The others who answered you before already hinted at that, but to make it as explicit as paossible:
Security is not about first allowing everything and then disallowing something specific. It is the other way round: forbid everything, carefully identify what has to be allowed and then allow exeactly that (and not more).
If you have a house it is a bad idea to first tear down every wall and then put a locked door to block a tenth of the western side. It is better to have walls all around and then put a door exactly at where visitors need to come in.
Sudo rules like the one you described are flawed in such a way they are irredeemable. It would be a good idea to identify the users real needs (not "i don't want to be slowed down by these pesky 'you are not allowed to...'-messages", but real, legitimate and arguable needs) and put that into sudo-rules.
Perhaps, if the account has only the groups it needs to have, only the rights it needs to have and only the access it needs to have, then the problem of forbidding it some "rm"-command might be already gone because the account cannot delete a file or directory it doesn't have write-access to.
And, honestly: if a user is irresponsible enough to issue rm-commands where they are harmful - do you really trust him enough to allow him the other powers that come with a sudo-rule like the above? Off the top of my head i know 10 methods to delete the file effectively without using rm at all:
All these commands will either reduce the file targetfile to length 0, overwrite it with meaningless information from /foo/bar (replace that with the name of any file containing nothing usable) or otherwise destroy what is in the file. You might end up with a file but all the information it held is gone. I hardly can see any improvement over the "its-gone-completely-because-of-rm"-situation.
Dear Concern,
We want to restrict ssh for particular user "oracle". Our HP UX version is as below. Please advise.
# uname -a
HP-UX tabsdb02 B.11.31 U ia64 2963363594 unlimited-user license (2 Replies)
Hello,
Our applications are deployed in SunOS 5.10 servers. All the team members use a same username/pwd to login to the box. Very often we face issue were we could see that weblogic server instance are KILLED and we are not able to trace who executed kill command. All team members use PUTTY to... (2 Replies)
hi,
I want to restrict some user access to only 1 directory (including all sub-directories/files in it).
can you please explain me, how can we do this?
example;
Filesystem GB blocks Used Free %Used Mounted on
/dev/hd4 2.61 1.02 1.59 40% /
/dev/hd2 ... (7 Replies)
Hi there
I have an application user on my system that wants accesses to these file systems as such:
rwx:
/SAPO
/SAPS12
/R3_888
/R3_888B
/R3_888F
/R3_888R
r:
/usr/sap
these are the existing FS permissions:ownerships:
# ls -ld /SAPO (9 Replies)
Hi
I have a Fedora10 server and i need a particular user to view files only in a particular folder.
All other files in other folders having "read" permission for all shouldn't be accessible to this user.
Please let me know if ther's a way.
Thanks,
HG (5 Replies)
Hi everyone !
I got "viewer" and "root" user on a *nix computer. When i log in using "viewer" I only can use "df" command. When I try another command like "ls" it say :
-bash: ls: command not found
I checked permission of "/bin/ls" file, it has excute permission for everyone. Inside home... (4 Replies)
Hello
I have a question in Aix 5.3 can I create a user, that only can see a specify path.
I mean the user log in the default path its /home/newuser he type cd the path that need to check /example/directory_check but if he wants to go to / or any other path. we can not do this.
I only... (1 Reply)
Hi all,
I want to restrict the perticular command to user.
ex: CD, CP, mv etc .,
"A" user cannot user CD, CP, mv commands from his home directory.
so please let me know the procedure how to restrict the commands access to user "A".
I really thankfull to all.... (3 Replies)
Hi all,
I am using Sun OS 5.10. I am new to Unix.
Is there some way to restrict a specific user to certain command say "/usr/bin/more" ??
for example: I want that user1 can execute more command & user2 can't.
Can we somehow edit .profile file in the home directory of user to achieve... (1 Reply)