Bug 16406 - possibility to delete the entire '/home' directory when building a package
Summary: possibility to delete the entire '/home' directory when building a package
Status: UNCONFIRMED
Alias: None
Product: R
Classification: Unclassified
Component: System-specific (show other bugs)
Version: R 3.1.3
Hardware: All Linux
: P5 major
Assignee: R-core
URL:
Depends on:
Blocks:
 
Reported: 2015-06-02 13:30 UTC by thomas.mendlik
Modified: 2015-06-02 13:30 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description thomas.mendlik 2015-06-02 13:30:41 UTC
It is possible (and unfortunately this actually happenend to me) to delete the whole home directory when calling "R CMD build" if a directory named "~" is in the package directory structure. Here is an example code to reproduce this behavior. WARNING: please only execute this if you use bash and/or have a backup of your home.

bash> ## For security reasons create a "dummy" home which can be deleted in /tmp
bash> mkdir /tmp/dummyhome/
bash> export HOME=/tmp/dummyhome/
bash> touch ~/thisfilewillperish.txt
bash> ls ~/
thisfilewillperish.txt
bash> ## And now create a package which will delete the home when being built
bash> R
R> dummyfun <- function() cat("doom awaits your data!\n")
R> package.skeleton(list = "dummyfun", name = "nastypackage")
R> q(save = "no")
bash> ## Creating a "~" directory causes the problem
bash> mkdir nastypackage/\~
bash> ## This deletes the /home 
bash> R CMD build nastypackage 
* checking for file ‘nastypackage/DESCRIPTION’ ... OK
* preparing ‘nastypackage’:
* checking DESCRIPTION meta-information ... OK
* checking for LF line-endings in source and make files
* checking for empty or unneeded directories
Removed empty directory ‘nastypackage/~/bla’
Removed empty directory ‘nastypackage/~’
* building ‘nastypackage_1.0.tar.gz’
bash> ls ~/
ls: cannot access /tmp/dummyhome/: No such file or directory

Without the export command the actual home directory would be gone... I think this should not be possible.

This is somewhat similar to an older bug:
https://stat.ethz.ch/pipermail/r-devel/2010-July/058041.html