Views:
6,944β
Votes: 5β
Tags:
command-line
permissions
password
rm
Link:
π See Original Answer on Ask Ubuntu β§ π
URL:
https://askubuntu.com/q/866003
Title:
How can I set up a password for the 'rm' command?
ID:
/2016/12/30/How-can-I-set-up-a-password-for-the-_rm_-command_
Created:
December 30, 2016
Edited: March 5, 2017
Upload:
September 15, 2024
Layout: post
TOC:
false
Navigation: false
Copy to clipboard: false
Sometimes itβs not our friends, we are our own worst enemies
Iβve written a script to password protect rm like the OP requested but also put in edits to prevent you from accidentally deleting:
- /
- /home
- /bin
Edit: Mar 5 2017 - Change method of checking if running in terminal.
Create the script
Use gksu gedit /usr/local/bin/rm and copy in these lines:
#!/bin/bash
tty -s;
if [ "0" == "$?" ]; then Terminal="Y"; else Terminal="N"; fi
if [ $Terminal == "Y" ] ; then
# Running from terminal don't allow delete of / or /toplevel directory even if sudo
for i in ${@:1}
do
# Skip options -i -r -v -d
if [[ ${i:0:1} != "-" ]] ; then
# if parameter doesn't begin with '-' it's file or directory, so get real path.
fullname=$(realpath "$i" 2>&1) # No error messages if file doens't exist
# We must have at least two `/` in the full path
levels=$(echo "$fullname" | tr -cd '/' | wc -c)
if (( $levels == 1 )); then # Test for 1, will be zero when file doesn't exist.
echo "Attempting to remove top level directory '$fullname'"
echo "Use 'sudo /bin/rm $@' instead."
exit 1 # error
fi
fi
done
fi
if [[ $(id -u) != 0 ]]; then # Only non-root processes enter password (ie "sudo rm ..." is ok)
if [ $Terminal == "Y" ] ; then
# Only running from a terminal needs password (ie not cron)
# log rm usage to /var/log/syslog
PARENT_COMMAND="$(ps -o comm= $PPID)"
logger "$PARENT_COMMAND"" - rm command was used on file: ""$fullname"
# Get password
Password=$(zenity --password --title="Password for rm")
encryptPassword=$(echo -n "$Password" | md5sum)
echo "md5sum: $encryptPassword" # Comment out after viewing one time and updating line below.
if [[ "$encryptPassword" != "d2c30dc65e59558c852ea30b7338abbe -" ]]; then
echo "Invalid password!"
exit 1
fi
fi # non-terminals can't enter password.
fi # root doesn't need to enter password.
# Call REAL rm command with parameters passed to this wrapper sript
/bin/rm "$@"
exit 0
Change the password βWE2Uβ to anything you like and save the file.
Mark new rm script as executable
Flag new rm script as executable using:
sudo chmod +x /usr/local/bin/rm
How it Works
Unless the password is WE2U, the first time you run the script you will get βinvalid passwordβ and the encryption key for the password you entered is displayed. Copy and paste this encryption key from the terminal into the script. Then comment out the line with the echo that displayed the encryption key on the terminal.
Because the path /usr/local/bin is higher on the list than /bin our command rm is called. After getting valid password it calls /bin/rm to do the real removal.
As Thomas Ward pointed out in another answer, if you were to do a sudo apt-get install ... you could be asked for password a thousand times. The script checks if sudo is used and doesnβt ask for a password. Furthermore if rm is called from within GUI application no password is required.
The script calls logger to record every time rm was manually called using the terminal. Command usage is recorded to /var/log/syslog.