LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Removing a command (http://www.linuxquestions.org/questions/slackware-14/removing-a-command-941178/)

suChris 04-22-2012 03:50 PM

Removing a command
 
Greetings

Is there a way to "deactivate" a command so not even root can execute it? Like removing a command all the way or something?

Thanks

TobiSGD 04-22-2012 04:28 PM

You can't prevent root from running a command. Even if you de-install it, root has the ability to just install it again. So the answer to this is: No.

astrogeek 04-22-2012 04:31 PM

If it is a package: removepkg packagename (but could break other things)

For any executable: locate the executable (whereis name), then chmod -x path/name

For builtins I guess you could alias them to something harmless

What are you trying to disable?

Woodsman 04-22-2012 04:39 PM

To avoid "fat finger" moments or prevent scripts from executing a command, then disabling the executable bit "chmod -x command" will help. Disabling the executable bit does not fully prevent anybody or a script from running the command and only avoids common usage.

One work-around is to rename the original command and replace that command with a dummy wrapper script or even a zero-byte file of the same name. The wrapper script could do nothing or spit out a stdout message that the command has been replaced/disabled.

Future package updates are likely to undo such efforts. Therefore a method of tracking or monitoring such changes would help. Possibly a cron job that runs a script to check the file size or executable bit and when different, restore things to the desired status.

smoooth103 04-22-2012 07:46 PM

Couple ideas:

1. could try encrypting it
2. create a user with access to virtually everything except that command
3. remove the command

TobiSGD 04-22-2012 08:12 PM

Quote:

Originally Posted by smoooth103 (Post 4660238)
Couple ideas:

1. could try encrypting it
2. create a user with access to virtually everything except that command
3. remove the command

1. Doesn't prevent root from just using a fresh command, unpacked from a Slackware package (explodepkg) or just freshly installed.
2. Creating a different user with all rights except using that command doesn't prevent my #1.
3. The same.

There is absolutely no way to prevent root from doing something, except one: If you don't trust that person don't give the root password to that person.

chrisretusn 04-22-2012 09:21 PM

Quote:

Originally Posted by suChris (Post 4660112)
Is there a way to "deactivate" a command so not even root can execute it? Like removing a command all the way or something?

It might help if you gave us a bit more information, such as what command and why.

I can't fathom a reason for disabling a command from root. Just doesn't make sense to me.

bassmadrigal 04-22-2012 09:55 PM

If you are root, there is pretty much no way to completely disable a command as you will always have the access to restore it, whether it was deleted, renamed, moved, or uninstalled. That is THE point of being root. Having complete access to your system.

But if you just want to prevent an accidental run of the command, there were a few items mentioned above that would work fine. Just keep in mind, no matter what is done, there will always be the ability to put the command back so it is executable.

smoooth103 04-22-2012 10:05 PM

Quote:

Originally Posted by TobiSGD (Post 4660249)
There is absolutely no way to prevent root from doing something, except one: If you don't trust that person don't give the root password to that person.


Yes, I agree with you completely -- the question was ill-formed leaving much to the imagination as to why, and under what conditions, it was being asked. Just shooting in the dark to help the user consider various options that might help them towards their desired result.

We should also add that if the person is not trusted they should not have physical access to the machine either.

suChris 04-23-2012 03:33 AM

Thanks for the responses so far!

To give you a bit more information, I am using the shorewall package to blacklist several web sites in a Linux machine which has several users. However, you can log in as root any time, and execute the command "shorewall stop" which disables shorewall. Can I disable this command, or alter its script to do something else? (if I can find it)

pan64 04-23-2012 03:47 AM

you can rename it, move it and they will not find it, but as it is already mentioned you cannot stop them: if they want to do it there are several ways to solve (for example kill process...).
You would better restrict them and do not allow them to work as root.

suChris 04-23-2012 05:17 AM

Quote:

Originally Posted by pan64 (Post 4660509)
you can rename it, move it and they will not find it, but as it is already mentioned you cannot stop them: if they want to do it there are several ways to solve (for example kill process...).
You would better restrict them and do not allow them to work as root.

You are right, I totally forgot about the kill process.

Unfortunately, it will be quite difficult to restrict the root privileges...

Any way to make a script that restarts shorewall automatically after it is shut down for whatever reason? I don't see any other solution besides removing the root access.

pan64 04-23-2012 05:23 AM

I do not know this shorewall, but I think it has a pid file. You can check if this pid is running from crontab and cleanup and restart if missing. But remember, root can disable/modify crontab, so anything you will make to disable them will be disabled by them...

TobiSGD 04-23-2012 05:35 AM

Quote:

Originally Posted by suChris (Post 4660578)
Unfortunately, it will be quite difficult to restrict the root privileges...

I think you are taking the wrong approach here. The key is not to restrict root access here, the key is to give your users only that rights that they need. Set up sudo so that your users can do what they need, but don't allow them every thing. There is absolutely no reason why one should have complete root privileges if the person only needs to start some programs as root.


All times are GMT -5. The time now is 04:38 PM.