How A Steam Bug Deleted Someone’s Entire PC

00:00

Welcome to the first episode of Issues Insights, a series where we look at some of the most

00:04

interesting issues out there, from Github to Gitlab, to proprietary issue trackers,

00:08

even to your favorite mailing lists - we’ll cover them all.

00:11

We expect to produce at least one episode of this series every 10 years, so buckle up

00:16

as we dive into today’s issue from Valve - the Linux version of Steam unintentionally

00:21

rm rf-ing or recursively force deleting someone’s entire computer!

00:27

Steam for Linux has changed a lot since 2015, but here is how it worked back in the day:

00:32

you first install steam, after which you can run the binary file called “steam”

00:36

found in the directory /usr/bin to start the client.

00:40

This binary does not contain the full steam application

00:43

but invokes files in the installation directory called STEAMROOT in each user’s home.

00:48

Before getting too deep, let’s take a high level view of the Linux file system, first there

00:53

is the root directory, which as we know contains everything.

00:56

Then, we see that /usr/bin contains user programs like steam, compared to /bin which usually

01:01

contains programs essential for the operating system to function.

01:05

The home directory, abbreviated as a ~ and located at /home/name works as you’d

01:11

expect and is where each user stores all their stuff.

01:14

In each user's home is the steam root directory where Steam installs itself and stores its games.

01:20

It also has an important script called steam.sh, which is what the steam binary invokes to

01:25

configure and launch steam.

01:27

After setting everything up, this script will then invoke the main executable called STEAMEXE.

01:33

All of three of these entry points can technically be used to start steam directly, just for

01:38

different purposes and with certain limitations.

01:40

Anyways, on January 14, 2015, Keyvin opened an issue on the steam-for-linux Github repo

01:46

stating the following:

01:48

>I moved the steam folder to a drive mounted somewhere else, and symlinked the original

01:53

>directory to the new location.

01:56

Symlinks or symbolic links are just special files which point to the file or directory

02:00

that they are linked to.

02:01

These are kind of like shortcuts, except symlinks are completely transparent to the application

02:06

layer as the operating system automatically resolves it to the target.

02:10

So you can kind of see what Keyvin was trying to do here - move the steam folder to a drive

02:14

with better performance or storage capacity, and create this symlink so applications can

02:19

still find that folder using the original path.

02:22

>Then I launched Steam.

02:25

>It did not launch.

02:26

>It offered to let me browse and still could not find it when I pointed to the new location.

02:31

>Steam crashed.

02:32

>I restarted it.

02:33

>It re-installed itself and everything looked great.

02:36

>Until I looked and saw that steam had apparently deleted everything owned by my user recursively

02:41

>from the root directory.

02:43

>Including my 3tb external drive I back everything up to.

02:47

Doofy then follows up with a reply, having encountered the same issue.

02:51

>This is terrible.

02:52

>I just lost my home directory.

02:54

>All I did was start steam.sh with the STEAM_DEBUG flag enabled.

02:58

If you recall, steam.sh is the helper script located in steamroot that can be used to start steam.

03:04

After a bit of digging in this script, they found a line which runs rm -rf for all the

03:08

contents of the steam root directory.

03:09

I think we’re all familiar with what the rm command and its options -rf do.

03:10

One line above this command was the comment “Scary” indicating this was a very scary operation.

03:16

Soon enough, TcM1911 chimed in with a hypothesis: this steamroot variable must have somehow

03:22

returned an empty string, causing the rm -rf argument to be the root directory.

03:27

Taking a closer look at STEAMROOT, this enclosing dollar sign and parentheses is a command substitution

03:33

where the output of the commands run inside will substitute the expression and thus be

03:37

assigned to STEAMROOT.

03:39

What is the output?

03:40

Well it’s going to be what is echoed or printed, in this case, the current working

03:44

directory signified by this PWD environment variable.

03:49

The working directory of a script is where it is run from, not where the script is located.

03:53

If you execute a script from the /tmp directory, the working directory returned by PWD will

03:58

be /tmp regardless of where the script is located.

04:00

So the strategy here is to change directory or cd to the directory of the script, and

04:05

then print the working directory.

04:07

We have another OS provided environment variable zero which refers to the path of the script

04:12

being executed.

04:13

Then, this percent signifies you want to remove the proceeding pattern from the end of the

04:18

pre-ceding string.

04:20

The pattern here is a forward slash, followed by a wildcard which matches anything.

04:23

So from the preceding string which is the path of the script, we start from the end

04:28

and delete the first slash we see, followed by everything after it.

04:32

In this case, we delete the name of the file, leaving us with… the STEAMROOT directory.

04:37

But this appears to work.

04:38

What causes it to return an empty string?

04:40

You see, if any part of this command fails prior to the echo, the command substitution

04:45

will output nothing and therefore nothing will be assigned to STEAMROOT so it will remain

04:50

Rcxdude notes that the command definitely fails in such a way when running the script

04:54

directly with bash like so.

04:56

Why is this the case?

04:58

Normally, when you run a script in Linux by invoking its path, the kernel will detect

05:02

that it is an interpreter script, since it starts with a shabang specifying which interpreter to use.

05:08

Then, it will invoke the interpreter with the script path as the first argument.

05:13

This first argument is what the environment variable zero we talked about previously refers to.

05:18

However, bash and similar shells allow you to run a script by passing a plain filename

05:23

into the command as long as it’s in the current directory.

05:27

This will start a new bash shell and run the script using the filename as the first argument,

05:32

which results in a dollar zero variable that is an invalid path.

05:36

Here is the phenomenon in action: we run the same script but in the second case, it only

05:41

prints a file name, not a valid path.

05:44

This causes the directory change command to error out and return no output, setting Steam

05:49

root as an empty string, causing rm -rf to delete the root directory’s contents.

05:54

At this point, most were satisfied, and began suggesting fixes, discussing how terrible

05:59

the code was, and wondering how it was possible for Keyvin to be so cool and collected.

06:03

But wait, this recursive deletion is in reset_steam(), why was that called in the first place?

06:10

reset_steam() is only invoked under two circumstances.

06:13

First, the user can intentionally pass the --reset flag into the script.

06:18

Given the bug report did not mention the reset flag, let’s take a closer look at the other case.

06:24

All of these conditions need to be met, as indicated by the “and” operator between each condition.

06:29

Only one of them is important, the rest is just housekeeping, so let’s get the obvious

06:33

ones out of the way first.

06:34

Initial launch just verifies there isn’t already a steam process running, so this is easily true.

06:40

Next, current status must not be set to this magic exitcode, which is just a variable to

06:44

ensure this doesn’t get stuck in an infinite loop.

06:47

Next, this steam starting file must exist, and it should exist given the steamconfig

06:53

folder has remained untouched, which would include the starting file.

06:56

Lastly, it confirms that the steam script is not out of date, which should be expected.

07:01

So the key condition which triggers reset_steam() is that this INSTALLED_BOOTSTRAP environment

07:06

variable has to be an empty string, the default value for an unset variable.

07:11

Before the reset_steam check, steam.sh should run the main executable STEAMEXE which sets

07:17

this variable to 1 after installing some bootstrap software.

07:21

The developers intended for reset_steam() to trigger if STEAMEXE failed to do this, indicating

07:27

something went wrong.

07:28

However in this case, nothing was wrong with STEAMEXE, it is just executed with a path

07:33

that is based on STEAMROOT, which we’ve already established is set incorrectly as

07:38

an empty string due to the other bug.

07:41

So steam.sh fails to run the main executable at all since it has the wrong path, the INSTALLED_BOOTSTRAP

07:47

environment variable is not exported and remains blank, all the conditions of the

07:51

if-statement are met, and then reset_steam() is called.

07:55

So now we know how to trigger the bug: run steam.sh inline with a shell like bash.

08:01

This explains what happened to Doofy, who clearly ran steam.sh, but how does this play

08:07

into Keyvin’s original account, who only mentioned launching the main steam binary?

08:07

Well, a valve employee had a hypothesis: Keyvin first moves steam to an NTFS drive, which

08:17

being made for Windows doesn’t play nice with the Linux filesystem and would strip

08:22

the executable bit in the version of Ubuntu used here.

08:26

This causes the steam binary to inevitably fail and crash as it cannot execute anything in the drive.

08:32

Then, he gets really annoyed and runs “bash steam sh”, and most importantly, he gets

08:37

amnesia and forgets he ever ran such a command.

08:41

Keyvin replies that he only ran steam normally, and he wasn’t even sure if that line

08:45

was the culprit, which makes sense given from his perspective he never ran steam.sh.

08:50

Furthermore, he recalls he may have mounted the drive with options to allow execution

08:55

of all files, which is reasonable given that ValveSoftware themselves have tutorials to

09:00

mount NTFS drives in this way.

09:03

And of course he is still very calm and collected.

09:06

However, the exact play-by-play actions cannot be confirmed since the computer with all of

09:10

its configurations was wiped.

09:13

So what now?

09:14

I suppose all we can do is guess, as I have my own never-seen-before-before theory to

09:18

how this happened:

09:22

So it all started on a stormy Wednesday evening, when Keyvin finished cooking up his lasagna

09:27

and heads to the computer room to work on his new gaming setup.

09:31

After setting everything up, he attempts to run steam.

09:34

But steam fails to run.

09:36

Not because the NTFS drive did not add the executable bit, but because Keyvin created

09:41

the symlink incorrectly in home/local, rather than home/local/share, where steamroot is

09:47

supposed to be.

09:48

This is a fairly easy typo to make, as he made the same mistake on the Github issue he created.

09:54

He realizes his mistake, and fixes the symlink, creating it in the proper folder, and re-runs steam.

10:01

While steam is still starting up, he absent-mindedly goes to clean up the incorrect symlink

10:05

because why not, and forgets that he ever did so.

10:08

But unbeknownst to him, he actually accidentally unlinks the correct symlink instead.

10:13

In a stunning race condition, he manages to do this in the literal microseconds after

10:18

steam.sh is invoked but before the assignment of STEAMROOT, and since the symlinked path

10:23

no longer exists, the directory change fails, and STEAMROOT remains an empty string.

10:29

And we’ve already established that if STEAMROOT is an empty string, the bug will trigger.

10:34

To fix the bug, various alterations to the STEAMROOT command such as using readlink or

10:39

dirname can guarantee a valid path is returned, and checks can be added to verify steamroot

10:45

is a real path.

10:46

Furthermore, bash has built in options which make the shell exit when a command fails,

10:51

so when the directory change or STEAMEXE execution fails, the script immediately ends instead

10:57

of proceeding with buggy behavior.

10:58

These are what ended up being the actual fix, but many disagreed that this was enough.

11:04

Some suggested to write all scripts in a real language like Python or Perl, or check for

11:08

typical Linux directories, lookup files from an internal database and only remove known files,

11:13

not writing untreated amateur hour code, never use rm -rf, use an empty file as a marker,

11:17

don’t use the wildcard, you should just lock this thread,

11:20

just don't delete user data, by the way here is my public domain script that has my preferred fix,

11:25

Valve has no idea how to linux, has this problem been fixed?

11:27

It’s still happening.

11:29

Question mark?

11:30

You know, we could talk for centuries about the ideal way to fix this, but sometimes you

11:34

don’t need to achieve perfection.

11:35

Anyways, it’s been like 8 years and the issue hasn’t resurfaced for anyone except this

11:40

guy, but he didn’t provide further evidence so we can mark this issue resolved.

11:44

See you in the next issue of issues insights.