In my High school there are few computer having Ubuntu 14.04 installed and many students know the Root password,
how can I block/disable certain dangerous commands like :- rm -rf / rm -rf * :(){:|:&};: to avoid Data loss ?
Asked
Active
Viewed 808 times
2
Ashu_FalcoN
- 2,118
-
4what about the simplest way? Changing the root password? – AlexGreg Aug 11 '14 at 14:56
-
possible duplicate of Remove a terminal command – Parto Aug 11 '14 at 14:56
-
@parto that question/answer assumes they do not have the admin password. – Rinzwind Aug 11 '14 at 14:58
-
Cannot change root password as many students and teacher use it !!! – Ashu_FalcoN Aug 11 '14 at 14:58
-
I see no reason why students and faculty should have the root password. Use sudo properly and limit its impact. That said, if you can't do that, educate the students and faculty of the power they wield. – muru Aug 12 '14 at 03:49
-
2@Parto Also, none of the solutions there achieve any security-related goals such as preventing people from inflicting deliberate harm. For aliasing, users can redefine their own aliases or execute commands in such a way as to bypass aliases (e.g., with their full path). Users can put back a command that has been deleted. And users can similarly make their own copy--or, if they cannot do that, bring in their own copy--of a non-setuid command they can't run. – Eliah Kagan Aug 12 '14 at 04:09
-
@Ashu Have you considered using guest sessions that revert on reboot? – Panagiotis Tabakis Aug 22 '16 at 12:56
1 Answers
13
Impossible. Absolutely impossible. If they know the admin password they can do a-n-y-t-h-i-n-g and can always revert any change you make to the system.
If you are the admin of those system you need to re-install those computers. There is no telling what those students did to those systems (for all you know they installed a keylogger, a mailserver or some dubious script and know your password seconds after you changed it) and create an admin account with a secure password.
Cannot change root password as many students and teacher use it !!!
Yes you can and yes you should. There should be 1 or 2 people that know the admin password. Other people can have elevated access but they still do not need the admin password.
Rinzwind
- 299,756
-
yes it' not possible to prevent totally that a command may be enabled back, but how to avoid accidental run of dangerous commands? command 'foobar' for example, how to disable "sudo foobar"? – Dan D. Dec 28 '19 at 06:04