How to restrict rm -rf * to users other than root?

I'm using Solaris 10. I want to restrict users from executing this dangerous command.

rm -rf *

But they should be able to perform the below actions:

rm -rf *.*
rm -rf filename
rm -rf directory

Is it possible? If yes, then please let me know how to do it.

Yes, everyone's nightmare.

Have you seen this before?

Safe-rm

I also remember some time ago being told about sysadmins creating a file with some escape characters in the name at root (/) which caused rm -r to fall over when executed at that level in the filesystem. Unfortunately, I can't remember how it was done. However, some of the coding/scripting experts on this forum might have something to say about that.

Why would *.* be much safer? That could potentially match . or .. on some systems. Besides, you can't really disable some globbing but not others.

What I usually see done to "safe" rm for root is putting alias rm="rm -i" in root's profile, so rm prompts for every single file removal.

Corona688: If the alias is added, then all rm commands would prompt for user input; this will affect any scripts that are used to clean the logs/files.

No, they don't, actually. Aliases apply to interactive logins, only interactive logins, and nothing but interactive logins.

If you type 'rm' directly into a root terminal where rm is aliased to rm -i, it will run 'rm -i'.

It does that absolutely nowhere else. Not inside scripts or utilities, even if you run them from that same terminal.

Which is a pretty good reason to use an alias for this, actually, and why you actually see that sort of thing done a lot.

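A way to check the alias-scope behaviour discussed above, as an added example that is not part of the original thread. The script name cleanup.sh and the scratch files are constructed for the demo, and it assumes mktemp -d is available and that rm -i treats end-of-input as "no".

```shell
#!/bin/sh
# Constructed demo; works only inside a scratch directory from mktemp.

# Print "deleted" or "kept" depending on whether $1 still exists.
state() { if [ -e "$1" ]; then echo kept; else echo deleted; fi; }

alias_scope_demo() {
    work=$(mktemp -d) || return 1
    touch "$work/f1" "$work/f2" "$work/f3"

    # Stand-in for a log-cleanup script run by cron or an admin (hypothetical).
    printf '#!/bin/sh\nrm "$1"\n' > "$work/cleanup.sh"
    chmod +x "$work/cleanup.sh"

    # What root's profile would set for the interactive login shell.
    alias rm='rm -i'

    # stdin is /dev/null: a prompting rm gets no "y" and leaves the file alone.
    "$work/cleanup.sh" "$work/f1" </dev/null >/dev/null 2>&1   # script
    sh -c 'rm "$1"' sh "$work/f2" </dev/null >/dev/null 2>&1   # child shell
    command rm -i "$work/f3" </dev/null >/dev/null 2>&1        # control: real -i

    echo "script=$(state "$work/f1") child=$(state "$work/f2") control=$(state "$work/f3")"
    unalias rm
    command rm -rf "$work"
}

alias_scope_demo
```

The script and the child shell delete their files without prompting, while the control run with a real -i keeps its file, so the alias guards only commands typed at the prompt.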

This might help. It's a bit long-winded, but could accomplish what you want by adding a test in the alias command:

# Define the alias only when the current uid is not 0, so root still gets the plain rm
[ "$(id | cut -d'=' -f2 | cut -d'(' -f1)" -ne 0 ] && alias rm="rm -i"

So if the uid equals 0 (or substitute whichever uid you want to omit from being prompted), then skip prompting, while other users will be prompted.

Hope this helps.


id -u (if available on your machine) might save you all the cutting...


There's no point putting it in the global profile, that makes it more complicated than it needs to be. Just put it in root's profile alone, in their home directory, and only root will get it.