LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   restriction on commands (http://www.linuxquestions.org/questions/linux-newbie-8/restriction-on-commands-718944/)

hihiren 04-14-2009 01:53 AM

restriction on commands
 
I am using Ubuntu linux.

Do we have any mechanism in linux where we can restrict user for giving any commands?
E.g. I have one folder named <home>/myCode
Now I want to make sure that any user including me, is not able to user "rm -rf *" on this folder.

Can we do this?

Any help would be really grateful.

Regards,
Kumar

Disillusionist 04-14-2009 02:00 AM

You could change the execute permissions on rm (preventing anyone other than root from executing the command) however this would probably cause lots of issues elsewhere.

You could write your own front-end to the rm command, performing some basic checks before allowing the command to be run.

EDIT:- Sample front-end:

Code:

#!/bin/bash
###
### Front-end to rm
###
### This must be located in a path before /bin in the $PATH environment variable.
###
### Limitations: only checks two parameters
###

if [ $# -gt 1 ]
then
  # more than 1 parameter passed to rm.
  # check for -rf or -fr
  if [ "$1" == '-rf' -o "$1" == '-fr' ]
  then
      echo "You are in directory $(pwd)"
      echo "about to recursively remove $2"
      read -p "Do you want to continue? " ans

      case $ans in

        [Yy]|[Yy][Ee][Ss]) /bin/rm $1 $2;;

        *) echo "Exiting..."
            exit 1;;

      esac

  else
      # Test $1 to ensure it is a valid file
      if [ -f $1 ]
      then
        /bin/rm $1
      fi

      # Test $2 to ensure it is a valid file
      if [ -f $2 ]
      then
        /bin/rm $2
      fi
  fi
else
  # Only 1 parameter assume file
  if [ -f $1 ]
  then
      /bin/rm $1
  else
      echo "Error $1 was not a file"
      exit 2
  fi
fi

This file should be called rm owned by root with rwxr-xr-x permissions. It should also be in a folder that only root has write permissions to!

vi /usr/local/bin/rm

chown root:root /usr/local/bin/rm
chmod 755 /usr/local/bin/rm
chown root:root /usr/local/bin
chmod 755 /usr/local/bin

ensure that /usr/local/bin is before /bin in the $PATH environment variable.

export PATH=/usr/local/bin:$PATH

cyprinidae 04-14-2009 07:34 AM

Have you thought about 'chattr'?
Code:

chattr +i filename
prevents deletion or any other kind of change to a file, so might be not much usefull, but
Code:

chattr +a filename
for example, prevents deletion, but allows appending to a file, so you can be sure nobody can delete it...


All times are GMT -5. The time now is 12:56 AM.