Thread: How to prevent rm -rf /?
-
07-04-2009, 01:43 AM #1 Disabled
- Join Date
- May 2006
- Posts
- 1,426
How to prevent rm -rf /?
Does anyone know any way that "rm -rf /" can be disabled? Or any SELinux rule or something to prevent this?
Or if I wanted to prevent a certain directory from being deleted like backups but something unlike chattr that someone can figure out quickly.
I'm sure LOTS of people would like to know about this. I've searched around and the only somewhat useful thing I have found is an rm wrapper that sends everything to a trash file in the root of the mount point.
Last edited by jon-f; 07-04-2009 at 01:47 AM.
-
07-04-2009, 01:57 AM #2 Web Hosting Master
- Join Date
- Apr 2005
- Posts
- 1,767
How about FreeBSD's noschg flag and sysctl kernel_securelevel?
-
07-04-2009, 01:58 AM #3 WHT Addict
- Join Date
- Sep 2003
- Location
- Chicago, IL
- Posts
- 165
The best solution to this problem is to not log in as root. Create a user and provide sudo privileges to that user. This has saved me a few times.
-
07-04-2009, 02:03 AM #4 Disabled
- Join Date
- May 2006
- Posts
- 1,426
I just found something else, unless this is the same thing I posted in the first post. It seems different: you can make a list of files to never be deleted - http://linux.softpedia.com/get/Utili...rm-40929.shtml
I will try to find the original site for this.
Also I want to point out, this question and thread is not about accidentally deleting things, it is about preventing hackers from wiping your box, so sudo won't help if they get root through the kernel or some root service. If you forbid root login they can still be root from exploitations.
update - http://www.safe-rm.org.nz/
Last edited by jon-f; 07-04-2009 at 02:07 AM.
-
07-04-2009, 02:17 AM #5 WHT Addict
- Join Date
- Sep 2003
- Location
- Chicago, IL
- Posts
- 165
Sorry I misread that bit.
That is some good information though.
-
07-04-2009, 03:58 AM #6 Disabled
- Join Date
- May 2006
- Posts
- 1,426
Well, the safe-rm script is useless; it would be good to prevent accidental deletions but not so against hackers. For example, if you do like rm -blah it spits this back:
/usr/bin/rm -blah
/bin/rm: invalid option -- b
Try `/bin/rm --help' for more information.
Safe rm is /usr/bin/rm, real is /bin/rm, so as you see it doesn't help any. I will look at the script and see if it's possible to prevent that, but otherwise it shows that the script is only helpful for accidental deletions.
-
07-04-2009, 04:11 AM #7 Web Hosting Master
- Join Date
- Apr 2007
- Posts
- 652
It would be a better idea to back up your server instead of trying to protect against 'rm -rf /'. If you did try to protect against it I would surely think it would just be for accidental reasons, not from somebody who penetrated your system.
Justin Yancey | Northern Virginia & District of Columbia | https://www.linkedin.com/in/justinyancey
-
07-04-2009, 04:15 AM #8 Disabled
- Join Date
- May 2006
- Posts
- 1,426
Well yeah, it would be for accidental reasons too. And of course backups are done. We are just working on some new things to try and prevent some disasters. We have practically gone over any potential disaster we can think of and are trying to find solutions, come up with backup plans, etc.
-
07-04-2009, 04:16 AM #9 Disabled
- Join Date
- Sep 2005
- Location
- A box
- Posts
- 2,051
Not to say that protecting against accidental deletions of rm -Rf / which I am sure happen all the time from a simple typo, to running a script directly that shouldn't be run that way. Protection against rm -Rf / is the first step. Any protection against rm -Rf / is not a substitute for backups of course.
-
07-04-2009, 04:46 AM #10 Web Hosting Master
- Join Date
- Nov 2001
- Location
- Vancouver
- Posts
- 2,422
If a malicious person gains root, you are hosed.
Even if a malicious person manages to access only as a user, they can still cause plenty of damage with just a few lines of code.
Code:
    import os

    for dirpath, dirnames, filenames in os.walk('/'):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p):
                # do something nasty with the file like truncate
                # or fill with the output of /dev/urandom
                pass
“Even those who arrange and design shrubberies are under
considerable economic stress at this period in history.”
-
07-04-2009, 10:01 AM #11 A#* Duke Of New York
- Join Date
- Jun 2001
- Location
- Chicago, IL
- Posts
- 1,953
These days the goal is not so much to delete all your stuff but rather to steal information/do something for profit.
Plus even if you did stop rm -rf, there are other ways they could mess with your server, maybe screw with your partitions? And if you really wanted to be secure, after a server being compromised you would probably start from square one anyways despite them deleting anything or not.
-
07-04-2009, 12:14 PM #12 Junior Guru Wannabe
- Join Date
- Jul 2009
- Location
- Charlotte, NC
- Posts
- 42
Protecting the `rm` command will not make much of a difference to an intruder with root access.
Good thought, but it won't work in practice.
-
07-04-2009, 12:53 PM #13 Web Hosting Master
- Join Date
- May 2001
- Location
- HK
- Posts
- 3,082
well, you can make your own rm command, sort of like a wrapper and check the paths (passed in the parameter) and then pass them to the real rm command to do the deletion.
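[Added example, not part of the thread or of safe-rm: a path-checking wrapper of the kind described in the post above. The names safe_rm, is_protected, PROTECTED_PATHS and REAL_RM are assumptions made for this sketch. It canonicalises each argument first, so `backups/`, `x/../backups` and a parent directory of a protected path are all refused. As post #6 shows, calling /bin/rm directly skips any such wrapper, so it only guards against accidents.]

```shell
#!/bin/sh
# Added example (hypothetical names): rm wrapper that checks paths first.
# PROTECTED_PATHS: newline-separated directories that must never be removed.
PROTECTED_PATHS="${PROTECTED_PATHS:-/backups}"
REAL_RM="${REAL_RM:-/bin/rm}"

# is_protected PATH: returns 0 if removing PATH would hit a protected dir.
is_protected() {
    # Canonicalise so trailing slashes, ".." and symlinks cannot hide the target.
    # A path that cannot be resolved is left for the real rm to report.
    target=$(readlink -f -- "$1" 2>/dev/null) || return 1
    [ "$target" = / ] && return 0            # never allow the root itself
    while IFS= read -r p; do
        prot=$(readlink -f -- "$p" 2>/dev/null) || continue
        case "$target/" in
            "$prot"/*) return 0 ;;           # target is the dir or inside it
        esac
        case "$prot/" in
            "$target"/*) return 0 ;;         # target is a parent of the dir
        esac
    done <<EOF
$PROTECTED_PATHS
EOF
    return 1
}

# safe_rm ARGS...: refuse the whole command if any path is protected,
# otherwise hand the unchanged arguments to the real rm.
safe_rm() {
    end_opts=0
    for arg in "$@"; do
        if [ "$end_opts" -eq 0 ]; then
            case "$arg" in
                --) end_opts=1; continue ;;  # everything after -- is a path
                -*) continue ;;              # option, not a path
            esac
        fi
        if is_protected "$arg"; then
            echo "safe_rm: refusing to remove protected path: $arg" >&2
            return 1
        fi
    done
    "$REAL_RM" "$@"
}
```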
-
07-04-2009, 12:58 PM #14 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
What's to stop them uploading their own binary?
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
07-04-2009, 01:18 PM #15 Disabled
- Join Date
- May 2006
- Posts
- 1,426
Ha dang, I didn't even think of that. Well I guess it is still good to have for accidental deletions. My main concern is new staff coming and going but also for hacks, but I guess either way someone can screw something up.
EDIT: I guess pulled backups is about the safest thing to do to prevent total loss.
-
07-04-2009, 02:53 PM #16 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681