I just ran rm -rf /*, but nothing happened
The good news: your system is working afterwards
The bad news: user installed apps and user data will be deleted
The command rm -rf /* tries to remove all files in the whole root hierarchy. This is done with the privileges of the user executing it.
An admin user will remove all admin user installed apps and his/her/* own files - including files installed to /usr/local/ (e.g. with brew). Additionally some files and folders in /private/tmp, /private/var/tmp and /private/var/run are removed.
A normal user will remove his/her/* own files and probably some files and folders in /private/tmp and /private/var/tmp.
BTW a good reason to configure at least a dual user setup: one admin user and a user for the day-to-day routine.
The reason why even sudo rm ... can't remove system files/Apple's apps is Catalina's new security measures. Most parts of the file system are mounted read-only.
Removal of files - if possible at all - is more or less alphabetical. In my test it started in /Applications, continued in /Library, /System, /System/Volumes/Data (and all subdirs like the "Users" folder) and finally finished in /usr/local.
If you have a normal Time Machine backup simply restore the last snapshot.
If you don't have a Time Machine backup but local snapshots enabled you will be able to restore the previous state of your Mac.
Local snapshots will be listed with the command:
tmutil listlocalsnapshots /
You can restore your Mac either by doing everything manually (i.e. get snapshot name, make a temporary folder, mount the snapshot with mount_apfs there and restore everything with a lengthy and error-prone tmutil restore ... command).
The alternative way is the Time Machine GUI in Recovery Mode:
- Reboot to Recovery Mode (cmd-R while booting)
- Choose "Restore from Time Machine Backup" in macOS Utilities and hit continue
- Restore from Time Machine chit-chat and continue
- Choose the name of your main system volume (here System, usually Macintosh HD) and continue
- Choose the last snapshot before issuing the fatal rm command and continue. I made several snapshots because I forgot to make admin created app folders (lower- and uppercase) containing apps to detect whether they are deleted alphabetically (shell style: first uppercase then lower case) - they are not.
- Restoring
- Automatic reboot
Fun fact: thanks to APFS' snapshot tech restoring took 35 seconds while trying to remove all files took almost 30 minutes.
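
For the manual route, the step that is easy to get wrong is picking the right snapshot name. The following is an added example, not part of the original answer: it parses `tmutil listlocalsnapshots /` output and selects the newest snapshot taken before a cutoff time. The function names, the sample listing and the volume argument passed to mount_apfs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose the last local snapshot taken before a cutoff time.

# Constructed sample of `tmutil listlocalsnapshots /` output (not real data).
sample_listing() {
    cat <<'EOF'
Snapshots for volume group containing disk /:
com.apple.TimeMachine.2019-11-04-221012.local
com.apple.TimeMachine.2019-11-05-101530.local
com.apple.TimeMachine.2019-11-05-131744.local
EOF
}

# Read a listing on stdin, print only the snapshot names, one per line.
snapshot_names() {
    grep -Eo 'com\.apple\.TimeMachine\.[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{6}(\.local)?'
}

# last_snapshot_before CUTOFF   (CUTOFF is YYYY-MM-DD-HHMMSS, listing on stdin)
# Prints the newest snapshot older than CUTOFF; returns 1 if there is none.
last_snapshot_before() {
    snapshot_names | awk -v cutoff="$1" '
        {
            stamp = $0
            sub(/^com\.apple\.TimeMachine\./, "", stamp)
            sub(/\.local$/, "", stamp)
            # Fixed-width timestamps sort correctly as plain strings.
            if ((stamp "") < (cutoff "") && (stamp "") > (best "")) {
                best = stamp; name = $0
            }
        }
        END { if (name == "") exit 1; print name }'
}

# mount_snapshot NAME VOLUME (macOS only): mount the snapshot in a fresh
# temporary folder and print the mount point. VOLUME is the APFS volume that
# holds the snapshot; which one that is on a given Mac is an assumption here.
mount_snapshot() {
    mnt=$(mktemp -d /tmp/snapshot.XXXXXX) || return 1
    mount_apfs -s "$1" "$2" "$mnt" && printf '%s\n' "$mnt"
}

# Usage on a Mac, with the time of the rm command as cutoff:
#   snap=$(tmutil listlocalsnapshots / | last_snapshot_before 2019-11-05-120000)
#   mount_snapshot "$snap" /
```

A cutoff slightly before the deletion started is the safer choice, because a snapshot taken while rm was still running already lacks files.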