodbye (someone can just write a new login program that lets them in every time).
- Kiss your files goodbye: One user misdirects rm -r / and it's all over. The OS was told to let them do whatever they wanted!
You've pissed off every program that checks permissions on files before starting.
sudo, sendmail, and a host of others simply will not start any more. They will examine key file permissions, see they're not what they're supposed to be, and kick back an error message.
Similarly ssh will break horribly (key files must have specific permissions, otherwise they're "insecure" and by default SSH will refuse to use them.)
You've wiped out the setuid / setgid bits on the programs that had them.
The mode 777 is actually 0777. Among the things in that leading digit are the setuid and setgid bits.
Most programs which are setuid/setgid have that bit set because they must run with certain privileges. They're broken now.
You've broken /tmp and /var/tmp The other thing in that leading octal digit that got zero'd is the sticky bit -- That which protects files in /tmp (and /var/tmp) from being deleted by people who don't own them.
There are (unfortunately) plenty of badly-behaved scripts out there that "clean up" by doing an rm -r /tmp/*, and without the sticky bit set on /tmp you can kiss all the files in that directory goodbye.
Having scratch files disappear can really upset some badly-written programs...
You've caused havoc in /dev /proc and similar filesystems
This is more of an issue on older Unix systems where /dev is a real filesystem, and the stuff it contains are special files created with mknod, as the permissions change will be preserved across reboots, but on any system having your device permissions changing can cause substantial problems, from the obvious security risks (everyone can read every TTY) to the less-obvious potential causes of a kernel panic.
Credit to @Tonny for pointing out this possibility
Sockets and Pipes may break, or have other problems Sockets and pipes may break entirely, or be exposed to malicious injection as a result of being made world-writeable.
Credit to @Tonny for pointing out this possibility
You've made every file on your system executable
A lot of people have . in their PATH environment variable (you shouldn't!) - This could cause an unpleasant surprise as now anyone can drop a file conveniently named like a command (say make or ls, and have a shot at getting you to run their malicious code.
Credit to @RichHomolka for pointing out this possibility
On some systems chmod will reset Access Control Lists (ACLs)
This means you may wind up having to re-create all your ACLs in addition to fixing permissions everywhere (and is an actual example of the command being destructive).
Credit to @JamesYoungman for pointing out this possibility

Will the parts of the system which are already running continue to run? Probably, for a while at least.
But the next time you need to launch a program, or restart a service, or heaven forbid REBOOT the box you're in for a world of hurt as #2 and #3 above will rear their ugly heads.

Related Solutions

Chmod -R 777 / on ubuntu – numerous problems

I would actually consider doing a full reinstall of the system. Even if you manage to get most permissions right and that things seem to work there will most likely be some special permissions laying around, just waiting to cause trouble.

Alternatively I'd compare the permission with a second, possibly freshly installed, machine. Shouldn't be to hard together with your favorite scripting language.

Ubuntu – Undoing chmod 777

There's an easy way to back up and restore permissions amd ownerships of a directory tree using the ACL tools. It works even if you don't have ACLs enabled on the filesystem.

getfacl -R >saved-permissions
setfacl --restore=saved-permissions

Most permission issues will cause a “permission denied” error message to appear somewhere, either on the console or in some log file.

A powerful tool to investigate file access issues is strace. It shows the system calls made by a process. The output can be difficult to understand, but it's relatively easy to see what files the program is trying to access and why it can or cannot find what it wants. Usage examples:

strace -s9999 -o myprogram.strace myprogram  # trace myprogram
strace -s9999 -fF ...                        # also trace subprocesses
strace -s9999 -p12345                        # connect to running process by PID
strace -s9999 -efile ...                     # only show filesystem calls
strace -eaccess,open,stat,lstat              # only show common file access calls

Best Answer

Related Solutions

Chmod -R 777 / on ubuntu – numerous problems

Ubuntu – Undoing chmod 777

Related Topic