Lately, I've been hearing system administrators and managers ask about solutions to keep people from accidentally removing their data. These are very smart and dedicated people asking for a solution so that data isn't lost either by accident or on purpose. A wild idea I've heard to solve the problem is getting rid of user access to the rm command. Is this truly a crazy idea?
Frustration
Lately, in my day job, I’ve been getting questions from very smart, dedicated, and resource constrained administrators who have users who either accidentally, or sometimes absentmindedly, remove data. The problem they are facing is that the user removes the data, most likely using rm, and then realizes they actually needed the data. Of course, they ask the administrator to recover the data or restore it from a backup, which may or may not be possible (sometimes the requests are, shall we say, “impassioned”). If the recovery doesn’t happen fast enough or if the user is not getting enough attention then the users do what is natural to them, they escalate the request through their management chain, indicating the importance of the data. Consequently, the administrators have to drop everything they are doing and spend a great deal of time recovering the data (if they can). This means that other tasks fall by the wayside and administrator frustration builds (and from the comments/requests, it seems as though the frustration level is pretty high).
The requests for solutions are coming from many different places so this isn’t a single administrator with a single user asking for this capability. Actually, I think this is an age-old question from administrators that one admin described as, “how do we help the users from hurting themselves?”
Being an engineer I like to look for solutions so I started examining the request from several angles and then asked questions hoping to clarify the issues. Perhaps this problem is looking for more of a policy solution? Or perhaps it is a problem requiring a technical solution? Or is it both?
Policy Problem?
One of the common themes I encountered during my discussions was that whatever policies were created and communicated by administrators, sometimes upper management intervened and countered the policies. Sometimes this happened infrequently, typically for a critical project and a critical piece of data, but more often than not, it followed the old adage “the squeaky wheel gets the grease.” While I didn’t conduct a scientific survey one thing I did notice was that when the problem made it to upper levels of management, managers were not aware of the policies that had been set and publicized. To my mind this pointed to one possible solution to the problem – developing policies in conjunction with management while addressing the resource implications of the policies.
To begin the development of policies, one should assume that users will erase data by accident and will need it restored. The resource implications can be quantified based on past experience, data growth, and other factors. Will it require additional staff? Will it require additional hardware? Then the conclusions are presented to management. During the discussion management should be made aware of the impact of restoring or recovering data and the impact of users erasing data. Then a “management approved” policy is established and communicated to the user base and any changes to resources is resolved.
I think this approach can help alleviate the problem because management is fully aware of the resource implications of whatever the decision is, and perhaps even more importantly, users are made aware of the policies. The subtle context is that the entire management hierarchy is now aware of the policies so that using the “squeaky wheel” approach will have little impact on operations (although there will always be exceptions).
Technical Problem?
If you are reading this article, you are likely to be more technically focused which typically means that you like to find technical solutions to problems. I think there might be something of a technical solution to the problem discussed in this article – getting rid of user access to rm directly. But before you write a comment to this article stating that the title is inflammatory (hey, you’re reading this article – right?), please read on to understand my point.
I first started using Unix on an old VAX in 19.., er, a long time ago. We didn’t have much disk space, but perhaps more importantly, it was a new operating system to everyone. Using Unix one could interactively log into a system sitting in front of a terminal rather than submit jobs to the big mainframe (that really dates me doesn’t it?). This was a shift in how we worked which meant there was an associated period of learning. One of things people had to learn was how to erase files when they were finished including the deadly options for rm, “-r”, “-f”, and “-rf *”.
To help people during the adjustment period, one of the things the administrators did was to “alias” the rm command. So when you used rm what actually happened was that the data was moved to a temporary disk location instead of actually being erased. So if you had an “oops” moment, you could go get the files yourself, if you knew the location, or you could send an email to the administrator and they would do it for you. Since disk space was expensive, the data only lived in the temporary disk location for a certain period of time and then it was removed. But this could save your bacon in a pinch and it saved mine on several occasions.
So my thought is to do exactly this – alias the rm command to something else, most likely mv, so that the data is not actually erased, but moved to a different location. Then a cron job or a daemon is used to erase the files based on some policies (e.g. oldest files are erased if a certain usage level is reached (“high water” mark) and/or the files have reached a certain age). It takes disk resources to do this because you need a target location for storing the data but that can be part of the resource planning mentioned in the previous section.
The question is, how easy is it to alias rm? If you read the manpage for rm you will see that there are a few options.
- -f, –force ignore nonexistent files, never prompt
- -i prompt before every removal
- -I prompt once before removing more than three files, or when removing recursively. Less intrusive than -i, while still giving protection against most mistakes
- –interactive[=WHEN] prompt according to WHEN: never, once (-I), or always (-i). Without WHEN, prompt always
- –one-file-system when removing a hierarchy recursively, skip any directory that is on a file system different from that of the corresponding command line argument
- –no-preserve-root do not treat “/” specially
- –preserve-root do not remove “/” (default)
- -r, -R, –recursive remove directories and their contents recursively
- -v, –verbose explain what is being done
- –help display this help and exit
- –version output version information and exit
Some of these options are fairly rare in my experience but since they are part of the tool, then they need to be considered.
The next thing to examine is the manpage for mv. It too has a few options:
- –backup[=CONTROL] make a backup of each existing destination file
- -b like –backup but does not accept an argument
- -f, –force do not prompt before overwriting
- -i, –interactive prompt before overwrite
- –strip-trailing-slashes remove any trailing slashes from each SOURCE argument
- -S, –suffix=SUFFIX override the usual backup suffix
- -t, –target-directory=DIRECTORY move all SOURCE arguments into DIRECTORY
- -T, –no-target-directory treat DEST as a normal file
- -u, –updatev move only when the SOURCE file is newer than the destination file or when the destination file is missing
- -v, –verbose explain what is being done
- –help display this help and exit
- –version output version information and exit
There is some similarity between options for the two commands but it will likely take some work to have mv “imitate” rm. Perhaps a bash, python, or perl script can parse the command line and then use mv to perform the operations.
An alternative is create a very simple rm command that drops many of the lesser used options and then aliases mv to rm. This does create some restrictions for the users, but I think if this was put into production, then you would quickly find the small number of users who needed some specific options in rm.
Using mv as a substitute for rm is not a perfect solution and you might be able to find some difficult corner cases. For example, if a user rm-ed a file using the aliased rm command, it would be copied to the temporary disk storage and could be recovered (copied back). If the user then created a new file with the exact same name and then used rm to erase that file, then the first file that is on the temporary storage would be overwritten. Perhaps this is acceptable, perhaps it is not (this could be part of a policy).
However, as part of the “new” rm you could compensate for this scenario by using the a different path to the copied data. You could add a time stamp to the front of the user’s directory path to create a unique path. Just use the time when the command is executed (seconds since epoch) as the unique identifier at the head of the user’s path. But, this creates some potential problems because users may not know when they ran the command meaning that the administrator will have to search for all occurrences of the files within the user’s directory tree and then ask the user which one(s) they wanted restored. This isn’t an intolerable situation since it’s fairly easy to use find to locate the file, but it does add some work for the administrator (adding administrator resources to the planning).
One thing this approach cannot help with are applications that erase or remove files as part of their processing. If this happens, the only real alternative is to have a second copy of the data somewhere. But this scenario should be brought to the attention of management so that policies can be developed (e.g. have two copies of all data at all times, or telling users that there is no recourse if this happens).
One thing I haven’t touched on yet, are backups. Backups can be beautiful things that save your bacon, but they are somewhat limited as I’m sure all administrators are aware. Backups happen at certain intervals whether they are full or incremental backups. In between backups, users create, change, and remove data that backups miss. Backups may be able to restore data but only if the data has, in fact, been backed up. Also, how many times have administrators tried to restore a file from a backup, only to discover that the backup failed or the media, most likely tape, is corrupt? Fortunately, this scenario is becoming more rare, but it still happens (be sure to check your backup logs and be sure to test a data restoration on a small amount of data every so often).
So backups can help with data recovery but they are not perfect. Moreover, given the size of file systems, it may be impossible to do full backups, at least in an economical way. So you may be restricted to performing a single full backup when the system is first installed and then doing incremental backups for the life of the system. However, even for Petabyte size file systems this may be very difficult to accomplish and it may be require more hardware than can be afforded.
Using backups in combination with aliasing the rm command can offer some data protection and perhaps reduce that likelihood that, “users will hurt themselves.”
Summary
Normally having users remove data and then yell about getting it recovered quickly is a fairly rare occurrence. I talk to a great number of administrators and this scenario was something they rarely encountered and if they did, they either restored the data and/or talked to the user to help educate them or help develop scripts or tools to help alleviate the problems. But in the last 3-6 months, I’ve been hearing a fairly consistent but increasing “hum of discontent” from administrators about users erasing data who then employ the technique of becoming a squeaky wheel to get management’s attention to quickly recover the erased data. In these discussions, the majority of the administrators feel that this problem is only going to get worse because of more users and more data. So they are looking for solutions (since this is Linux Magazine, they are naturally looking for solutions on Linux).
I see two aspects to the problem. The first is a policy aspect where upper level management needs to be brought into discussions to develop appropriate policies. But as part of this people need to remove emotion from the discussions and present real data on the frequency of the data restoration requests and how much work it requires and how much it disrupts normal operations. In essence, the discussion, like many other discussions, should be around resource allocation and associated benefits. But the benefit of having upper management involved is that there is agreement on the policies at the highest levels. Then they can be published to all users with the implication that management is very aware of the issues surrounding data recovery so no more squeaky wheels will be tolerated (score one for the administrators).
The second aspect, which really accompanies the first, is a technical aspect. Are they any tools to help easily restore or recover erased data or basically prevent a user from accidentally erasing data? (“hurting themselves” was the phrase I heard several time). Backups can help but they are only part of the solution (IMHO). Going back to my early UNIX education, I remember the administrators set up the system so that if you used the rm command, the data was moved to a temporary disk location where I could go copy it back if I acted quickly. After a period of time the data was erased from the temporary disk storage (presumably via a cron job or daemon).
I think that using something like this approach, aliasing the rm command so that the data is actually moved to a temporary disk location, coupled with normal backups, could help alleviate some of the problems administrators are having. It will take some work to write the scripts that would implement such a solution, but it’s not that difficult. Then you just need some sort of temporary disk based storage and you are off to the races. Plus, the size of the temporary storage is adjustable so if you need more space, it’s fairly easy to add more hardware, but it does cost money.
So does this make the argument for abolishing user access to the rm command? I think the answer is unique to each system, the administrators, and the users. In many cases this approach can really help users quickly recover needed files, but it takes work to develop the scripts (and test them). However, it can help reduce the workload on administrators. I personally think this is a very useful approach for larger systems but again, the choice is yours.
Jeff Layton is an Enterprise Technologist for HPC at Dell. He can be found lounging around at a nearby Frys enjoying the coffee and waiting for sales (but never during working hours).
Comments on "Should We Abolish User Access to rm?"
try http://pages.stern.nyu.edu/~marriaga/software/libtrash/ to make the effects of unlink and overwrites reversible. Or you could try
Google’s https://code.google.com/p/safe-rm/
Just a thought, but if a user can not delete data that is no longer needed, would you not have a storage problem eventually. You know you always have a pack rat or two that use a tremendous amount of storage. Now everyone will be a pack rat. Accidents do happen but people also need to realize that you reap what you sow and they need to pay attention or wait.
I have had to recover deleted file a few times. I never had a problem with someone complaining about the time it took to recover a file. They where always appreciative when the file could be recovered.
Data recovery is part of an admins job. As is eating user complaints to an extent. Both suck, but then again it is a job.
The solution to this problem comes from planning and foresight. Deploying any system on which Users will store their data means that ‘rm’ is going to become a problem for support staff. Personally, I would recommend using LVM and snapshots to preserve the integrity of the data on the system – this in addition to any normal backup scheme.
Once one is aware of the ‘normal’ rate of change (additions/deletions/) in the data on the system, the size of the snapshot volume can be estimated, allocated, and put to good use.
And the Users data is protected.
You left out one solution. Snapshots. A NetApp does them. So does ZFS. I think BTRFS will also.
A NetApp does a snapshot every 15 minutes, every hour, every day, every week, every month and keeps them for 1 hr, 1 day, 7 days, 5 weeks, 1 year. It takes up about 10% of the storage.
I ran a site with 100 users for 5 years and never had to restore from tape.
Policy and education are key too. Some users thing backups are archives. Backups are to replace the current data with the most recent if something goes wrong. Archives are to go back to a specific point in time.
Here are a few things worth saying — about traditional filesystems, at least:
Jerry
I think it is foolish for admins to rm rm. It seems the underlying complaint here is that the admins want to free themselves from the burden of recovering lost files. So give the users the ability to recover the files themselves. One way to do this is to give them a versioning file system. So that they can go back and look at any version of file they want. Delete, wouldn’t entirely remove the file, only remove it from immediate view.
Taking away a users ability to rm a file would be like banning cars because there are a few car accidents. Cars are obviously very useful. It sounds like the admins don’t want to be in the collision repair business. That’s fine.
I have been having fun experimenting with new filesystem ideas by using webdav to build psuedo filesystems using web-development tools like mysql and php.
How many articles, or versions of articles, have been lost from wikipedia? How hard is it for anyone to recover an article from a previous date?
I still occasionally miss the old Netware 3.1 days. Deleted files were kept around automatically, and you could easily recover several previous versions of a file, no matter /how/ they were deleted (as long as the volume wasn’t too full, causing the stale files to be re-allocated for free space). Saved my bacon many a time…
I actually like the idea of aliasing the rm command and moving the records to a temporary directory. Allowing cron to delete the job at specific intervals would mean the data would be caught on backups. Depending on policies you could be able to restore data for 3-6 months even more. Obviously not a strong solution for every industry since there would be legal caveats concerning certain types of retention.
A google search showed several links to undelete programs/procedures for various filesystems. The ideal solution would be a user undelete command, no?
That would mean that rm would still have to be aliased to send the file to a temporary place since rm in it’s raw form destroys the inode from the table and completely removes data.
a file system that supports versioning might be a better solution then rm rm.
do gnome/kde use ‘rm’ at the backend? … this solution seems like a windows policy – where by the front end’s for doing things are obscured but it is still possible to get around them.
I agree with the comments that recommend a versioning filesystem. Unfortunately, I haven’t seen many, and of they tend to be difficult to use/manage.
Does anyone have a recommendation for a good versioning filesystem?
Take a look at log-structured filesystems, especially NILFS.
http://en.wikipedia.org/wiki/Log-structured_file_system
http://en.wikipedia.org/wiki/NILFS
Aliasing ‘rm’ to ‘mv’ seems like overkill. If you can’t trust the user with ‘rm’ then don’t give them command-line access. And attacking the problem this way only solves one small part of your sysadmin headaches while introducing all sorts of new headaches. What are you going to tell your users when they ask you to recover a file that they accidentally overwrote using the ‘mv’ command?
mv bad-data my-valuable-dataAre you then going to alias ‘mv’ to something? Then what happens when then open their valuable data in an editor and then mess it up by saving cookie recipes over it? These seem just as likely to happen as an accidental ‘rm’. The aliass solution seems like a slippery slope to maintaining lots of little half-baked solutions, each with their own unanticipated consequences.
If the backup directory for the ‘rm’ alias is on a different filesystem then ‘mv’ becomes a copy operation, which is obviously much slower than a move or delete operation.
As for users not being able to remember when they deleted a file, add the following to the user’s .bashrc and they will be able to see the date and time of each of their commands in the history.
# save history with date and time stamps in ISO 8601 format
export HISTTIMEFORMAT="%FT%T "
We once did a file remove to a hidden directory, something like a trashcan, and had the option to setup a permanent delete date, or number of days using a very simple script with aliasing the user rm to this script. The other script we added was recover the so deleted files.
I know I read about a Linux command or program that someone developed that was exactly like the old Novell Netware system. It didn’t actually delete the file but moved it to another area and over time the oldest files were eventually deleted or you could set disk space free limits so it would free up space sooner than the date expire. Seems to me that this would be the perfect thing in this case. If you have users deleting files then you could replace the rm command with this and accidentally deleting files would be less of an issue.
Netware had a really nice file deletion prevention system. It recorded all the permissions/etc. for the file and allowed you to easily restore it the original location or an alternate location all from a kind of text selectable list/menu. If I remember correctly users could load up a program and undelete their own files as well. A Linux program that did something similar seems to be what your asking for and probably wouldn’t be a bad feature for some of the distros to include especially for multi-user systems in a college or business environment.
Safedelete sounds like the type of program you are looking for but it hasn’t been updated since 2001 from what I can tell. It may still work just fine but I haven’t tried it in a very long time. The newest version I can find right now is 1.3b from 2001. If I remember correctly it is very similar to what Netware had built in. You alias the rm command to safedelete it shows in the docs. It is setup to run in a multi-user environment according to the docs. Users can undelete their own files as well. It has commandline, ncurses and TKgui versions.
“SafeDelete adds a grace period to the rm command, by saving files to an alternate directory (like a trashcan or recycle bin) before actually removing them. Files in the alternate directory are given new names so multiple files can be saved without worrying about clobbers. The undelete command will restore a file to its original directory along with its original permissions, timestamps, etc. Undelete has both a command line and an ncurses interface (which displays a scrollable list of all the files you can recover). SafeDelete also features a utility which will permanently delete files from the trash as they age.”
Here are a few other similar programs:
giis-ext4 (actively developed) http://www.giis.co.in/
athena-delete (hasn’t been touched since 1995)
recover (no update since 2002)
e2undel (no update since 2004)
WHAT??? ! You give users shell access ?
Already stated, but a versioning file-system, or if that is not possible, a timestamping backup-system with user-access is the way to go.
I’ve seen several open-source backup-solutions that even has user-websites where the user him/herself can go and restore accidental removed or overwritten files and folders. An internal web-site, which allows the user to download files from old backups, or move whole directory-trees from backup to current workspaces.
Aliasing rm doesn’t change a thing if files are removed from GUI, ftp, samba-shares or by other means. Syscall-trapping solutions still can’t save you from all cases of overwrite. A proper incremental backup-system can.
I wanted to post and first thank everyone for their input. Your comments/ideas/experiences are very valuable. But I also wanted to jump into the conversation as well :)
I’ve got some comments on what people have said and some points to make as well (hey – I’m never shy to comment :) ).
Let me start with the comments about using versioning file systems. I have used VMS in my past and to be honest – I really liked the versioning file system. It kept you on your toes because you had to pay attention to versions and deleting versions and housekeeping chores, but the versioning capability did save my bacon more than once.
But the people I’ve been speaking with are actually looking for something that is more generic (i.e. independent of the file system). While versioning file systems are out there, it doesn’t quite scratch the overall itch, although it might scratch the specific itch of some people.
The second comment I wanted to make was about snapshots and backups. I have talked to these people about using snapshots at periodic intervals to capture the “state” of the file system. However, what concerned people was that you have to take frequent snapshots so that you can capture changes. The implication is that you need space to hold the snapshot (which varies) and you need to “freeze” the file system while taking the snapshot. The systems they have vary in size, but some of the larger ones are approaching 1PB in size. These systems are very busy, so freezing an entire system while taking a snapshot wasn’t something they really wanted to do (but it is an option).
A quick third comment as well. These admins are really good. They have many, many years of experience and have seen, and tried, different approaches to solving this problem. A small number of admins saying they were having problems is understandable, but what amazed me was that I was hearing this pretty much across the board from all admins I spoke to some degree. So these are very smart and capable people who couldn’t find a good solution but probably tried some things that didn’t work. They are really not lazy either (lazy admins usually last a few weeks and then the users eat them for breakfast one day). Their requests and comments led to the article. If I hadn’t seen a general trend over a period of time I wouldn’t have written about it – in other words, there is something going on here.
I agree that aliasing “rm” is not without it’s pitfalls. As one person pointed out, unless you emulate it exactly, it could break scripts. Morever, if you tried to change rm to a small degree you will have user problems that have to be addressed. So it’s not easy. However, at the same time I don’t think the idea is without merit.
Having a mechanism for users who have just slapped their forehead after saying “rm -rf *” to quickly recover their data is PDV (Pretty Darn Valuable). But as @noahspurrier pointed out, they could easily overwrite data when recovering from a temp directory. We can’t make everything fool proof but the general sense I was getting is that this was a problem looking for a solution and people were willing to try things even if there was some risk in it.
Again – thanks everyone for the comments! I hope you found them as useful as I have. Please keep them coming.
Thanks!
Jeff
Interesting ideas. The reason I have been playing with the webdav protocol is because I can get “in the way” of the file operations. My psuedo filesystem built this way wouldn’t have to take snapshots because it sees the individual file actions taking place as http method calls. And you can hide the versioning interface until someone asks for it. So a folder looks like a normal folder. You read and write files to it. If you overwrite “vaulable data” with “bad data”, then you can go explore the versioning history and go find your “valuable data”. I was also thinking of a decay mechanism so that really old history would start to be lost, if the user wanted this behavior. To really save space, maybe the system would do delta compression so that a series of changes are kept small.
I live in a CAD world where we save several versions of a file while we work on it and then publish an “official” released revision of a file. A versioning history would have a series of official released revisions A, B, C… interspersed with temporary file saves. The official revisions are very important to maintain, whereas the intermittent file saves are not as meaningful once a new official revision is released. So I could code a behavior to strip away the less meaningful data and preserve the stuff I do want.
oh and behind the scenes I was going to store files using an md5 hash or something. that way if someone transfers a huge file folder structure over to this system I could easily find duplicates even if they have different filenames.
how about rm -i
What about gtk-trash?
It doesn’t do everything that trash does, but users who are used to “delete == move to trash” will be expecting “rm == move to trash”.
Of course, anything that removes the default method of things will confuse users when they are on any unmodified system.
I hate to be the one with the simple answer, but the answer is a clear “NO” to me. 1000 scenarios supporting many different arguments fly through my head, but a clear “NO” still seems to pop out. Maybe 30+ years of it being there w/o question and the clear separation of root & non-root accounts could be swaying my decision. BTW, I’m sure this question has come up in the past, and it’s still there. That, too, tells me something.
I personally use an alias to a simple script. The script checks the number of command line args: if 1, then it calls rm; if > 1, then it prints the args and prompts the user before calling rm. That way if a wildcard expression accidentally matches more than one file, I’ll catch it.
There is one UNIX version that contains such a incremental backup tool. On this system, recovering deleted data is straightforward. The tool name is TimeMachine, the UNIX version is named OS X and is made by that company who has a partly eated fruit for its logo, Apple. Time Machine saved my day more than once.
how about an old school solution, alias the users you are worried about to move the files from their location to a scratch location. Which has a cleanup routine that removes files after 3 days.
Remove the alias from application users or trusted users or just run /usr/bin/rm to truely remove files.
why shouldn’t we remove brain too, in order to prevent people from being stupid ?
It’s very simple to find out any topic on net as compared to textbooks, as I found this post at this web site.
Have a look at this rm compatible script for `trash’:
http://www.daniel-rudolf.de/bash/rmtrash
# SHORT DESCRIPTION:
# Put files (and directories) in trash using the `trash’ command in a way
# that is, otherwise as `trash’ itself, compatible to GNUs `rm’.
#
#
# DEPENDENCIES:
# – `trash’, provided by the package `trash-cli’
and the same for rmdir:
http://www.daniel-rudolf.de/bash/rmdirtrash
>> However, what concerned people was that you have to take frequent snapshots so that you can capture changes. The implication is that you need space to hold the snapshot (which varies) and you need to “freeze” the file system while taking the snapshot
Maybe time for you to read up on how this actually works; I think you misunderstand the technology. For example, read about how DataONTAP deduplicates data, and how that mechanism is used to provide live snapshots that use very, VERY little space. Much less than you would think. Another poster said about 10%. my experience is 10-15% space of the FS is used to store changes on a fairly active filesystem going 4 weeks. ZFS is very similar.
solved problem, ask Rob Pike
http://man.cat-v.org/plan_9/1/yesterday
As this has been a need since virtually the beginning of “rm”, I think it should be an option, and am actually surprised it’s not already.
-m, –move [directory] move the file to directory instead of unlinking