Score:6

Ubuntu

Is "apt-get remove openssl -y" VERY DANGEROUS?

mathtick

7/26/24, 4:42 PM

Just ran this and it looks unancellable.

MUCH is being cleared out.

I simply want to remove and re-insall all ssl ssh apparatus.

There is horrible version mismatch.

3993

2 + 6

ssh

ssl

user535733

7/26/24, 4:45 PM

The dangerous part is the `-y`. You just told the system that you don't want a chance to review or cancel. Do not interrupt. When it finishes, install `ubuntu-desktop`, which should reinstall most of what was lost.

mathtick

7/26/24, 4:55 PM

Yes, the '-y' was an accident copy/paste. Can't believe Ubuntu upgrade has left in broken ssl ssh state. These are fundamental things. They should be packaged together I on Ubuntu surely.

marcelm

7/27/24, 10:26 AM

_"I 90% understand the risk scope of the command."_ - It seems you got bitten by the other 10% though ;) - _"I generally expect ssh and family to just work and I NEVER want to touch them."_ - Then don't remove important packages! I don't know what problem you were having before this command, but the problems you have after this command are entirely of your own making.

IMSoP

7/27/24, 10:54 AM

@mathtick While I agree that an extra guard against removing "critical" packages might be useful, there's always two problems with such measures: 1) someone has to define which actions are "extra dangerous", and there's always a lot of different ways you can mess up a running system; 2) there always needs to be a way of doing it when you _really_ need to - in this case, you already turned off two levels of protection with `sudo` and `-y`, so if there was a third level of protection you might still have turned that off accidentally as well.

Gilles 'SO- stop being evil'

7/28/24, 12:58 PM

@IMSoP There is an extra level which guards against uninstalling packages labelled as “essential”, which you can't do with just `apt-get remove -y`. But that only covers things that are truly critical, basically the minimum to boot to a local shell. It doesn't cover things that not everybody would want, such as an SSH server.

Gilles 'SO- stop being evil'

7/28/24, 1:00 PM

`apt-get remove openssl -y` does not remove SSH. Not that “remove and reinstall” is a good idea in the first place: whatever problem you're trying to solve, this probably won't resolve it, or if it does then `apt-get install --reinstall` would be a less risky way of resolving it.

Score:17

Ubuntu

mchid

7/27/24, 3:11 AM

You can easily reinstall the removed packages.

Apt has a history file. This file is /var/log/apt/history.log. Run the following command to view it in the terminal:

cat /var/log/apt/history.log

You will see a Start date, Commandline used, Requested-By username, etc.

So run:

grep -hA5 "remove openssl" /var/log/apt/history.log | grep "Remove"

This should print out the packages that were removed. The word "Remove" should only appear once, at the beginning of the list.

If this list appears to be what was removed, then proceed.

First, cd into your user's home directory and then send the list to a file named "removedpackages".

cd
grep -hA5 "remove openssl" /var/log/apt/history.log | grep "Remove" > removedpackages

Now we need to clean up the list before sending it to `apt`.

This command should print everything on a new line:

sed -e "s/ [a-z0-9(]/\n&/g" removedpackages

This should grep for only the package names (lines that begin with a blank space followed by a lower case letter or number).

sed -e "s/ [a-z0-9(]/\n&/g" removedpackages | grep '^ [a-z0-9]'

Now the packages should be listed in the form of packagename:amd64 or packagename:all or packagename:i386 etc.

If so, then send the list to a new file named removedlist.

sed -e "s/ [a-z0-9(]/\n&/g" removedpackages | grep '^ [a-z0-9]' > removedlist

Finally to reinstall the packages, send the contents of the file to `apt`.

sudo apt update
sudo apt install $(cat removedlist)

And remove your work files:

rm removedlist removedpackages

An explanation of the options used for:

sed -e "s/ [a-z0-9(]/\n&/g"

-e prints or echos the output instead of editing the file
s///g is the standard form of a substitute string
[a-z0-9(] match any blank space followed by a lowercase letter or number or open parenthesis.
\n& substitute with a new line \n before the match &.

Also:

For grep -hA5

-h says do not list the file name in the output and
A5 says to also list the 5 lines after the match

+ 4

mchid

7/27/24, 3:15 AM

And luckily, since you only removed the packages (as opposed to using purge), you should've retained your configuration files and everything should be back to normal. Although, I suggest opening a specific question about the mismatch problem and please remember to include the exact error, copied and pasted.

mathtick

7/27/24, 8:31 AM

Love this. Going to try to commit this "apt has history" to memory for exactly these scenarios.

hobbs

7/27/24, 2:40 PM

Lucky that apt uses gnutls, not openssl :)

Peter Green

7/28/24, 9:26 PM

Even if apt did use openssl, the "openssl" package only contains the application binaries, not the libraries. The libraries are in libssl<version>.

Score:11

Ubuntu

Levente

7/26/24, 5:26 PM

It's the operating system's command line interface.

In this environment, a lot of commands can become very dangerous, especially when they are being copy-pasted, and especially when unintended, or unaware options, such as -y are being left in them.

I seem to observe that a lot of people —novices, but on occasion, sysadmins alike— appear to learn to respect this environment only at their own, sometimes significant expenses.

In the meanwhile, I suggest relying on the apt-get command's --simulate or equivalent --dry-run options to review the impact of such commands without having to live with the consequences.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is "apt-get remove openssl -y" VERY DANGEROUS?