Results 1 to 16 of 16
  1. #1
    Join Date
    May 2006
    Posts
    1,426

    How to prevent rm -rf /?

    Does anyone know anyway that "rm -rf /" can be disabled? OR any selinux rule or something to prevent this?

    Or if I wanted to prevent a certain directory from being deleted like backups but something unlike chattr that someone can figure out quickly.

    Im sure LOTS of people would like to know about this. Ive searched around and only somewhat useful thing I have found is an rm wrapper that sends everything to a trash file in the root of the mount point.
    Last edited by jon-f; 07-04-2009 at 01:47 AM.

  2. #2
    Join Date
    Apr 2005
    Posts
    1,767
    How about FreeBSD's noschg flag and sysctl kernel_securelevel?

  3. #3
    Join Date
    Sep 2003
    Location
    Chicago, IL
    Posts
    165
    The best solution to this problem is to not login as root. Create a user and provide sudo priveleges to that user. This has saved me a few times.

  4. #4
    Join Date
    May 2006
    Posts
    1,426
    I just found something else unless this is the same thing I posted in first post - it seems different you can make a list of files to never be deleted - http://linux.softpedia.com/get/Utili...rm-40929.shtml

    I will try to find the original site for this.

    Also I want to point out, this question and thread is not about accidentally deleting things it is about preventing hackers form wiping your box so sudo wont help if they get root through the kernel or some root service. If you forbid root login they can still be root from exploitations.

    update - http://www.safe-rm.org.nz/
    Last edited by jon-f; 07-04-2009 at 02:07 AM.

  5. #5
    Join Date
    Sep 2003
    Location
    Chicago, IL
    Posts
    165
    Sorry I misread that bit.

    That is some good information though.

  6. #6
    Join Date
    May 2006
    Posts
    1,426
    Well the safe-rm script is useless, it would be good to prevent accidental deletions but not so against hackers. For example, if you do like rm -blah it spits this back

    /usr/bin/rm -blah
    /bin/rm: invalid option -- b
    Try `/bin/rm --help' for more information.

    safe rm is /usr/bin/rm , real is /bin/rm so as you see it doesnt help any. I will look on the script and see if its possible to prevent that but otherwise it shows that script is only helpful for accidental deletions

  7. #7
    Join Date
    Apr 2007
    Posts
    652
    It would be a better idea to backup your server instead of trying to protect against 'rm -rf /'. If you did try to protect against it I would surely think it would just be for accidental reasons, not from somebody who penetrated your system.
    Justin Yancey | Northern Virginia & District of Columbia | https://www.linkedin.com/in/justinyancey

  8. #8
    Join Date
    May 2006
    Posts
    1,426
    Well yeah it would be for accidental reasons too. And of course backups are done. We are just working on some new things to try and prevent some disasters. We have practially gone over any potential disaster we can think of and are trying to find solutions, come up with backup plans, etc.

  9. #9
    Quote Originally Posted by JustinAY View Post
    It would be a better idea to backup your server instead of trying to protect against 'rm -rf /'. If you did try to protect against it I would surely think it would just be for accidental reasons, not from somebody who penetrated your system.
    Not to say that protecting against accidental deletions of rm -Rf / which I am sure happen all the time from a simple typo, to running a script directly that shouldn't be ran that way. Protection against rm -Rf / is the first step. Any protection against rm -Rf / is not a substitute for backups of course

  10. #10
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,422
    If a malicious person gains root, you are hosed.

    Even if a malicious person manages to access only as a user, they can still cause plenty of damage with just a few lines of code.

    Code:
    for p in walk('/'):
        if os.path.isfile(p):
            # do something nasty with the file like truncate
            # or fill with the output of /dev/urandom
            pass
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  11. #11
    Join Date
    Jun 2001
    Location
    Chicago, IL
    Posts
    1,953
    These days the goal is not so much to delete all your stuff but rather to steal information/do something for profit.

    Plus even if you did stop rm -rf, there are other ways they could mess with your server, maybe screw with your partitions? And if you really wanted to be secure, after a server being compromised you would probably start from square one anyways despite them deleting anything or not.
    Chicago Electronic Cigarettes: Tobacco Free, Smoke Free. 3 E-Cig Models, 11 flavors, and accessories.
    http://www.chicago-ecigs.com

  12. #12
    Join Date
    Jul 2009
    Location
    Charlotte, NC
    Posts
    42
    Protecting the `rm` command will not make much of a difference to an intruder with root access.

    Good thought, but it won't work in practice.

  13. #13
    Join Date
    May 2001
    Location
    HK
    Posts
    3,082

    Smile

    well, you can make your own rm command, sort of like a wrapper and check the paths (passed in the parameter) and then pass them to the real rm command to do the deletion.

  14. #14
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Whats to stop them uploading their own binary?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  15. #15
    Join Date
    May 2006
    Posts
    1,426
    Quote Originally Posted by Steven View Post
    Whats to stop them uploading their own binary?
    ha dang,, I didnt even think of that. Well I guess it is still good to have for accidental deletions. My main concern is new staff coming and going but also for hacks but I guess either way someone can screw something up.

    EDIT: I guess pulled backups is about the safest thing to do to prevent total loss.

  16. #16
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by felosi View Post
    ha dang,, I didnt even think of that. Well I guess it is still good to have for accidental deletions. My main concern is new staff coming and going but also for hacks but I guess either way someone can screw something up.

    EDIT: I guess pulled backups is about the safest thing to do to prevent total loss.
    No. Physical in hand backups are best.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

Similar Threads

  1. How prevent hackers away
    By kamyana in forum Hosting Security and Technology
    Replies: 7
    Last Post: 02-21-2007, 06:37 PM
  2. How to prevent this?
    By Vpower in forum Hosting Security and Technology
    Replies: 3
    Last Post: 09-01-2006, 08:27 AM
  3. How to prevent cmd from executing from php
    By canfone in forum Hosting Security and Technology
    Replies: 5
    Last Post: 04-16-2006, 12:35 PM
  4. How to prevent SQl injection?
    By traixanha in forum Hosting Security and Technology
    Replies: 10
    Last Post: 06-11-2003, 03:05 PM
  5. Is there a way to prevent this?
    By tutv in forum Programming Discussion
    Replies: 2
    Last Post: 03-02-2003, 01:23 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •