Steam on Linux bug can delete all user's files

No software bug is more egregious than one that can potentially wipe out users' precious files without warning or indication. Some Linux users are finding this out the hard way when they discovered that their Steam client was silently deleting files starting from the very root directory all the way into the deepest folders. While the system's files might remain intact because of how Linux security policies work, user data are left unprotected, making this serious flaw even more personal and frightening.

The small bit of good news is that this bug doesn't happen randomly and would require you to actually be a semi power Linux user of some sort to trigger it. It only happens when you try to move the Steam directory, located at ~/.local/share/Steam by default, somewhere else, like on a more spacious storage device, and then try to symlink (like "create shortcut") it to the original location. This seems to trigger Steam's automatic integrity detection which, in turn, triggers its reset mechanism and, along the way, will try to delete everything. User TcM1911 seems to have traced the root cause (no pun intended) in the following snippet of code.

Due to symlinking, the variable $STEAMROOT ends up as blank, so that later on the command "rm -rf $STEAMROOT/" will actually just read as "rm -rf /". Any seasoned Linux user will tell you how dangerous that command is, which is basically like deleting all the contents of your C:\ drive on Windows. Fortunately, thanks to how Linux works, it can only delete the files owned by the user, which means that the OS itself remains untouched and functional. That doesn't save the user's own files though, and any external storage attached to the computer at that time will also be effected.

The problem is somewhat easy enough to fix by simply checking whether or not $STEAMROOT is empty or invalid before proceeding with the command. Variations of that idea have been suggested in Valve's Github account, but Valve has yet to chime in on the issue.

One interesting note is that this side effect, if you could call it that, isn't really peculiar to Linux only. Steam's uninstallation guide does warn that if you had moved or installed the contents of the Steam folder somewhere else on Windows, it will delete everything there as well during the process. Meaning if you, for one reason or another, put all the contents of C:\Program Files\Steam\ inside C:\, uninstalling Steam will delete everything in C:\. Given how permissions work on Windows, that will have even more destructive consequences.

SOURCE: Valve (1), (2)

VIA: Neowin