A script to prevent damage from rm -rf malware

May 18, '04 10:05:00AM

Contributed by: jk806

After reading about the malware / Trojan Horse business that has been flying around lately, I realized that there is a fairly easy way to protect against this kind of thing. I wrote a script which duplicates a folder (like a user's Home directory) using hard links. The result is a complete backup of your home directory that takes up very little additional space, because it actually points to the contents of your original files.

The practical upshot of running the script is that if you accidentally run (or some unfriendly software runs for you) rm -rf ~, it will still remove the contents of your home directory ... but you will have a full backup of your files exactly as they were before running the command.

I've called the script shadowmirror, and it works like this. You run it periodically to keep all the files in the backup directory in sync:

 shadowmirror /Users/yourUserName /Users/backups/yourBackupName 
This will make sure everything in your home directory is backed up. It does not remove any files you might have deleted, though, unless you run it like this:
 shadowmirror -d /Users/yourUserName /Users/backups/yourBackupName 
This will remove any files that are in the backup that you have removed from your home directory. So, if you run the first version nightly, and the second version weekly, or monthly, you will always have a fairly up-to-date backup of your home directory with very little cost in disk space. For example, a 20GB home directory required about 58M of drive space. Using this has the added benefit of giving you a way to recover files that you yourself may have accidentally deleted.

Some things to note:

[robg adds: Due to the length of this script, I have uploaded it to the macosxhints' file collection; click here to view and copy the source. Remember to make the file executable (chmod +x shadowmirror) and store it somewhere on your path. I have not tested this script, but the idea of using hard links for a live backup is a good one, I think...]
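The hard-link mirroring idea described above, as an added sketch that is not the shadowmirror script itself; the names `hardlink_mirror` and `demo` and the sample files are constructed for illustration. It also shows the limit of the approach: the backup survives deletion of the originals, but an in-place overwrite reaches the backup too, because both names share one inode.

```shell
#!/bin/sh
# Added illustration, not the shadowmirror script from the hint.
# Usage: hardlink_mirror [-d] SRC DST   (SRC and DST must be on the same volume)

hardlink_mirror() {
    prune=0
    if [ "$1" = "-d" ]; then prune=1; shift; fi
    mkdir -p "$2" || return 1
    src=$(cd "$1" && pwd) || return 1      # absolute paths, because we cd below
    dst=$(cd "$2" && pwd) || return 1
    # Recreate the directory tree in the backup.
    (cd "$src" && find . -type d -exec sh -c 'mkdir -p "$0/$1"' "$dst" {} \;)
    # Hard-link each regular file unless the backup name is already that inode.
    (cd "$src" && find . -type f -exec sh -c \
        '[ "$1" -ef "$0/$1" ] || ln -f "$1" "$0/$1"' "$dst" {} \;)
    # -d: drop backup entries whose original no longer exists.
    if [ "$prune" -eq 1 ]; then
        (cd "$dst" && find . -type f -exec sh -c \
            '[ -e "$0/$1" ] || rm -f "$1"' "$src" {} \;)
    fi
}

# Constructed demo: reports what is left in the backup afterwards.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/home/Documents"
    echo "thesis draft" > "$work/home/Documents/thesis.txt"
    echo "notes v1"     > "$work/home/notes.txt"
    hardlink_mirror "$work/home" "$work/backup"

    # In-place overwrite: same inode, so the backup copy changes too.
    echo "CLOBBERED" > "$work/home/notes.txt"
    # Recursive delete: removes only the names under home.
    rm -rf "$work/home"

    printf '%s|%s\n' "$(cat "$work/backup/Documents/thesis.txt")" \
                     "$(cat "$work/backup/notes.txt")"
    rm -rf "$work"
}

demo   # prints: thesis draft|CLOBBERED
```

Content that must survive modification as well as deletion needs a real copy on top of the hard-link mirror.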



Mac OS X Hints
http://hints.macworld.com/article.php?story=2004051417271981