LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices

Reply
 
Search this Thread
Old 09-01-2009, 11:58 PM   #1
muditcse@yahoo.com
LQ Newbie
 
Registered: Mar 2008
Posts: 22

Rep: Reputation: 15
Thumbs down disabling command


Hi,

I want that no user (ofcourse other than root) be able to run 'rm -rf' command on my server.How to make entry for this in sudoers or tell me the other method.

mudit
 
Old 09-02-2009, 12:53 AM   #2
RaptorX
Member
 
Registered: Jun 2009
Location: Emden, Germany
Distribution: Slackware 12.2, Slax 6.1
Posts: 254

Rep: Reputation: 37
well you have several ways to do that:

1) you can create an alias for the rm -rf command which executes nothing.

2) you can actually create a dummy script and replace rm (in which case you should rename rm to something else so YOU can use it?)

3) if you dont want them to delete a specific folder and/or its contents then try the sticky bit... like this: chmod 1755 dir/ (the 1 makes it that people can write in that folder but cannot delete what does not belong to their user:group, so they wont be able to delete what other user or groups have created in that folder except for root of course, the folder /tmp is a perfect example of that)

from wikipedia:
Quote:
"The most common use of the sticky bit today is on directories, where, when set, items inside the directory can be renamed or deleted only by the item's owner, the directory's owner, or the superuser; without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of owner. Typically this is set on the /tmp directory to prevent ordinary users from deleting or moving other users' files. This feature was introduced in 4.3BSD in 1986 and today it is found in most modern Unix systems.

The sticky bit can be set using the chmod command and can be set using its octal mode 1000 or by its symbol t (s is already used by the setuid bit). For example, to add the bit on the directory /usr/local/tmp, one would type chmod +t /usr/local/tmp. Or, to make sure that directory has standard tmp permissions, one could also type chmod 1777 /usr/local/tmp.

In Unix symbolic file system permission notation, the sticky bit is represented by the letter t in the final character-place. For instance, on Solaris 8, the /tmp directory, which by default has the sticky-bit set, shows up as:

Code:
 $ ls -ld /tmp
 drwxrwxrwt   4 root     sys          485 Nov 10 06:01 /tmp
If the sticky-bit is set on a file or directory without the execution bit set for the others category (non-user-owner and non-group-owner), it is indicated with a capital T:

Code:
 # ls -l test
 -rw-r--r--   1 root     other          0 Nov 10 12:57 test
 # chmod +t test; ls -l test
 -rw-r--r-T   1 root     other          0 Nov 10 12:57 test
"
And anything else that you can think of along those lines.

--
if the questions help you please press the thank button below. =)
 
Old 09-02-2009, 04:29 AM   #3
kenneho
Member
 
Registered: May 2003
Location: Oslo, Norway
Distribution: Ubuntu, Red Hat Enterprise Linux
Posts: 655

Rep: Reputation: 40
There another possibility too. It doesn't prevent users from running "rm -fr", but prevent deleting the whole disk: I haven't tried it myself, but I guess it should work:

Assumin you have ordinary users on your system, they will have to run "sudo" to delete files that they don't own themselves. Then you can modify /etc/sudoers to prevent users from running "rm -fr".
 
Old 09-02-2009, 07:06 AM   #4
linuxlover.chaitanya
Senior Member
 
Registered: Apr 2008
Location: Nagpur, India
Distribution: Cent OS 5/6, Ubuntu Server 10.04
Posts: 4,627

Rep: Reputation: Disabled
There is another possibility but do it on your own risk. rm command resides in /bin and has read and execute permissions for others. It is owned by root. Remove the permissions for others. BUT do it on your own risk though you can change the permissions later on.
 
Old 09-02-2009, 09:40 AM   #5
Laurens73
Member
 
Registered: Aug 2009
Location: Zeewolde, Flevoland NL
Distribution: Debian squeeze (Gnome) on netbooks; Debian Lenny on servers and Debian wheezy (XFCE) on new laptops
Posts: 144

Rep: Reputation: 23
With all do respect, I think in all cases sudoers still can omit the blocking of the command because root can still do an rm -rf. You also have to block the sudo su - command to prevent sudoers becoming root.
 
Old 09-02-2009, 10:16 AM   #6
b0uncer
Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
If there are several users on the system (especially then), sudo should be configured so that only certain commands (those that are really needed) can be run using sudo and nothing else. The typical approach that some users cannot use sudo at all and some can run whatever they want is bad, because it's the equivalent of having several users with root privileges in addition to those who are only ordinary users. So remove all access to sudo except for those specific commands you want those other people to run.

If you're trying to prevent people from breaking up your system, "disabling" rm is not enough (and people should still be able to use it -- it's essential). Think about what they can do with dd, mv and shred for example.
 
Old 09-02-2009, 12:01 PM   #7
RaptorX
Member
 
Registered: Jun 2009
Location: Emden, Germany
Distribution: Slackware 12.2, Slax 6.1
Posts: 254

Rep: Reputation: 37
Quote:
Originally Posted by b0uncer View Post
If you're trying to prevent people from breaking up your system, "disabling" rm is not enough (and people should still be able to use it -- it's essential). Think about what they can do with dd, mv and shred for example.
Actually a valid point... shred, dd and mv are very powerful ways to delete files beside rm -rf.
 
Old 09-02-2009, 01:25 PM   #8
i92guboj
Gentoo support team
 
Registered: May 2008
Location: Lucena, Córdoba (Spain)
Distribution: Gentoo
Posts: 4,036

Rep: Reputation: 372Reputation: 372Reputation: 372Reputation: 372
In my opinion, and unless you users are really novice, this is a waste of time.

Aliases can by bypassed by escaping the command with \, and in addition there are shells that have rm as a builtin, like busybox. You probably have busybox installed, and if the system-wide rm is not fully functional, they will soon find that an alias rm='busybox rm' is their best friend. Even if it's not installed by default (which would be rare nowadays) the user can always install and use his/her own shell. And if there's no compiler, a binary rpm can be used, then they can spawn their own shell and use that instead of yours.

No user is going to stand writing 'y' 100 times to erase a folder. And anyway, they can do that in a graphical filemanager, or just do "yes | rm *", there's really not much point in trying to limit that. Anyway, it's their own stuff which they will screw if they do something wrong.
 
Old 09-03-2009, 01:52 AM   #9
muditcse@yahoo.com
LQ Newbie
 
Registered: Mar 2008
Posts: 22

Original Poster
Rep: Reputation: 15
...

hi all,
thanks for reply.
1)No stickty bit...since all users belogs to same group and also username is same...

Actually there is a CVS directory on my server and i want no user can run rm -rf on that server.I think sudo will be best...

give your views please,,,

regards.
mudit
 
Old 09-03-2009, 09:13 AM   #10
lazlow
Senior Member
 
Registered: Jan 2006
Posts: 4,362

Rep: Reputation: 171Reputation: 171
mudit

Allowing more than one user to use the same username is a good way to get into trouble in a hurry. One (of the many) advantages to having one account per users is that you can hold those users accountable for their specific actions. When people know that their actions can be tracked back to them specifically they are much more careful about what they do (far fewer issues to deal with). This also allows you to split the users into different groups with different privileges for each group.
 
Old 09-03-2009, 11:40 AM   #11
RaptorX
Member
 
Registered: Jun 2009
Location: Emden, Germany
Distribution: Slackware 12.2, Slax 6.1
Posts: 254

Rep: Reputation: 37
yes, I agree with lazlow, I guess it is better to make individual users but in 1 global group something like:

user1:coders
user2:coders
user3:coders

If user1 makes something that you did not approve then you can know that HE did it and nobody else.

Then in sudoers you can restrict the use of rm, dd, mv, shred...etc to the whole group
 
Old 09-03-2009, 12:21 PM   #12
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Rep: Reputation: 116Reputation: 116
Quote:
Originally Posted by muditcse@yahoo.com View Post
hi all,
thanks for reply.
1)No stickty bit...since all users belogs to same group and also username is same...

Actually there is a CVS directory on my server and i want no user can run rm -rf on that server.I think sudo will be best...

give your views please,,,

regards.
mudit
bit of a long shot, but have you tried the chattr command?

Code:
man chattr
There are various options that may or may not work in your situation mainly the -u -i and -a flags. The -u flag which is best suited to your situation does not work on ext2/ext3 filesystems though.
Give the man page a good read to determine if it helps you or not.
 
  


Reply

Tags
command, disabling


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Disabling 'write command' hirenpandya Linux - Security 9 03-03-2009 05:10 PM
Disabling agpgart RedShift2 Linux - Hardware 1 07-26-2004 03:34 PM
disabling " who " command usman Linux - Software 4 03-09-2004 11:35 PM
Disabling Firewall From Command Line Ben Sytko Red Hat 4 02-16-2004 05:27 PM
disabling user accounts via command line n1wil Linux - Security 3 07-25-2003 05:11 PM


All times are GMT -5. The time now is 02:57 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration