LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 04-22-2012, 04:50 PM   #1
suChris
Member
 
Registered: Nov 2009
Distribution: Slackware 13
Posts: 56

Rep: Reputation: 15
Removing a command


Greetings

Is there a way to "deactivate" a command so not even root can execute it? Like removing a command all the way or something?

Thanks
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 04-22-2012, 05:28 PM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,648
Blog Entries: 2

Rep: Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095
You can't prevent root from running a command. Even if you de-install it, root has the ability to just install it again. So the answer to this is: No.
 
Old 04-22-2012, 05:31 PM   #3
astrogeek
Senior Member
 
Registered: Oct 2008
Distribution: Slackware [64]X{.0|.1|.2|-current} ::X>=12<=14, FreeBSD_10{.0|.1}
Posts: 2,144

Rep: Reputation: 846Reputation: 846Reputation: 846Reputation: 846Reputation: 846Reputation: 846Reputation: 846
If it is a package: removepkg packagename (but could break other things)

For any executable: locate the executable (whereis name), then chmod -x path/name

For builtins I guess you could alias them to something harmless

What are you trying to disable?

Last edited by astrogeek; 04-22-2012 at 05:34 PM.
 
Old 04-22-2012, 05:39 PM   #4
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534Reputation: 534
To avoid "fat finger" moments or prevent scripts from executing a command, then disabling the executable bit "chmod -x command" will help. Disabling the executable bit does not fully prevent anybody or a script from running the command and only avoids common usage.

One work-around is to rename the original command and replace that command with a dummy wrapper script or even a zero-byte file of the same name. The wrapper script could do nothing or spit out a stdout message that the command has been replaced/disabled.

Future package updates are likely to undo such efforts. Therefore a method of tracking or monitoring such changes would help. Possibly a cron job that runs a script to check the file size or executable bit and when different, restore things to the desired status.
 
Old 04-22-2012, 08:46 PM   #5
smoooth103
Member
 
Registered: Aug 2009
Location: NC, USA
Distribution: Slackware (64 bit)
Posts: 238

Rep: Reputation: 60
Couple ideas:

1. could try encrypting it
2. create a user with access to virtually everything except that command
3. remove the command
 
Old 04-22-2012, 09:12 PM   #6
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,648
Blog Entries: 2

Rep: Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095
Quote:
Originally Posted by smoooth103 View Post
Couple ideas:

1. could try encrypting it
2. create a user with access to virtually everything except that command
3. remove the command
1. Doesn't prevent root from just using a fresh command, unpacked from a Slackware package (explodepkg) or just freshly installed.
2. Creating a different user with all rights except using that command doesn't prevent my #1.
3. The same.

There is absolutely no way to prevent root from doing something, except one: If you don't trust that person don't give the root password to that person.
 
Old 04-22-2012, 10:21 PM   #7
chrisretusn
Member
 
Registered: Dec 2005
Location: Philippines
Distribution: Slackware
Posts: 508

Rep: Reputation: Disabled
Quote:
Originally Posted by suChris View Post
Is there a way to "deactivate" a command so not even root can execute it? Like removing a command all the way or something?
It might help if you gave us a bit more information, such as what command and why.

I can't fathom a reason for disabling a command from root. Just doesn't make sense to me.
 
Old 04-22-2012, 10:55 PM   #8
bassmadrigal
Member
 
Registered: Nov 2003
Location: Newport News, VA
Distribution: Slackware
Posts: 345

Rep: Reputation: 108Reputation: 108
If you are root, there is pretty much no way to completely disable a command as you will always have the access to restore it, whether it was deleted, renamed, moved, or uninstalled. That is THE point of being root. Having complete access to your system.

But if you just want to prevent an accidental run of the command, there were a few items mentioned above that would work fine. Just keep in mind, no matter what is done, there will always be the ability to put the command back so it is executable.
 
Old 04-22-2012, 11:05 PM   #9
smoooth103
Member
 
Registered: Aug 2009
Location: NC, USA
Distribution: Slackware (64 bit)
Posts: 238

Rep: Reputation: 60
Quote:
Originally Posted by TobiSGD View Post
There is absolutely no way to prevent root from doing something, except one: If you don't trust that person don't give the root password to that person.

Yes, I agree with you completely -- the question was ill-formed leaving much to the imagination as to why, and under what conditions, it was being asked. Just shooting in the dark to help the user consider various options that might help them towards their desired result.

We should also add that if the person is not trusted they should not have physical access to the machine either.
 
Old 04-23-2012, 04:33 AM   #10
suChris
Member
 
Registered: Nov 2009
Distribution: Slackware 13
Posts: 56

Original Poster
Rep: Reputation: 15
Thanks for the responses so far!

To give you a bit more information, I am using the shorewall package to blacklist several web sites in a Linux machine which has several users. However, you can log in as root any time, and execute the command "shorewall stop" which disables shorewall. Can I disable this command, or alter its script to do something else? (if I can find it)
 
Old 04-23-2012, 04:47 AM   #11
pan64
Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 5,139

Rep: Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363
you can rename it, move it and they will not find it, but as it is already mentioned you cannot stop them: if they want to do it there are several ways to solve (for example kill process...).
You would better restrict them and do not allow them to work as root.
 
Old 04-23-2012, 06:17 AM   #12
suChris
Member
 
Registered: Nov 2009
Distribution: Slackware 13
Posts: 56

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by pan64 View Post
you can rename it, move it and they will not find it, but as it is already mentioned you cannot stop them: if they want to do it there are several ways to solve (for example kill process...).
You would better restrict them and do not allow them to work as root.
You are right, I totally forgot about the kill process.

Unfortunately, it will be quite difficult to restrict the root privileges...

Any way to make a script that restarts shorewall automatically after it is shut down for whatever reason? I don't see any other solution besides removing the root access.
 
Old 04-23-2012, 06:23 AM   #13
pan64
Guru
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 5,139

Rep: Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363Reputation: 1363
I do not know this shorewall, but I think it has a pid file. You can check if this pid is running from crontab and cleanup and restart if missing. But remember, root can disable/modify crontab, so anything you will make to disable them will be disabled by them...
 
Old 04-23-2012, 06:35 AM   #14
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,648
Blog Entries: 2

Rep: Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095Reputation: 4095
Quote:
Originally Posted by suChris View Post
Unfortunately, it will be quite difficult to restrict the root privileges...
I think you are taking the wrong approach here. The key is not to restrict root access here, the key is to give your users only that rights that they need. Set up sudo so that your users can do what they need, but don't allow them every thing. There is absolutely no reason why one should have complete root privileges if the person only needs to start some programs as root.
 
2 members found this post helpful.
  


Reply

Tags
command


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Is there a terminal command for removing files? cousinlucky Ubuntu 4 09-19-2011 11:11 PM
Removing a file named like a command flag yuchai Linux - General 1 07-26-2006 03:32 PM
Removing from bash command prompt?? anandt4u Linux - Software 3 06-03-2005 11:36 PM
removing only most previously executed command from history? jagroop mand Linux - Newbie 2 01-19-2005 06:39 AM
anyone know that dd command for removing ... purpleburple Linux - Newbie 2 09-15-2002 04:38 AM


All times are GMT -5. The time now is 06:57 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration