RESTRICT USER FROM EXECUTING rm COMMAND

Restrict user from executing rm command: give /bin/rm a named-user ACL entry for that user that lacks the execute bit. A named-user entry is evaluated before the group and other entries, so it overrides the r-x that everybody else gets from the mode bits.

[root@nginx ~]# ls -lh /bin/rm
-rwxr-xr-x. 1 root root 57K Oct 14  2014 /bin/rm
[root@nginx ~]# getfacl /bin/rm
getfacl: Removing leading '/' from absolute path names
# file: bin/rm
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@nginx ~]# setfacl -m u:yesdani:rw /bin/rm

[root@nginx ~]# getfacl /bin/rm
getfacl: Removing leading '/' from absolute path names
# file: bin/rm
# owner: root
# group: root
user::rwx
user:yesdani:rw-
group::r-x
mask::rwx
other::r-x

[root@nginx ~]# su - yesdani
[yesdani@nginx ~]$ ls -l
total 4
-rw-rw-r--. 1 yesdani yesdani 33 May 27 11:00 test
[yesdani@nginx ~]$ cat test 
try to remove file by rm command
[yesdani@nginx ~]$ rm -rf test 
-bash: /bin/rm: Permission denied
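
Why the named-user entry wins over other::r-x is easiest to see by running the ACL check by hand. The script below is an added example, not code from the original post: a pure-shell model of the POSIX.1e access check in the order the kernel applies it (owner entry, named user, then owning group and named groups under the mask, then other). ACL_BEFORE and ACL_AFTER are the getfacl output shown above; ACL_MASKED is constructed here to show what the mask entry does, and the group memberships passed in are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: a pure-shell model of the
# POSIX.1e ACL access check (the order the kernel uses), to show why the
# user:yesdani:rw- entry on /bin/rm denies execute although other::r-x would
# grant it.  ACL_BEFORE and ACL_AFTER are the getfacl output shown above;
# ACL_MASKED is constructed here to show the effect of the mask entry.

ACL_BEFORE='# file: bin/rm
# owner: root
# group: root
user::rwx
group::r-x
other::r-x'

ACL_AFTER='# file: bin/rm
# owner: root
# group: root
user::rwx
user:yesdani:rw-
group::r-x
mask::rwx
other::r-x'

# Constructed: yesdani has rwx by name, but the mask drops x again, and the
# mask also trims the owning group entry (what "chmod g-x" does on an ACL file).
ACL_MASKED='# file: bin/rm
# owner: root
# group: root
user::rwx
user:yesdani:rwx
group::r-x
mask::rw-
other::r-x'

# perm_and PERMS MASK : clear every bit of PERMS not set in MASK (rw- r-x -> r--)
perm_and() {
  p=$1; m=$2; out=""
  while [ -n "$p" ]; do
    c1=${p%"${p#?}"}; c2=${m%"${m#?}"}          # first character of each string
    p=${p#?}; m=${m#?}
    if [ "$c1" = "$c2" ] && [ "$c1" != "-" ]; then out="$out$c1"; else out="$out-"; fi
  done
  printf '%s' "$out"
}

# grant PERMS CHAR : print allow if CHAR (r, w or x) is set in PERMS, else deny
grant() {
  case $1 in *"$2"*) printf 'allow' ;; *) printf 'deny' ;; esac
}

# acl_allows USER "GROUP ..." ACLTEXT CHAR : print allow or deny
#   USER the accessing user; GROUPS every group USER is in, space separated;
#   ACLTEXT getfacl(1) output for the file; CHAR requested access, r, w or x
acl_allows() {
  user=$1; groups=$2; want=$4
  owner=""; ogroup=""; u_obj=""; g_obj=""; other=""
  mask="rwx"                        # no mask entry means the mask never restricts
  named_user=""; named_groups=""
  while IFS= read -r line; do
    case $line in
      "# owner: "*)   owner=${line#"# owner: "} ;;
      "# group: "*)   ogroup=${line#"# group: "} ;;
      user::*)        u_obj=${line#user::} ;;
      group::*)       g_obj=${line#group::} ;;
      mask::*)        mask=${line#mask::} ;;
      other::*)       other=${line#other::} ;;
      "user:$user:"*) named_user=${line#"user:$user:"} ;;
      group:*:*)      named_groups="$named_groups ${line#group:}" ;;   # "name:perms"
    esac
  done <<EOF
$3
EOF
  # 1. the owner is judged by user:: alone; the mask never applies to it
  if [ "$user" = "$owner" ]; then grant "$u_obj" "$want"; return 0; fi
  # 2. a named user entry decides next and is limited by the mask
  if [ -n "$named_user" ]; then grant "$(perm_and "$named_user" "$mask")" "$want"; return 0; fi
  # 3. owning group and named groups, all masked: the first matching entry that
  #    grants the access wins; a match that does not grant it still blocks other::
  matched=0
  for g in $groups; do
    if [ "$g" = "$ogroup" ]; then
      matched=1
      if [ "$(grant "$(perm_and "$g_obj" "$mask")" "$want")" = allow ]; then printf 'allow'; return 0; fi
    fi
    for ent in $named_groups; do
      if [ "${ent%%:*}" = "$g" ]; then
        matched=1
        if [ "$(grant "$(perm_and "${ent#*:}" "$mask")" "$want")" = allow ]; then printf 'allow'; return 0; fi
      fi
    done
  done
  if [ "$matched" -eq 1 ]; then printf 'deny'; return 0; fi
  # 4. nobody above matched: other:: decides
  grant "$other" "$want"
}

printf 'yesdani x before setfacl: %s\n' "$(acl_allows yesdani yesdani "$ACL_BEFORE" x)"   # allow
printf 'yesdani x after  setfacl: %s\n' "$(acl_allows yesdani yesdani "$ACL_AFTER" x)"    # deny
printf 'root    x after  setfacl: %s\n' "$(acl_allows root root "$ACL_AFTER" x)"          # allow
printf 'yesdani x, masked ACL:    %s\n' "$(acl_allows yesdani yesdani "$ACL_MASKED" x)"   # deny
```

The third step is the one people trip over: once any group entry matches the caller, other:: is never consulted, so a user in the owning group with group::r-- is denied write even when other::rw- would have allowed it. The mask applies to named users and to every group entry, never to the owner entry, which is why setfacl on /bin/rm cannot be used to lock root out of it.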
--------------------------------------------------------------------------------
The user lines in the sudoers file follow this syntax:

who host=(accounts) commands

that is: which user, on which hosts, may run which commands, as which target accounts. Edit the file only with visudo; it locks the file and refuses to save a rule with a syntax error, and sudo refuses to run at all while /etc/sudoers has a syntax error.
--------------------------------------------------------------------------------

But the same file can still be removed with sudo. sudo runs /bin/rm as root, and root is matched by the owner entry user::rwx, not by the yesdani ACL entry, so the ACL above does nothing against a user who can get root.

[root@nginx ~]# cat /etc/sudoers | grep root 
## the root user, without needing the root password.
## Allow root to run any commands anywhere
root ALL=(ALL) ALL

Adding yesdani as a full sudo user, with the same rule root has (edited here with vim; visudo is the safe way to do it):

[root@nginx ~]# vim /etc/sudoers

[root@nginx ~]# cat /etc/sudoers | grep yesdani
yesdani ALL=(ALL) ALL

[root@nginx ~]# su - yesdani
[yesdani@nginx ~]$ ls -l
total 4
-rw-rw-r--. 1 yesdani yesdani 33 May 27 11:00 test
[yesdani@nginx ~]$ rm -rf test 
-bash: /dev/null: Permission denied
[yesdani@nginx ~]$ sudo rm -rf test 

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for yesdani:
[yesdani@nginx ~]$ ls -l
total 0

--------------------------------------------------------------------------------
Restricting a sudo user from executing the rm command

The rule below consists of a single negated command. A negation never grants anything, so this rule lets yesdani run nothing at all through sudo; the denial shown for rm is sudo's default deny, not a rule that carves rm out of wider access. The rule that does mean "everything except rm" is yesdani ALL=(ALL) ALL, !/bin/rm, and sudoers(5) warns that subtracting commands from ALL with ! is not effective: with root for everything else, the user can copy /bin/rm to another name and run that, or remove files with any other program that unlinks them.

[root@nginx ~]# cat /etc/sudoers | grep yesdani
yesdani ALL=!/bin/rm

[root@nginx ~]# su - yesdani

[yesdani@nginx ~]$ cat >>test4
say hello

[yesdani@nginx ~]$ rm -rf test4 
-bash: /dev/null: Permission denied

[yesdani@nginx ~]$ sudo rm -rf test4 
[sudo] password for yesdani:
Sorry, user yesdani is not allowed to execute ‘/bin/rm -rf test4’ as root on nginx.admin.com.
--------------------------------------------------------------------------------

How to disable the password prompt when executing a particular command

Note that a command listed without arguments, as /bin/rm is here, may be run with any arguments, so this rule lets yesdani delete anything on the system as root without a password. To allow a command only when it is given no arguments, sudoers uses an empty string: /bin/rm "".

[root@nginx ~]# cat /etc/sudoers | grep yesdani
yesdani ALL=(ALL) NOPASSWD:/bin/rm

[root@nginx ~]# su - yesdani

[yesdani@nginx ~]$ cat >>test2
hello every one

[yesdani@nginx ~]$ rm -rf test2 
-bash: /dev/null: Permission denied

[yesdani@nginx ~]$ sudo rm -rf test2 
[yesdani@nginx ~]$ ls -l
total 0
--------------------------------------------------------------------------------
One more variant, tested without a password: NOPASSWD on a negated command. The tag only removes the password prompt for commands the rule permits, and a negated entry permits nothing, so yesdani is still refused rm (and every other command), this time without being asked for a password.

[root@nginx ~]# cat /etc/sudoers | grep yesdani
yesdani ALL=(ALL) NOPASSWD:!/bin/rm

[root@nginx ~]# su - yesdani
[yesdani@nginx ~]$ cat >>test3
hai
[yesdani@nginx ~]$ rm -rf test3
-bash: /dev/null: Permission denied

[yesdani@nginx ~]$ sudo rm -rf test3

Sorry, user yesdani is not allowed to execute ‘/bin/rm -rf test3’ as root on nginx.admin.com.
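
The five sudoers rules tried on this page fall into three shapes: a plain grant, a negation-only rule, and ALL with a command subtracted. The script below is an added example, not code from the original post: a small lint that tells those shapes apart (negation-only grants nothing; ALL minus a command is bypassable, as sudoers(5) warns), plus a helper that writes a rule file with the mode sudo requires under /etc/sudoers.d so it can be checked with visudo -cf before it is installed. The rule texts are the page's own; the drop-in file name is an assumption, and the script only ever writes under a temporary directory.

```sh
#!/bin/sh
# Added example, not code from the original post: a lint for the sudoers rule
# forms used above, plus a helper that writes a drop-in file ready for visudo.
# Rule texts are the page's own; the drop-in file name is an assumption and is
# only written under a temporary directory here.

RULE_ALL='yesdani ALL=(ALL) ALL'
RULE_NEG_ONLY='yesdani ALL=!/bin/rm'                  # the page's restriction attempt
RULE_ALL_BUT_RM='yesdani ALL=(ALL) ALL, !/bin/rm'     # "everything except rm", as sudoers spells it
RULE_RM_NOPASSWD='yesdani ALL=(ALL) NOPASSWD:/bin/rm'

# lint_rule 'user host=(runas) [TAG:]cmnd, ...' : print one verdict
#   grants-nothing  every command is negated, so the rule permits nothing and
#                   sudo falls back to its default deny for every command
#   bypassable      ALL with a negated command: the user still has root for
#                   everything else, so can copy /bin/rm elsewhere or unlink
#                   files with any other program (sudoers(5) says the same)
#   ok              nothing the lint objects to
lint_rule() {
  cmnds=${1#*=}                                                    # drop "user host="
  cmnds=$(printf '%s' "$cmnds" | sed 's/^[[:space:]]*([^)]*)//')   # drop "(runas)"
  total=0; negated=0; has_all=0
  save_ifs=$IFS; IFS=,
  for c in $cmnds; do
    IFS=$save_ifs
    # trim blanks, then strip tags such as NOPASSWD: or NOEXEC:
    c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^\([A-Z]*:[[:space:]]*\)*//')
    total=$((total + 1))
    case $c in
      '!'*) negated=$((negated + 1)) ;;
      ALL)  has_all=1 ;;
    esac
  done
  IFS=$save_ifs
  if [ "$total" -gt 0 ] && [ "$negated" -eq "$total" ]; then printf 'grants-nothing'
  elif [ "$has_all" -eq 1 ] && [ "$negated" -gt 0 ]; then printf 'bypassable'
  else printf 'ok'; fi
}

# write_dropin FILE RULE... : write RULE lines to FILE with the 0440 mode sudo
# requires for files under /etc/sudoers.d.  Content is written first and the
# mode set afterwards, because 0440 would refuse the owner's own writes.
write_dropin() {
  f=$1; shift
  rm -f "$f"
  { for r in "$@"; do printf '%s\n' "$r"; done; } > "$f"
  chmod 0440 "$f"
}

# check_dropin FILE : visudo's syntax check, if visudo exists on this host.
# Copy FILE into /etc/sudoers.d only after this prints ok.
check_dropin() {
  if command -v visudo >/dev/null 2>&1; then
    if visudo -cf "$1" >/dev/null 2>&1; then printf 'ok'; else printf 'invalid'; fi
  else
    printf 'skipped'
  fi
}

for r in "$RULE_ALL" "$RULE_NEG_ONLY" "$RULE_ALL_BUT_RM" "$RULE_RM_NOPASSWD"; do
  printf '%-46s %s\n' "$r" "$(lint_rule "$r")"   # ok, grants-nothing, bypassable, ok
done

tmpdir=$(mktemp -d)
write_dropin "$tmpdir/yesdani" "$RULE_RM_NOPASSWD"
printf 'visudo check of %s: %s\n' "$tmpdir/yesdani" "$(check_dropin "$tmpdir/yesdani")"
rm -rf "$tmpdir"
```

The lint only understands the single-line form used on this page (no aliases, no line continuations), which is enough to catch the two mistakes above. On a real host, run sudo -l -U yesdani after installing the file; it prints the rules sudo actually matched for the user, and for the negation-only rule that list is empty.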
