Old 06-02-2006, 08:21 AM   #1
konstantinmiller
LQ Newbie
 
Registered: Apr 2006
Distribution: Slackware
Posts: 7

Rep: Reputation: 0
chmod u-x doesn't work?


Hi!

I would like to prevent some programs being run as root, for example vmware.

/usr/bin/vmware is owned by root and the group vmware, with me as the only member. I did "chmod 050 /usr/bin/vmware", but even after that, root can execute it!

Why?

Thanx for help

Konstantin
 
Old 06-02-2006, 12:34 PM   #2
joelkeeble
Member
 
Registered: Mar 2005
Posts: 50

Rep: Reputation: 15
When you say "me" as the only member, who are you? Root or a normal user?
Are you sure root is not a member of the vmware group? Typing "groups" when logged in as root will tell you.

In the long run you cannot prevent root from running the file. Just don't run it as root! Unless there are other users with root access. You cannot stop these users running anything if they have full root privileges.

Why do you want to prevent root running vmware?
 
Old 06-02-2006, 03:20 PM   #3
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
As long as ANY of ugo has x root will be able to run it,
whether root is group member or not.


Cheers,
Tink
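
Added example (not part of the original thread): a simplified Python model of the Linux execute check for a regular file, illustrating the rule in the post above. The uid/gid numbers are constructed, and ACLs, noexec mounts and security modules are deliberately ignored.

```python
import stat

ANY_X = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def may_execute(mode, file_uid, file_gid, uid, gids, cap_dac_override=None):
    """Return True if the process may execute a regular file.

    Simplified model: classic mode bits plus CAP_DAC_OVERRIDE only.
    """
    if cap_dac_override is None:
        # Assumption: uid 0 holds the full capability set (the usual case).
        cap_dac_override = (uid == 0)

    # Exactly one permission class applies: owner, else group, else other.
    if uid == file_uid:
        granted = mode & stat.S_IXUSR
    elif file_gid in gids:
        granted = mode & stat.S_IXGRP
    else:
        granted = mode & stat.S_IXOTH
    if granted:
        return True

    # CAP_DAC_OVERRIDE bypasses the class check, but executing a regular
    # file still requires at least one x bit somewhere in the mode.
    return bool(cap_dac_override and (mode & ANY_X))


if __name__ == "__main__":
    # Constructed ids: root = 0, normal user = 1000, group vmware = 105.
    cases = [
        ("root, mode 050", 0o050, 0, {0}),
        ("root, mode 640", 0o640, 0, {0}),
        ("vmware group member, mode 050", 0o050, 1000, {100, 105}),
        ("unrelated user, mode 050", 0o050, 1001, {100}),
    ]
    for label, mode, uid, gids in cases:
        print(f"{label}: {may_execute(mode, 0, 105, uid, gids)}")
```

With mode 050 root is allowed because the group x bit is set; with no x bit at all (for example 640) even root is refused.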
 
Old 06-05-2006, 06:41 AM   #4
konstantinmiller
LQ Newbie
 
Registered: Apr 2006
Distribution: Slackware
Posts: 7

Original Poster
Rep: Reputation: 0
joelkeeble: Sorry for the confusion. When I said "me" I meant "me as normal user". I'm sure that root is not a member of the vmware group. I know that everyone who has root access can do anything and one can't prevent it. All I wanted was to prevent myself from running a command as root without being aware of it! VMware was just an example :-)

Tinkster: That would explain that behavior! It seems that I have no possibility to achieve what I want to!
 
Old 06-05-2006, 06:52 AM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You could get in the habit of using the "sudo" command to perform things as root.
It is set up using the "visudo" program. If you read the examples in the /etc/sudoers file and read the sudoers man page, you can learn how to prohibit certain commands from being executed.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This will prevent aaron and shanty from running "sudo /usr/bin/more" and "sudo /usr/bin/vi"
 
Old 06-05-2006, 07:24 AM   #6
konstantinmiller
LQ Newbie
 
Registered: Apr 2006
Distribution: Slackware
Posts: 7

Original Poster
Rep: Reputation: 0
Already using it a lot, but with sudo I have the problem that I still have the non-root environment. The /root/.bashrc configuration doesn't get loaded!
 
Old 06-05-2006, 12:34 PM   #7
joelkeeble
Member
 
Registered: Mar 2005
Posts: 50

Rep: Reputation: 15
Why not put some funky stuff in your ~/.bashrc file so that you know when you are root, e.g. change the colour of the prompt, put root in bold red letters.

If you have specific programs you don't want to run as root you could alias the command to warn you. You could write a script or just alias the command to "ls"; either way you then know you are root.

I can think of lots of different approaches.

Remove the path in your .bashrc to any commands you don't want to be able to run; then to run them you will have to type the whole path.

Being the root user you are supposed to know what you are doing; this is one of the reasons root has such control, e.g. you can delete the entire root partition using "rm -r /" and you will be given no warning. Yes, this is dangerous, but only if you are not aware of what you are doing!

You can add a time out line to your .profile file that will log you out of root after 30 sec (or however long you like).

If it's just the environment you worry about, then you can source root's environment as a normal user.

". /root/.profile"
". /root/.bashrc"
"sudo vmware"

Create a wrapper for sudo that loads your environment first and warns you that you are about to run a command.

Personally I just don't log on as root unless I have a specific command to run. I check the command first, then "su -", run the command and "ctrl + d" to logout. Just be careful, but if you don't trust yourself try some of the above ideas.
 
Old 06-05-2006, 06:53 PM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
When you use sudo, you need to include the full path to the command. This is by design. Either the sudoers man page or the comments in the sudoers command itself explain the security issues.
 
Old 06-05-2006, 06:58 PM   #9
joelkeeble
Member
 
Registered: Mar 2005
Posts: 50

Rep: Reputation: 15
Guess that makes sense. I don't personally use sudo. I have not yet managed to damage any of my production servers using the root account (fingers crossed).
 
Old 06-05-2006, 10:26 PM   #10
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I think that the best use of sudo is to allow a group to perform administrative functions without having to share the root password. Also, sudo commands are logged.
 
  


All times are GMT -5.
