1

I want to restrict rm command for certain group. I have implemented sudo on my Linux server. sudo rm <filename> is not permitted as I've restricted it.

The issue is, if a user does not use sudo he can remove a file. My users belong to a certain group e.g. test. So, I need to restrict /bin/rm for all users in test group.

setfacl did not help!

Any recommendations are really appreciated.

kenlukas
  • 3,101
  • 2
  • 16
  • 26
Sheeze Mirza
  • 11
  • 2
  • 4
    What are you actually trying to achieve? Limiting `/bin/rm` won't help you, users can copy an own version of `rm` in their home directory and use that one. Or use Python or whatsover to remove files. – Thomas Aug 06 '19 at 16:28
  • 1
    Restricting the `rm` command is the wrong approach. (There numerous other ways to destroy a file or the data stored in a file.) The typical approach is to use place your users in different groups and then correct file system ownership and permissions will ensure that only authorized users can modify and delete files. – HBruijn Aug 06 '19 at 16:29

1 Answers1

0

I'll reply to this because I think I know how to achieve something close to your request.

By the way, I strongly agree with people in the comments: this is not at all a solution for what you mean to achieve.

Filesystem permissions tuning is the way.

Given "privileged" is the group that will be able to run restricted binaries and "youradminusername" is the admin user you are using.

Repeat the second command for any other local admin user. 

sudo groupadd privileged
sudo usermod -a -G privileged youradminusername
sudo dpkg-statoverride --update --add root privileged 4750 /bin/rm

This way, only users added to the privileged group will be able to access rm.

BTW, again, even uploading my own rm won't be needed, I can promptly list tens of binaries I can use in bash to destroy a file. Configure filesystem's permissions instead.

Marco
  • 1,709
  • 3
  • 17
  • 31
  • Thanks for your response @Marco. I am using a wheel group. So you are recommending use privileged instead? – Sheeze Mirza Aug 15 '19 at 10:55
  • The group I used is just an example, and I don't recommend using this solution at all in your case, the right approach is filesystem's permissions as stated in other comments and in my answer. – Marco Aug 16 '19 at 12:23
  • 1
    Thanks for your response, after taking away the executable permissions from others resolved my problem. Thanks for your replies – Sheeze Mirza Aug 20 '19 at 14:25