6

As many of you know, the >> operator appends the output of a command to whatever you put after it.

I know that it can be used to overwrite or add data onto files, but I also know that it can be used in a malicious way: If a drive or partition is used as the output, the command's output gets written directly to the drive, which can damage that drive or partition.

For example, from my understanding, appending >> /dev/sda to a command would append the output of the command directly onto the existing data in /dev/sda.

Out of curiosity, I set up a Ubuntu VM amd tried this for fun. This machine's virtual drive is /dev/vda, has /dev/vda1 as its boot partition, has /dev/vda2 as its root partition, and does not have a separate partition for /home.

Now here comes the fun part:

  • When I ran echo "Hello world" >> /dev/vda (as root) in the VM and then restarted it, nothing seemed to have been damaged. It booted up just fine on restart and everything seemed to work afterwards.
  • However, when I ran echo "Hello world" >> /dev/vda1 (also as root) in the same VM and then restarted it, it wouldn't boot.

So I already know why writing the output to vda1 was bad (it damaged the boot partition). My question is: Why does appending the output to /dev/vda not seem to do anything, but appending the output to /dev/vda1 harm it? Is it because /dev/vda2 is located "after" /dev/vda1 and so passing vda results in the command output being written to vda2?

1 Answers1

8

I think you boot in UEFI mode. It means that the boot process does not look into the very head end of the drive.

If you boot in BIOS mode (alias CSM alias legacy mode), the very first bytes on a drive should contain the master boot record, MBR. Very close to the head is also the partition table stored.

When using >> on a block device, it does not append, instead it writes to the head of the drive. See the following demo, where /dev/sdc is a USB pendrive.

$ sudo bash -c 'echo "Hello world" >> /dev/sdc'
$ sudo dd if=/dev/sdc bs=12 count=1
Hello world
1+0 poster in
1+0 poster ut
12 byte kopierade, 0,00127171 s, 9,4 kB/s

If my description is correct, you would damage the process, if you write a longer chunk of data to the head end (long enough to overwrite the partition table and not only the MBR).

In a drive that is set set up for BIOS boot, writing to the head of the drive will damage the boot process because the MBR is damaged.

Edit 1:

Writing in the same way to the head end of a partition with a FAT32 file system shows that the file system is damaged:

$ lsblk -o model,name,size,fstype,label,mountpoint /dev/sdc
MODEL   NAME    SIZE FSTYPE LABEL MOUNTPOINT
Voyager sdc     7,5G              
        ├─sdc1  256M vfat         
        └─sdc2  512M vfat

$ sudo dd if=/dev/sdc1 bs=12 count=1
�X�mkfs.fat1+0 poster in
1+0 poster ut
12 byte kopierade, 0,00118622 s, 10,1 kB/s


$ sudo bash -c 'echo "Hello world" >> /dev/sdc1'


$ lsblk -o model,name,size,fstype,label,mountpoint /dev/sdc
MODEL   NAME    SIZE FSTYPE LABEL MOUNTPOINT
Voyager sdc     7,5G

        ├─sdc1  256M

        └─sdc2  512M vfat


$ sudo dd if=/dev/sdc1 bs=12 count=1
Hello world
1+0 poster in
1+0 poster ut
12 byte kopierade, 0,00118594 s, 10,1 kB/s

Edit 2:

Partition #2 is untouched and you may want to see the hexdump and not only the ugly representation of non-ascii characters:

$ sudo dd if=/dev/sdc2 bs=12 count=1 | hexdump -C
1+0 poster in
1+0 poster ut
12 byte kopierade, 0,00129779 s, 9,2 kB/s
00000000  eb 58 90 6d 6b 66 73 2e  66 61 74 00              |.X.mkfs.fat.|
0000000c
sudodus
  • 6,421
  • 1
    Surely whether the MBR is at the first 512 bytes of the drive depends on if you have formatted it using MBR or GPT and not on how you boot, right? – terdon Oct 26 '23 at 15:35
  • @terdon, Please correct me if I am wrong: "Yes, I should have written 'where it reads at boot' or something similar. You can have a master boot record in the head end of a GPT and boot in BIOS mode, but there will be additional details in the small bios_grub partition (details that were previously stored after the MBR and partition table but before the first partition)." – sudodus Oct 26 '23 at 15:44
  • 1
    I don't know enough to correct you, I just know that whether we have an MBR or not depends on how the disk is set up, not how the machine is booted. If I take a disk out of a BIOS system and put it into an EFI one, that doesn't make any changes to the disk. – terdon Oct 26 '23 at 15:55
  • OK, @terdon, I modified the text. Do you think it is good enough now? – sudodus Oct 26 '23 at 16:03
  • As I said, I don't know enough to be sure. My understanding, however, is that the boot mode is irrelevant, what is relevant is the disk and if it is GPT or MBR. Yes, EFI systems seem to require GPT, but that doesn't mean that GPT requires EFI. I'll let someone more knowledgeable than I am sort it out. – terdon Oct 26 '23 at 16:16
  • @terdon, I just tested with a BIOS boot system in a GPT disk, and writing 'Hello World' to the head end stopped it from booting. So I am sure that BIOS boot reads at the very head end of the drive both with MSDOS partition table and GPT. Some people use 'MBR' in the meaning of MSDOS partition table, but I think it is correct only to use 'MBR' for the few bytes at the head end, where there is information where to find data to continue the boot process. - Anyway, I am looking forward to someone more knowledgeable [than we] to sort it out :-) – sudodus Oct 26 '23 at 16:30
  • See this link: https://en.wikipedia.org/wiki/Master_boot_record - From the sector layout table we can conclude that 'Hello World' plus CR, 12 bytes overwrite the boot signature and part of the partition nr 4 entry (if any). – sudodus Oct 26 '23 at 16:49
  • 1
    @sudodus, probably only writes over the bootstrap code area at the start of the sector, not the signature at the end, right? (And that's an NL or LF, not a CR) – ilkkachu Oct 26 '23 at 19:12
  • 1
    That's right @ilkkachu , I read the layout table backwards (stupid mistake), so my previous comment should be corrected to 'See this link: https://en.wikipedia.org/wiki/Master_boot_record - From the sector layout table we can conclude that 'Hello World' plus NL, 12 bytes overwrite the bootstrap code area'. – sudodus Oct 26 '23 at 19:23
  • 1
    @terdon If you boot in legacy mode, whether the partition table is GPT or MBR is irrelevant, because the bootloader that was overwritten by "Hello World" is the code that cares about the partition table format. Legacy-mode booting from the PoV of BIOS is essentially "load first sector and execute it", and the bootloader that's in that first sector is the one that cares about how to continue the process. It may assume an MBR in its same loaded sector or it may assume a GPT that it must first load. – JoL Oct 26 '23 at 22:20
  • 1
    @terdon: GPT disks normally have a "protective MBR" in the first 512-byte sector, with a partition table that covers the whole disk. Legacy tools will see this and think the whole disk is used, not free for partitioning. That MBR can also be bootable in 16-bit legacy BIOS mode, with a real bootloader or a dummy one that just prints a message. (The "signature" indicating a bootable MBR boot sector is 2 bytes at the end of the first 512-byte sector of the whole disk. How is a MBR signature stored on a hard-disk?) – Peter Cordes Oct 27 '23 at 03:59
  • 1
    https://wiki.osdev.org/GPT describes the layout of a GPT disk, with the first 512 bytes being an MBR. The MBR partition-table is part of the 512-byte first sector, so the space for executable code+data in a first-stage MBR is less than the 510 bytes left after subtracting the boot signature; even less w. BPB. https://wiki.osdev.org/Partition_Table shows the 4 entries start at offset 446 (bytes) for the first one. The "protective" MBR on a GPT disk will have that layout in the first sector, again so it looks like a full (and optionally bootable) disk to legacy BIOSes and formatting tools. – Peter Cordes Oct 27 '23 at 04:03