0

I want to prevent someone from typing in and executing a shell command within terminal that might unknowingly cause problems. Let's say for the sake of argument that the command is rm -rf /.

My first thought is to write an alias that would catch the command before it runs, but aliases only work on single-word commands. Is there a way to intercept a specific command before it runs and echo something like "You cannot run that command" instead of executing?

samcorcos
  • 2,330
  • 4
  • 27
  • 40
  • Are you talking about a _script_ (i.e. a file that contains a sequence of shell commands to run), or a _command_? – David Z Oct 23 '18 at 21:12
  • Sorry, i just meant a "command". Will update – samcorcos Oct 23 '18 at 21:15
  • 3
    No, there is no way to prevent a motivated attacker with arbitrary shell access from executing a specific command. You should be using permissions and capabilities, not command blacklisting. – that other guy Oct 23 '18 at 21:18
  • 1
    This has been asked and answered before, but the duplicate is being a bit tricky to find -- I wonder if perhaps it's on [unix.se] (where this question would certainly be closer to topic). – Charles Duffy Oct 23 '18 at 21:20
  • 1
    Related: https://unix.stackexchange.com/questions/90998/block-particular-command-in-linux-for-specific-user – kvantour Oct 23 '18 at 21:20
  • I can copy/paste the identical script from another server and execute it. – Walter A Oct 23 '18 at 21:22
  • @thatotherguy It's less about a motivated attacker and more about preventing someone who is new to programming who might make a substantial mistake. – samcorcos Oct 23 '18 at 21:24
  • 1
    @WalterA, you don't even need to do that -- if the restriction is being performed by the shell, just call it in a way that doesn't go through the shell. Even if `somecmd foo` is blocked, `xargs somecmd foo` won't be, much less `python -c 'import subprocess; subprocess.Popen(['somecmd', 'foo'])`. – Charles Duffy Oct 23 '18 at 21:24
  • @CharlesDuffy When somebody sets the file to 700 (and writes some wrapper code with setuid and check of parameters) `xargs` is blocked. – Walter A Oct 23 '18 at 21:29
  • @WalterA, ...did you mention any of that work upthread? The response is true enough, but seems like a bit of a non sequitur; the question is tagged "bash", together with the text implying that the OP is looking for a restriction that can be implemented as an (alias-like) shell configuration measure. – Charles Duffy Oct 23 '18 at 21:30
  • 1
    @samcorcos When I was new somebody tried preventing me making a mistake with `alias rm='/bin/rm -i'`. That seemed to work until I changed to a user (root), where the alias was not set. And I made a substantial mistake, expecting confirmation after `rm *`. Try to give new persons minimal rights. – Walter A Oct 23 '18 at 21:36
  • *nod* -- the best safety net (beyond well-crafted permissions) is a robust snapshot or backup regimen. Doubly so if those snapshots are live for users to read without requesting admin intervention; if you can pick up your files as they existed as of last week by looking in `/snapshots/2018-10-15/home/username`, the threat of deletion gets a lot less scary. – Charles Duffy Oct 23 '18 at 21:40
  • @CharlesDuffy I agree that an alias can be passed even more easy. – Walter A Oct 23 '18 at 21:41
  • `alias rm=rm -i` has no effect when `-f` is set, so `rm -f` oder `rm -fi` will never prompt. – JGK Oct 24 '18 at 08:15

0 Answers0