|
Removing a command
Greetings
Is there a way to "deactivate" a command so not even root can execute it? Like removing a command all the way or something? Thanks |
You can't prevent root from running a command. Even if you de-install it, root has the ability to just install it again. So the answer to this is: No.
|
If it is a package: removepkg packagename (but could break other things)
For any executable: locate the executable (whereis name), then chmod -x path/name For builtins I guess you could alias them to something harmless What are you trying to disable? |
To avoid "fat finger" moments or prevent scripts from executing a command, then disabling the executable bit "chmod -x command" will help. Disabling the executable bit does not fully prevent anybody or a script from running the command and only avoids common usage.
One work-around is to rename the original command and replace that command with a dummy wrapper script or even a zero-byte file of the same name. The wrapper script could do nothing or spit out a stdout message that the command has been replaced/disabled. Future package updates are likely to undo such efforts. Therefore a method of tracking or monitoring such changes would help. Possibly a cron job that runs a script to check the file size or executable bit and when different, restore things to the desired status. |
Couple ideas:
1. could try encrypting it 2. create a user with access to virtually everything except that command 3. remove the command |
Quote:
2. Creating a different user with all rights except using that command doesn't prevent my #1. 3. The same. There is absolutely no way to prevent root from doing something, except one: If you don't trust that person don't give the root password to that person. |
Quote:
I can't fathom a reason for disabling a command from root. Just doesn't make sense to me. |
If you are root, there is pretty much no way to completely disable a command as you will always have the access to restore it, whether it was deleted, renamed, moved, or uninstalled. That is THE point of being root. Having complete access to your system.
But if you just want to prevent an accidental run of the command, there were a few items mentioned above that would work fine. Just keep in mind, no matter what is done, there will always be the ability to put the command back so it is executable. |
Quote:
Yes, I agree with you completely -- the question was ill-formed leaving much to the imagination as to why, and under what conditions, it was being asked. Just shooting in the dark to help the user consider various options that might help them towards their desired result. We should also add that if the person is not trusted they should not have physical access to the machine either. |
Thanks for the responses so far!
To give you a bit more information, I am using the shorewall package to blacklist several web sites in a Linux machine which has several users. However, you can log in as root any time, and execute the command "shorewall stop" which disables shorewall. Can I disable this command, or alter its script to do something else? (if I can find it) |
you can rename it, move it and they will not find it, but as it is already mentioned you cannot stop them: if they want to do it there are several ways to solve (for example kill process...).
You would better restrict them and do not allow them to work as root. |
Quote:
Unfortunately, it will be quite difficult to restrict the root privileges... Any way to make a script that restarts shorewall automatically after it is shut down for whatever reason? I don't see any other solution besides removing the root access. |
I do not know this shorewall, but I think it has a pid file. You can check if this pid is running from crontab and cleanup and restart if missing. But remember, root can disable/modify crontab, so anything you will make to disable them will be disabled by them...
|
Quote:
|
| All times are GMT -5. The time now is 01:28 PM. |