Re: How to trap !sh at keyboard



Unless you have some modified version of shutdown, only root should be able
to run it anyway. So, for a user to type !sh and get the box to shut down,
they'd have to be logged in as root or knowingly type "sudo !sh" if they
have sudo, in which case, they shouldn't have sudo or the root password.

However, if shutdown is for some reason executable by anyone, you could just
chmod go-x it and make sure it's owned by root (it should be), making it
executable only by root. At that point, any non-root or non-sudo user typing
!sh will just get "permission denied" when they try to run it.

You could also remove /sbin from everyone's PATH by taking it out of
/etc/profile.

Good luck!

Chet

On Fri, May 23, 2008 at 7:27 PM, Paul Dwerryhouse <paul@xxxxxxxxxxxxxxxxxx>
wrote:

On Fri, May 23, 2008 at 01:53:20PM -0400, Billy Davis wrote:
It seems that some of our users are inclined to key in '!sh' at the
shell prompt, which promptly shuts down our Red Hat Enterprise 3 Server,
interrupting everyone else's work. Is there a line that we can add to
the inittab file, that will trap this string, in the same fashion that
the 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' line traps
Ctrl-Alt-Delete inputs?

Dodgy answer: move /sbin/shutdown to a location that isn't in the path,
so that typing just 'shutdown' from a command line without the full path
to it will result in 'command not found'.

Better answer: take root access away from users who aren't sensible
enough to know how to use it properly. If they *have* to have root
access for some reason (and I really can't think of any reason why they
should have it), force them to use sudo with a restricted range of
commands that they need.

Cheers,

Paul

--
Paul Dwerryhouse | PGP Key ID: 0x6B91B584
========================================================================

http://linoleum.leapster.org/ - Linux Programming Resources

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list




--
/*
Chet Nichols III
mail: chet.nichols@xxxxxxxxx
(aim: chet / twitter: chet)
*/
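
The ownership and mode check suggested in the reply above (root-owned, no execute bit for group or other), written as an added example; it is not code from the thread. The function names `owner_uid`, `go_can_exec` and `audit_bin` are hypothetical, and the script assumes a POSIX shell with `find`, `ls` and `awk`.

```shell
#!/bin/sh
# Added example: audit who may execute a privileged binary such as
# /sbin/shutdown. Function names are illustrative, not from the thread.

# Print the numeric uid that owns FILE (symlinks are followed).
owner_uid() {
    ls -ldnL -- "$1" | awk '{print $3}'
}

# Succeed if group or other holds an execute bit on FILE.
go_can_exec() {
    [ -n "$(find -H "$1" -prune \( -perm -010 -o -perm -001 \) -print)" ]
}

# Report findings for FILE.
# Returns 0: root-owned and not executable by group/other
#         1: at least one finding
#         2: file does not exist
audit_bin() {
    _f=$1
    [ -e "$_f" ] || { echo "MISSING  $_f"; return 2; }
    _rc=0
    if [ "$(owner_uid "$_f")" != "0" ]; then
        echo "OWNER    $_f is not owned by root (fix: chown root $_f)"
        _rc=1
    fi
    if go_can_exec "$_f"; then
        echo "MODE     $_f is executable by group/other (fix: chmod go-x $_f)"
        _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "OK       $_f"
    return "$_rc"
}

# When given arguments, audit each one, e.g.:
#   sh audit.sh /sbin/shutdown /sbin/halt /sbin/reboot
if [ "$#" -gt 0 ]; then
    for _arg in "$@"; do
        audit_bin "$_arg" || true
    done
fi
```
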