
I'm a system integrator (evidently a noob), and today I made my first scan with rkhunter, a tool that looks into the system to check for the presence of rootkits. After that scan I -foolishly- decided to remove the files inside the /tmp/ directory, because rkhunter gave some warnings related to files inside it.

The sequence of commands I gave was:

cd /tmp/
ls
cd tracker-lese/
ls
ls -la
cd ..
rm * .
ls -la
rm -fr * /tmp/

Explanation: I was root, I moved inside the /tmp/ directory, I listed the content, I tried to understand what the content of the tracker-lese/ directory was, I went back to the /tmp/ directory, /!\ I did a rm * . that I believed did nothing (but maybe that is where I am missing understanding), and then I did a forced, recursive rm.

After that impulsive operation, the system began having troubles, and after a reboot I could not log into the machine anymore.

Edit: output of the command ls -ld /tmp/:

drwxr-xr-x 6 root root 4096 Apr 8 19:19 /tmp/
lese
  • Exactly what changes did you make? – Michael Hampton Apr 08 '14 at 17:01
  • I exactly removed all files inside the /tmp/ directory. I updated the question to be clearer – lese Apr 08 '14 at 17:05
  • Um, it looks like you moved one directory up from /tmp and then ran `rm * . ` there. That's the root, chief. – mfinni Apr 08 '14 at 18:21
  • Looks like you didn't copy the command correctly to the question. What I see is one long `cd` command, which would ignore all but the first argument. Inserting `;` into the most obvious places in that command would have you in the `/` directory when executing the `rm` command. That would have wiped out the entire file system and not even let you log in. – kasperd Apr 08 '14 at 18:24
  • @mfinni, no I didn't do an rm of the root. – lese Apr 08 '14 at 18:29
  • The updated version of the sequence of commands would still have you in `/` when executing the `rm` command. `/tracker-lese` would usually not exist, but it makes no difference as `cd ..` would bring you to `/` from either of the two directories. I am still not convinced the sequence of commands is right, because it would have left you with a blank system on which you could not login or run any other commands. – kasperd Apr 08 '14 at 18:29
  • Kasperd sorry, I didn't copy and paste, I rewrote it by hand here and made a mistake; forget the first slash. The exact command I wrote IS: cd tracker-lese/ when I was inside the /tmp directory – lese Apr 08 '14 at 18:31

2 Answers


The arguments you gave to rm told it to remove everything in the current directory except for hidden files (*) as well as the /tmp directory with all its contents (/tmp/).

To know what the consequences of that command may have been, we need to know two things: which user you ran the command as, and what the current directory was.

If you executed the command from your home directory, and you were not logged in as root, the damage would be limited to losing contents of your home directory. In that case you could create a new user or copy over the standard contents for a new home directory from /etc/skel.

If you ran the command as root, you would not only have removed all contents of /tmp but the /tmp directory as well. That could cause many applications to fail. You can create a new /tmp directory by running mkdir -m 1777 /tmp as root. What other damage you would have done by running that rm command as root depends on what your current directory was.

kasperd
  • you are a pro man, huge skills inside your lines. "Unfortunately" I was root when I executed that command. I was exactly inside the /tmp/ directory. Anyway I feel it is better that I was root, because it was graver for me to lose my data inside the home of my user than to compromise the system, because I installed the OS on separate partitions; also my last resort is to reinstall /, keeping my /home and /var – lese Apr 08 '14 at 17:43
  • If you were indeed in the /tmp directory when you executed the command, the damage should be very limited. In that case the mkdir command I suggested should be enough to recover your system. – kasperd Apr 08 '14 at 18:00
  • but the /tmp directory is still there bro, I'll update the main question to put the commands that show where I was, but I'm almost sure I was inside /tmp/ – lese Apr 08 '14 at 18:09
  • There are a couple of possible reasons why the /tmp directory would still exist. It could have been that you did not have permission to remove it. It could also have been that it was a busy mount point. Another possibility to consider is that it may have been created again by some other process; it may have been created with incorrect permissions. Two commands that can provide additional clues are `ls -ld /tmp` and `grep /tmp /proc/mounts`. So far I am not sure if a reboot of the machine would help or make the problem worse. – kasperd Apr 08 '14 at 18:16
  • that makes sense man, because inside the /tmp/ dir there are now 2 new directories, created after I did the damage. probably you're right and /tmp was recreated by some process. I posted the output of ls -ld /tmp/ in the main question. The grep command failed because there is no /proc/mounts inside /tmp/ – lese Apr 08 '14 at 18:39
  • It appears you do have a /tmp directory, but the permissions are incorrect. Fixing those permissions should help. The command to fix the permissions would be `chmod 1777 /tmp/`. – kasperd Apr 08 '14 at 18:44
  • Kasperd, you are the man. I'm really grateful to you, not ""only"" for the solution, but also for the skills you demonstrated, making me hope to gain at least half of your knowledge one day. Thank you again – lese Apr 08 '14 at 18:49

After remaking the /tmp dir with mode 1777, the next thing I'd look at is the permissions on your .Xauthority file; make sure it's owned by you, not root, i.e.

chown you:you ~/.Xauthority

If that doesn't work, try reconfiguring lightdm with

dpkg-reconfigure lightdm

Reboot, and (hopefully) log in again.

edit: From your edit, you need to do a chmod 1777 /tmp
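As an added example (this is not code from either answer), the following POSIX sh functions put both recovery checks from this thread into a script you can dry-run against a scratch directory before touching the real system: kasperd's check that /tmp is a directory with mode 1777 (world-writable plus the sticky bit) owned by root, with `mkdir -m 1777` or `chmod 1777` as the repair, and metacom's check that the user's .Xauthority is owned by the user rather than root. It assumes GNU coreutils `stat -c` (as on the Debian/Ubuntu systems where `dpkg-reconfigure lightdm` applies); the directory, file and owner names are parameters, and the `youruser` path in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original answers. Checks /tmp the way the
# first answer describes (present, mode 1777, root-owned) and the
# .Xauthority ownership the second answer mentions. Assumes GNU
# coreutils `stat -c`. Paths and owner are parameters so the checks can
# be tried against a scratch directory before the real /tmp.

# tmp_dir_ok DIR [OWNER] -> 0 if DIR is a directory owned by OWNER
# (default root) with mode 1777: rwx for everyone plus the sticky bit,
# which stops users from deleting each other's files in a shared /tmp.
tmp_dir_ok() {
    dir=$1
    want_owner=${2:-root}
    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%U' "$dir")
    if [ "$mode" != "1777" ]; then
        echo "$dir: mode $mode, expected 1777 (sticky bit + rwx for all)" >&2
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owned by $owner, expected $want_owner" >&2
        return 1
    fi
    return 0
}

# repair_tmp_dir DIR -> recreate DIR with mode 1777 if it is gone
# (mkdir -m 1777, as in the answer), or fix the mode if it exists with
# the wrong permissions (chmod 1777). Ownership is only touched as root.
repair_tmp_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        mkdir -m 1777 "$dir" || return 1
    else
        chmod 1777 "$dir" || return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$dir" || return 1
    fi
    return 0
}

# xauth_ok FILE USER -> 0 if FILE exists and is owned by USER (the second
# answer's point: ~/.Xauthority must belong to the user, not root).
xauth_ok() {
    file=$1
    user=$2
    if [ ! -f "$file" ]; then
        echo "$file: not found" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    if [ "$owner" != "$user" ]; then
        echo "$file: owned by $owner, expected $user (fix: chown $user:$user $file)" >&2
        return 1
    fi
    return 0
}

# Usage on the live system (as root; youruser is a placeholder):
#   tmp_dir_ok /tmp || repair_tmp_dir /tmp
#   xauth_ok /home/youruser/.Xauthority youruser
```

Run the checks first; only `repair_tmp_dir` changes anything. Passing an explicit owner to `tmp_dir_ok` lets you exercise it on a scratch directory that you, not root, own.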

metacom