Why is it possible to delete the entire file system?

Meet safe-rm, the “wrapper around the rm command to prevent accidental deletions”:

safe-rm prevents the accidental deletion of important files by replacing rm with a wrapper which checks the given arguments against a configurable blacklist of files and directories which should never be removed.

Users who attempt to delete one of these protected files or directories will not be able to do so and will be shown a warning message instead. (man safe-rm)

If the installation link above doesn’t work for you just use sudo apt install safe-rm instead. The default configuration already contains the system directories, let’s try rm /* for example:

$ rm /*
safe-rm: skipping /bin
safe-rm: skipping /boot
safe-rm: skipping /dev
safe-rm: skipping /etc
safe-rm: skipping /home
safe-rm: skipping /lib
safe-rm: skipping /proc
safe-rm: skipping /root
safe-rm: skipping /sbin
safe-rm: skipping /sys
safe-rm: skipping /usr
safe-rm: skipping /var
…

As you see, this would prevent you from deleting /home, where I suppose your personal files are stored. However, it does not prevent you from deleting ~ or any of its subdirectories if you try deleting them directly. To add the ~/precious_photos directory just add its absolute path with the tilde resolved to safe-rm’s config file /etc/safe-rm.conf, e.g.:

echo /home/dessert/precious_photos | sudo tee -a /etc/safe-rm.conf

---

For the cases where you run rm without sudo¹ and the -f flag it’s a good idea to add an alias for your shell that makes rm’s -i flag the default. This way rm asks for every file before deleting it:

alias rm='rm -i'

A similarly useful flag is -I, just that it only warns “once before removing more than three files, or when removing recursively”, which is “less intrusive than -i, while still giving protection against most mistakes”:

alias rm='rm -I'

The general danger of these aliases is that you easily get in the habit of relying on them to save you, which may backfire badly when using a different environment.

---

1: sudo ignores aliases, one can work around that by defining alias sudo='sudo ' though

Confirmation is already there, the problem is the -f in the command, that is --force; When user forces an operation it is supposed they know what they're doing (obviously a mistake could always append).

An example:

 rm -r ./*
 rm: remove write-protected regular file './mozilla_mvaschetto0/WEBMASTER-04.DOC'? N
 rm: cannot remove './mozilla_mvaschetto0': Directory not empty
 rm: descend into write-protected directory './pulse-PKdhtXMmr18n'? n
 rm: descend into write-protected directory './systemd-private-890f5b31987b4910a579d1c49930a591-bolt.service-rZWMCb'? n
 rm: descend into write-protected directory './systemd-private-     890f5b31987b4910a579d1c49930a591-colord.service-4ZBnUf'? n
 rm: descend into write-protected directory './systemd-private-890f5b31987b4910a579d1c49930a591-fwupd.service-vAxdbk'? n
 rm: descend into write-protected directory './systemd-private-890f5b31987b4910a579d1c49930a591-minissdpd.service-9G8GrR'? 
 rm: descend into write-protected directory './systemd-private-890f5b31987b4910a579d1c49930a591-ModemManager.service-s43zUX'? nn
 rm: descend into write-protected directory './systemd-private-890f5b31987b4910a579d1c49930a591-rtkit-daemon.service-cfMePv'? n
 rm: descend into write-protected directory './systemd-private-890f5b31987b4910a579d1c49930a591-systemd-timesyncd.service-oXT4pr'? n
 rm: descend into write-protected directory './systemd-private-890f5b31987b4910a579d1c49930a591-upower.service-L0k9rT'? n

It is different with --force option: I will not get any confirmation and files are deleted.

The problem is to know the command and its parameters, navigate more in the man of a command (also if the command is found in a tutorial) for examples: the first time I saw the command tar xzf some.tar.gz I'm asking myself, "what does xzf mean?"

Then I read the tar manpage and discovered it.

rm is a low level system tool. These tools are built as simply as possible as they must be present on any system. rm is expected to have well known behaviour, especially with regard to confirmation prompts so that it can be used in scripts.

Adding a special case to prompt on rm /* would not be possible as the rm command doesn't see it in this form. The * wildcard is expanded by the shell before being passed to rm, so the actual command which needs a special case would be something like rm /bin /boot /dev /etc /home /initrd.img /lib /lib64 /lost+found /media /mnt /opt /proc /root /run /sbin /srv /sys /tmp /usr /var /vmlinuz. Adding the code to check for this case (which will probably be different on diffferent linuxes) would be a complex challenge as well as being prone to subtle errors. The standard linux rm does have a default protection against system destruction by refusing to remove / without the --no-preserve-root option.

By default there are three protections against deleting your system in this way:

1. Permissions - regular users won't be able to remove important files. You bypassed this with sudo
2. Directories - by default rm will not remove directories. You bypassed this with the -r flag
3. Write protected files - by default, rm will ask for confirmation before deleting a write protected file (this would not have stopped all the damage, but may have provided a prompt before the system became unrecoverable). You bypassed this protection with the -f flag

To remove all the contents of a folder, rather than running rm /path/to/folder/*, do rm -rf /path/to/folder, then mkdir /path/to/folder as this will trigger the --preserve-root protection as well as removing any dotfiles in the folder