Restrict user from executing rm command
-rwxr-xr-x. 1 root root 57K Oct 14 2014 /bin/rm
[root@nginx ~]# getfacl /bin/rm
getfacl: Removing leading ‘/’ from absolute path names
# file: bin/rm
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
[root@nginx ~]# setfacl -m u:yesdani:rw /bin/rm
[root@nginx ~]# getfacl /bin/rm
getfacl: Removing leading ‘/’ from absolute path names
# file: bin/rm
# owner: root
# group: root
user::rwx
user:yesdani:rw-
group::r-x
mask::rwx
other::r-x
[root@nginx ~]# su – yesdani
[yesdani@nginx ~]$ ls -l
total 4
-rw-rw-r–. 1 yesdani yesdani 33 May 27 11:00 test
[yesdani@nginx ~]$ cat test
try to remove file by rm command
[yesdani@nginx ~]$ rm -rf test
-bash: /bin/rm: Permission denied
————————————————————————————————————————–
The syntax for the user lines in the sudoers file follows this syntax:
who host=(accounts) commands
————————————————————————————————————————–
But same i can remove with sudo permission
[root@nginx ~]# cat /etc/sudoers | grep root
## the root user, without needing the root password.
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
I am adding yesdani to super user
[root@nginx ~]# vim /etc/sudoers
[root@nginx ~]# cat /etc/sudoers | grep yesdani
yesdani ALL=(ALL) ALL
[root@nginx ~]# su – yesdani
[yesdani@nginx ~]$ ls -l
total 4
-rw-rw-r–. 1 yesdani yesdani 33 May 27 11:00 test
[yesdani@nginx ~]$ rm -rf test
-bash: /dev/null: Permission denied
[yesdani@nginx ~]$ sudo rm -rf test
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for yesdani:
[yesdani@nginx ~]$ ls -l
total 0
————————————————————————————————————————–
Restricting sudo useer from executing rm command
[root@nginx ~]# cat /etc/sudoers | grep yesdani
yesdani ALL=!/bin/rm
[root@nginx ~]# su – yesdani
[yesdani@nginx ~]$ cat >>test4
say hello
[yesdani@nginx ~]$ rm -rf test4
-bash: /dev/null: Permission denied
[yesdani@nginx ~]$ sudo rm -rf test4
[sudo] password for yesdani:
Sorry, user yesdani is not allowed to execute ‘/bin/rm -rf test4’ as root on nginx.admin.com.
———————————————————————————————-
How to Disable password prompt when executing particular command
[root@nginx ~]# cat /etc/sudoers | grep yesdani
yesdani ALL=(ALL) NOPASSWD:/bin/rm
[root@nginx ~]# su – yesdani
[yesdani@nginx ~]$ cat >>test2
hello every one
[yesdani@nginx ~]$ rm -rf test2
-bash: /dev/null: Permission denied
[yesdani@nginx ~]$ sudo rm -rf test2
[yesdani@nginx ~]$ ls -l
total 0
———————————————————————————————–
One more possibility for testing with out password
[root@nginx ~]# cat /etc/sudoers | grep yesdani
yesdani ALL=(ALL) NOPASSWD:!/bin/rm
[root@nginx ~]# su – yesdani
[yesdani@nginx ~]$ cat >>test3
hai
[yesdani@nginx ~]$ rm -rf test3
-bash: /dev/null: Permission denied
[yesdani@nginx ~]$ sudo rm -rf test3
Sorry, user yesdani is not allowed to execute ‘/bin/rm -rf test3’ as root on nginx.admin.com.
