UNIX for Dummies Questions & Answers

hi

how to restrict a user ro run rm command.

In this scenario we have a user/group has below in sudoers

Code:

user ALL=(ALL) ALL

is there a way to restrict the user from just executing rm command

You could, but then there would be a zillion ways a user could go around it. Besides he/she could edit the sudoers file. So no, I don't think it can be done in a satisfactory way.

could you please suggest a way to restrict it , keeping the fact that the use have other ways to go around aside,

Since you have a sudoers file which completely makes security non-existent, this will block rm for a particular user for at least 10 seconds.
It also will, for that user, to break a lot of existing shell script code. So expect a problem ticket from that user saying 'I cannot run "X" '

In the user's home directory change .profile to be owned by root, with 644 protections.

Next at the top of the profile, add the line

Code:

alias rm='/dev/null'

There are other slightly more realistic possibilities using file ACL's on /usr/bin/rm to block the user from executing that file. If you understand ACL's and your system supports them. For example, on Linux try the setfacl command. Check the manual page first.

That user has to logout/login for this to take 'effect' If the user has to run a lot of login scripts from .profile after that alias, there is a good chance the user will not be able to login.

This is NOT a reasonable solution, it is an answer to keep you happy. There is no solution. This whole thing sounds like ignorant management dictating really bad changes. Sorry.

In a sudo context, usually you don't want these kind of "everything" entries. So the best solution is to just have rules for the things you do want the user to be able to do through sudo.

However, back to the general statement.... one way is to create a custom application firewall (e.g. apparmor) and set that new apparmored shell to be the user's shell.

You would need to not only restrict rm, but the ability to start up a different shell (gets very complex at this point since many utilities allow you to spawn a shell.

The better answer is to specific sudo rules for what you want to allow....

The OP seems to want an 'answer' that specifcally blocks a command rather than making sudoers changes. cjcox, scrutinizer, and myself all agree that sudoers is the problem. Not access to the rm command.

robo - you should not have sudoers entries like that, because it creates the kind of problems you are trying to work around.

some other ways (don't try them, if you don't understand the consequences):

1. rm -f /bin/rm
2. echo '#!/bin/sh' >/bin/rm