diff --git a/build-vm-ec2 b/build-vm-ec2
index 84b34741b..e440825fb 100644
--- a/build-vm-ec2
+++ b/build-vm-ec2
@@ -131,7 +131,7 @@ vm_detach_swap_ec2() {
 
 vm_fixup_ec2() {
     # No way to handle this via init= parameter here....
-    rm -rf "$BUILD_ROOT/sbin/init"
+    buildroot_rm /sbin/init
     echo "#!/bin/sh"               >  "$BUILD_ROOT/sbin/init"
     echo 'exec /.build/build "$@"' >> "$BUILD_ROOT/sbin/init"
     chmod 0755 "$BUILD_ROOT/sbin/init"
@@ -146,6 +146,7 @@ vm_fixup_ec2() {
     if ! test -e "$BUILD_ROOT/boot/grub/menu.lst"; then
 	assert_dirs boot/grub
 	mkdir -p "$BUILD_ROOT/boot/grub"
+	buildroot_rm /boot/grub/menu.lst
 	echo "serial --unit=0 --speed=9600"                                                   >  "$BUILD_ROOT/boot/grub/menu.lst"
 	echo "terminal --dumb serial"                                                         >> "$BUILD_ROOT/boot/grub/menu.lst"
 	echo "default 0"                                                                      >> "$BUILD_ROOT/boot/grub/menu.lst"
diff --git a/build-vm-lxc b/build-vm-lxc
index 459483988..f6d642372 100644
--- a/build-vm-lxc
+++ b/build-vm-lxc
@@ -44,7 +44,7 @@ lxcsh() {
 vm_startup_lxc() {
     lxc_get_id
     LXCCONF="$BUILD_ROOT/.build.lxc.conf"
-    rm -rf "$LXCCONF"
+    buildroot_rm .build.lxc.conf
     vm_startup_lxc_$LXC_TYPE
     BUILDSTATUS="$?"
     test "$BUILDSTATUS" != 255 || BUILDSTATUS=3
@@ -71,7 +71,7 @@ vm_startup_lxc_standalone() {
             ;;
     esac
     # XXX: do this always instead of leaking the hosts' one?
-    rm -rf "$BUILD_ROOT/etc/mtab"
+    buildroot_rm /etc/mtab
     echo "rootfs / rootfs rw 0 0" > "$BUILD_ROOT/etc/mtab"
     lxc-destroy -n "$LXCID" >/dev/null 2>&1 || true
     mkdir -p "$LXCROOTFS"
@@ -94,8 +94,8 @@ vm_startup_lxc_standalone() {
            cleanup_and_exit 1
            ;;
     esac
-    if ! [ -r "$BUILD_ROOT/.build/_exitcode" ]; then
-        echo "'$BUILD_ROOT/.build/_exitcode' not found"
+    if ! [ -r "$BUILD_ROOT/.build/_exitcode" -a ! -L "$BUILD_ROOT/.build/_exitcode" ]; then
+        echo "'$BUILD_ROOT/.build/_exitcode' not found or symlink"
         return 3
     fi
     exitcode=$(cat $BUILD_ROOT/.build/_exitcode)
@@ -149,6 +149,7 @@ vm_startup_lxc_libvirt() {
 	</domain>
 	EOF
     # XXX: do this always instead of leaking the hosts' one?
+    buildroot_rm /etc/mtab
     echo "rootfs / rootfs rw 0 0" > $BUILD_ROOT/etc/mtab
     # could LOGFILE be used instead?
     lxcsh create --console $LXCCONF | sed -ure 's/\x0d//g;:redo /.\x08/{s/.\x08//; b redo}'
@@ -156,8 +157,8 @@ vm_startup_lxc_libvirt() {
     if [ "$exitcode" -gt 0 ]; then
         return $exitcode # libvirt errors
     fi
-    if ! [ -r "$BUILD_ROOT/.build/_exitcode" ]; then
-        echo "'$BUILD_ROOT/.build/_exitcode' not found"
+    if ! [ -r "$BUILD_ROOT/.build/_exitcode" -a ! -L "$BUILD_ROOT/.build/_exitcode" ]; then
+        echo "'$BUILD_ROOT/.build/_exitcode' not found or symlink"
         return 3
     fi
     exitcode=$(cat $BUILD_ROOT/.build/_exitcode)
diff --git a/build-vm-zvm b/build-vm-zvm
index 24c9dcab0..893ec314b 100644
--- a/build-vm-zvm
+++ b/build-vm-zvm
@@ -342,8 +342,10 @@ vm_initrd_obs_modules_zvm() {
     current_kernel_version=$(ls lib/modules)
     # copy modules from kernel that is installed to the buildsystem:
     mkdir -p "$TEMPDIR/lib/modules/$3"
+    assert_dir_path "lib/modules/${3}"
     while read module; do
         (cd ${BUILD_ROOT}/lib/modules/${3}; \
+	    assert_dir_path "lib/modules/${3}/${module%.xz}"
             rsync -a --relative $module ${TEMPDIR}/lib/modules/$3)
     done < <(cd $TEMPDIR/lib/modules/${current_kernel_version}; \
             find . -name "*.xz")
@@ -366,8 +368,7 @@ vm_fixup_zvm() {
     # have to copy kernel/initrd and run zipl to be able to IPL
     # have to set init_script before unmounting, thus doing it statically for now.
     zvm_init_script="/.build/build"
-    assert_dirs boot boot/zipl
-    mkdir -p $BUILD_ROOT/boot
+    assert_dir_path boot/zipl
     mkdir -p $BUILD_ROOT/boot/zipl
     vm_kernel="/.build.kernel.kvm"
     test -e "${BUILD_ROOT}${vm_kernel}" -a ! -L "${BUILD_ROOT}${vm_kernel}" || cleanup_and_exit 1 "${vm_kernel} does not exist"
@@ -377,8 +378,11 @@ vm_fixup_zvm() {
     vm_initrd="${vm_initrd}-${kernel_version}"
     # copy initrd to build worker:
     echo "copy $vm_initrd to $BUILD_ROOT"
+    rm -rf "${BUILD_ROOT}/boot/${vm_initrd}"
     cp -a "${vm_initrd}" "${BUILD_ROOT}/boot"
     # finally, install bootloader to the worker disk
+    # XXX/TODO: does zipl read or write ${BUILD_ROOT}${vm_initrd}? Either
+    # rm -rf the file or check for a symlink
     zipl -t "$BUILD_ROOT/boot/zipl" -i "${BUILD_ROOT}${vm_kernel}" \
          -r "${BUILD_ROOT}${vm_initrd}" \
 	 --parameters "${zvm_param} init=$zvm_init_script rootfsopts=noatime"
diff --git a/common_functions b/common_functions
index 31a22b246..a13f2ffa6 100755
--- a/common_functions
+++ b/common_functions
@@ -154,3 +154,32 @@ buildroot_umount() {
     umount -n "$BUILD_ROOT/$d" 2>/dev/null || true
 }
 
+# rm that makes sure the file is gone
+buildroot_rm() {
+    rm -rf "$BUILD_ROOT/$1"
+    test -e "$BUILD_ROOT/$1" && cleanup_and_exit 1 "could not remove $BUILD_ROOT/$1"
+}
+
+
+assert_dirs() {
+    local d rl
+    if test -z "$1" ; then
+       set usr sbin usr/bin usr/sbin etc .build .init_b_cache .init_b_cache/scripts .init_b_cache/rpms .preinstall_image proc proc/sys proc/sys/fs proc/sys/fs/binfmt_misc sys dev dev/pts dev/shm mnt
+    fi
+    for d in "$@" ; do
+	if test -L "$BUILD_ROOT/$d" ; then
+	    rl="$(readlink "$BUILD_ROOT/$d")"
+	    test "$d" = sbin -a "x$rl" = "xusr/sbin" && continue
+	    test "$d" = sbin -a "x$rl" = "xusr/bin" && continue
+	    test "$d" = usr/sbin -a "x$rl" = "xbin" && continue
+	    cleanup_and_exit 1 "$d: illegal symlink to $rl"
+	else
+	    test -e "$BUILD_ROOT/$d" -a ! -d "$BUILD_ROOT/$d" && cleanup_and_exit 1 "$d: not a directory"
+	fi
+    done
+}
+
+assert_dir_path() {
+    test "$1" != "${1%/*}" && assert_dir_path "${1%/*}"
+    assert_dir "$1"
+}
diff --git a/init_buildsystem b/init_buildsystem
index ec892d5b9..2583b2dc6 100755
--- a/init_buildsystem
+++ b/init_buildsystem
@@ -203,24 +203,6 @@ preinstall_image_filter() {
     done
 }
 
-assert_dirs() {
-    local d rl
-    if test -z "$1" ; then
-       set usr sbin usr/bin usr/sbin etc .build .init_b_cache .init_b_cache/scripts .init_b_cache/rpms .preinstall_image proc proc/sys proc/sys/fs proc/sys/fs/binfmt_misc sys dev dev/pts dev/shm mnt
-    fi
-    for d in "$@" ; do
-	if test -L "$BUILD_ROOT/$d" ; then
-	    rl="$(readlink "$BUILD_ROOT/$d")"
-	    test "$d" = sbin -a "x$rl" = "xusr/sbin" && continue
-	    test "$d" = sbin -a "x$rl" = "xusr/bin" && continue
-	    test "$d" = usr/sbin -a "x$rl" = "xbin" && continue
-	    cleanup_and_exit 1 "$d: illegal symlink to $rl"
-	else
-	    test -e "$BUILD_ROOT/$d" -a ! -d "$BUILD_ROOT/$d" && cleanup_and_exit 1 "$d: not a directory"
-	fi
-    done
-}
-
 preinstall_setup() {
     cd "$BUILD_ROOT" || cleanup_and_exit 1
     rm -rf build-preinstall