You know that one command that every idiot knows not to type? Yeah.
I was in a directory that I wanted to wipe, by typing rm -rf /*. For some unknown reason, I added /* to the end of the command. 10,000 iq, I know.
It started deleting stuff. I was like "huh, this seems like a lot of files. That folder had like 20 things in it. Wait, why is it deleting from the numbers application? Sh*t." I quickly terminated the terminal. (After about 5 seconds). I launched numbers. Everything is fine. I can't find a single thing wrong with the computer. My last time machine backup is a few months old, and before I updated to Catalina.
Any advice?
Best Answer
The good news: your system is working afterwards
The bad news: user installed apps and user data will be deleted
The command
rm -rf /*tries to remove all files in the whole root hierarchy. This is done with the privileges of the user executing it.An admin user will remove all admin user installed apps and his/her/* own files - including files installed to /usr/local/ (e.g. with brew). Additonally some files and folders in /private/tmp, /private/var/tmp and /private/var/run are removed.
A normal user will remove his/her/* own files and probably some files and folder in /private/tmp and /private/var/tmp.
BTW a good reason to configure at least a dual user setup: one admin user and a user for the day-to-day routine.
The reason why even
sudo rm ...can't remove system files/Apple's apps are Catalina's new security measures. Most parts of the file system are mounted read-only.Removal of files - if possible at all - is more or less alphabetical. In my test it started in /Applications, continued in /Library, /System, /System/Volumes/Data (and all subdirs like the "Users" folder) and finally finished in /usr/local.
If you have a normal Time Machine backup simply restore the last snapshot.
If you don't have Time Machine backup but localsnapshots enabled you will be able to restore the previous state of your Mac.
Local snapshots will be listed with the command:
You can restore your Mac either by doing everything manually (i.e. get snapshot name, make a temporary folder, mount the snapshot with mount_apfs there and restore everything with a lengthy and error-prone
tmutil restore ...command.The alternative way is the Time Machine GUI in Recovery Mode:
Choose "Restore from Time Machine Backup" in macOS Utilities and hit continue
Restore from Time Machine chit-chat and continue
Choose the name of your main system volume (here System, usually Macintosh HD) and continue
Choose the last snapshot before issueing the fatal rm command and continue. I made several snapshots because I forgot to make admin created app folders (lower- and uppercase) containing apps to detect whether they are deleted alphabetically (shell style: first uppercase then lower case) - they are not.
Restoring
Automatic reboot
Fun fact: thanks to APFS' snapshot tech restoring took 35 seconds while trying to remove all files almost 30 minutes.