Disable commands in linux

How to disable scary terminal commands?

How do you disable scary terminal commands? I was using SSH to access a remote Ubuntu server without access to the physical server. I thought I was typing ‘ shutdown ‘ into the NoSQL server running on the Ubuntu OS, but actually I told the Ubuntu server to shutdown. Then I had to tell the server admin what I did so that he could start up the physical server for me. That was embarrassing! How can I keep this from happening again?

This has been discussed in lengths, usually with relation to rm which has worse side effects than shutdown . Bottom line: here is no way to prevent bad things from happening if you keep running random commands as root.

As other people have noted regarding aliasing, doing so can make people «get in the habit of a command working in a non-standard way.» So does it seem bad to anyone else that the silly NoSQL server uses this command?

I dare say you learnt the lesson so won’t have to feel the need to disable any command again. I’d also add you don’t fool-proof GNU/Linux, you just get better than the fool.

9 Answers 9

The standard answer is «don’t login as root». All commands run as root are scary. If that isn’t an option you could put some alias commands into your .bashrc to disable commands you find especially scary. For example:

for scary in shutdown halt reboot rm do alias $scary="echo If you really want to do that, type: `which $scary`" done 

Then, if you type shutdown you will get the following message:

If you really want to do that, type: /sbin/shutdown 

(Make sure your .bashrc has loaded first, before you try this on a production server)

Quitting your current ssh session and logging in again, or using . ~/.bashrc should load/run .bashrc. Perhaps try running rm without any arguments to make sure your server hasn’t disabled automatically loading .bashrc on logins or similar.

Note that if you are primarily concerned with halt and shutdown, you could consider installing molly-guard, which will make you type the hostname before shutting down the machine. This is more useful if you regularly shutdown whole OS’es on the commandline, but want to make sure you are shutting down the right one.

You could also test try this with a less scary command such as logout or exit.

don’t login as root: this won’t help if you’re confusing the machine you’re logged into. I’d suggest changing the prompt to something that would give you a visual cue.

Aliasing «scary» commands to have a «safe» behaviour is, in my experience, a bad idea. This is because people tend to get in the habit of a command working in a non-standard way which can make them do some very regrettable things when they are on a vanilla system. Simple answer is to tread very carefully when logged in as root.

@isanae The shortcut I used to open a terminal with ssh to the production server would make the terminal background light red. That made me pay attention.

Also note that while Debian and, by extension, Ubuntu have the defaullt ~/.bash_profile source .bashrc , that isn’t standard behavior and on most systems, .bashrc is not read when logging in via ssh, so this won’t make a difference there. It is far better to add the aliases to ~/.profile or ~/.bash_profile instead.

sudo exists for a reason — use it. When your command (in this case an interactive CLI) is finished, you’re dumped back to your user-level shell, not a root shell. There are very few worthy reasons to be in a root shell. (I’m surprised that this isn’t already an answer. )

Having said that, don’t be a muppet that uses sudo for everything. Understand what you’re doing, and understand why it does/doesn’t require root privileges.

Additionally you can differentiate your prompt for root / user shells. This also makes it more obvious that you’re back at the shell prompt and not «some other CLI«. Mine is very colorful, and has lots of useful information (such as the hostname), which makes it very simple to know what host the command will execute on, and also makes it easier to look back through your history and locate prompts — a root shell uses the default prompt.

This is more suitable to use on «your» account, but if you’re taking security/sysadminning seriously, then you won’t be sharing passwords/accounts, and you won’t be sitting in a root shell without being fully aware.

As people have said over, and over, and over again «aliasing commands to make a safe environment is a bad idea«. You’re going to get comfortable in your safe environment, typing those ‘scary’ commands where you shouldn’t. Then one day you’ll change jobs, or login to a new machine, and then boom «whoopsy, I didn’t mean to, I’m sorry«.

Источник

Shell disable terminal commands from within folder

If that isn’t an option you could put some alias commands into your to disable commands you find especially scary. If you have commands you call repeatedly, setting up an alias in your .zshrc would be a common solution.

Disable terminal commands

You can override rm (or any other command); the command built-in lets you access the original command when necessary.

command disables shell function look-up.

If you want to capture all uses of rm , then there is one way. However, I must mention that it’s a dirty, not-recommended way.

mv /bin/rm /bin/rm.bak cp my_rm_script /bin/rm 

my_rm_script should contain call to /bin/rm.bak, instead of /bin/rm.

This will capture all calls to command rm .

However, this will not work on busybox type architecture, where the NAME of the binary also matters.

You can use dpkg-divert to install a different rm on your system.

See also this article Replacing binaries with dpkg-divert for an example using a shell script.

Save all the terminal output to a file, script also has many options e.g. running quietly -q ( —quiet ) without showing/saving program messages, it can also run a specific command -c

How to disable cd command-line?

You can use cd — to quickly return to the previous directory ( $OLDPWD ). In general, I recommend getting used to UNIX as it is. But if you really want to, add this function to ~/.bashrc . It will make cd with no arguments a noop.

Block all default commands while a bash script are running?, Consider using «source», if you want the script to change the environment in your currently running shell. Other processes and scripts can

How to disable scary terminal commands?

The standard answer is «don’t login as root». All commands run as root are scary. If that isn’t an option you could put some alias commands into your .bashrc to disable commands you find especially scary. For example:

for scary in shutdown halt reboot rm do alias $scary="echo If you really want to do that, type: `which $scary`" done 

Then, if you type shutdown you will get the following message:

If you really want to do that, type: /sbin/shutdown 

( Make sure your .bashrc has loaded first, before you try this on a production server)

Quitting your current ssh session and logging in again, or using . ~/.bashrc should load/run .bashrc. Perhaps try running rm without any arguments to make sure your server hasn’t disabled automatically loading .bashrc on logins or similar.

Note that if you are primarily concerned with halt and shutdown, you could consider installing molly-guard, which will make you type the hostname before shutting down the machine. This is more useful if you regularly shutdown whole OS’es on the commandline, but want to make sure you are shutting down the right one.

You could also test try this with a less scary command such as logout or exit.

sudo exists for a reason — use it. When your command (in this case an interactive CLI) is finished, you’re dumped back to your user-level shell, not a root shell. There are very few worthy reasons to be in a root shell. (I’m surprised that this isn’t already an answer. )

Having said that, don’t be a muppet that uses sudo for everything . Understand what you’re doing, and understand why it does/doesn’t require root privileges.

Additionally you can differentiate your prompt for root / user shells. This also makes it more obvious that you’re back at the shell prompt and not » some other CLI «. Mine is very colorful, and has lots of useful information (such as the hostname), which makes it very simple to know what host the command will execute on, and also makes it easier to look back through your history and locate prompts — a root shell uses the default prompt.

This is more suitable to use on » your » account, but if you’re taking security/sysadminning seriously, then you won’t be sharing passwords/accounts, and you won’t be sitting in a root shell without being fully aware.

As people have said over, and over, and over again » aliasing commands to make a safe environment is a bad idea «. You’re going to get comfortable in your safe environment, typing those ‘scary’ commands where you shouldn’t. Then one day you’ll change jobs, or login to a new machine, and then boom » whoopsy, I didn’t mean to, I’m sorry «.

The package ‘molly-guard’ (at least on Debian derived systems) will install a wrapper around shutdown, halt, poweroff, and reboot. If it detects that the terminal is a remote one, then it will prompt for the host’s name. If it doesn’t match, then the command is cancelled.

How to limit user commands in Linux, All of the directions here assume that users have their own /home/[username] directory, that their shell is /bin/bash , and that you would like

How to disable «auto cd» in zsh with oh-my-zsh

Thats three questions in one 😉

AUTO_CD Option and howto find it

First of all the option you are looking for is AUTO_CD. You can easily find it by looking up man zshoptions . Use your pagers search function, usually you press / and enter the keyword. With n you jump to the next occurrence. This will bring up the following:

[..] Changing Directories AUTO_CD (-J) If a command is issued that can't be executed as a normal command, and the command is the name of a directory, perform the cd command to that directory. [..] 

The option can be unset using unsetopt AUTO_CD .

Turning it properly off

You are using oh-my-zsh which is described as

«A community-driven framework for managing your zsh configuration» Includes 120+ optional plugins (rails, git, OSX, hub, capistrano, brew, ant, macports, etc), .

So the next thing is to find out, how to enable/disable options according to the framework.

The readme.textile file states that the prefered way to enable/disable plugins would be an entry in your .zshrc: plugins=(git osx ruby) Find out which plugin uses the AUTO_CD option. As discovered from the manpage it can be invoked via the -J switch or AUTO_CD. Since oh-my-zsh is available on github, searching for it will turn up the file lib/theme-and-appearance.zsh . If you don’t want to disable the whole plugin «theme-and-appearance», put a unsetopt AUTO_CD in your .zshrc. Don’t modify the files of oh-my-zsh directly, because in case you are updating the framework, your changes will be lost.

Why executables are not invoked directly

Your third question is howto execute a binary directly: You have to execute your binary file via a path, for example with a prefixed ./ as in ./do-something . This is some kind of a security feature and should not be changed. hing of plugging in an USB stick, mounting it and having a look on it with ls . If there is a executable called ls which deletes your home directory, everything would be gone, since this would have overwritten the order of your $PATH.

If you have commands you call repeatedly, setting up an alias in your .zshrc would be a common solution.

Hide current working directory in terminal, This gets shown when a command is not finished. Type echo «asd and hit enter, the secondary prompt will let you enter more lines until you close

Источник

Disable terminal commands [closed]

I want to disable the use of rm except in certain circumstances. I wrote a function called remove in a .sh file and it goes though certain checks that I wanted to impose before actually calling rm . However, one could still go into the terminal and simply call the rm function rather than using remove . Is there a way to disable the rm function except when called by remove ? I want it to be as if the rm function doesn’t «exist» to a user who logs into the terminal, all that «exists» is the remove function. Maybe even go a step further and when a user calls rm it prints to the screen a statement saying to use remove . As a more broad question, is there a way to disable terminal commands except in certain circumstances? I know I could just make an alias for rm to require root, but that’s the easy and less convenient way out.

#!/bin/bash function rm < if [ $# -le 0 ]; then echo "Error: no arguments specified." else hasDir=0 for arg in "$@"; do if [ -d "$arg" ]; then hasDir=1; fi done ac="Action canceled." resp=("y" "n" "e") sure=" " while [ "$sure" != "y" ] && [ "$sure" != "n" ]; do read -p "PERMANENT ACTION. Are you sure? (y/n): " sure done if [ "$sure" == "n" ]; then echo "$ac"; return; fi if [ $hasDir -eq 1 ]; then direc=" " validResp=0 while [ $validResp -eq 0 ]; do read -p "Remove all sub-directories? (y/n/e): " direc for ans in "$"; do if [ "$direc" == "$ans" ]; then validResp=1; fi done done if [ "$direc" == "e" ]; then echo "$ac"; return; fi else direc="n" fi check=" " validResp=0 while [ $validResp -eq 0 ]; do read -p "Verify removal of each file? (y/n): " check for ans in "$"; do if [ "$check" == "$ans" ]; then validResp=1; fi done done if [ "$check" == "e" ]; then echo "$ac"; return; fi if [ "$direc" == "n" ]; then if [ "$check" == "n" ]; then for file in "$@"; do if [ ! -d "$file" ]; then command rm -f "$file"; fi done else for file in "$@"; do if [ ! -d "$file" ]; then command rm -i "$file"; fi done fi else if [ "$check" == "n" ]; then command rm -rf "$@" else command rm -ir "$@" fi fi fi > 

Источник