How to always enforce sudo password for specific command?

command-line server sudo

The other day I was doing some maintenance tasks on my web server. I was in hurry and sleepy, so I did everything using sudo command.

And then, I accidentally pressed Ctrl+V, sending this command to my web server:

sudo rm -rf /*

For those wondering what above command does: This deleted my whole web server

Luckily, I had backups and sadly, I had to spend two more hours being awake to fix this awesome error. But since then, I have been wondering:

Is there a way to always enforce sudo password for specific command?

If the server asked me for a password, I would save myself from lot of trouble. It did not, because I ran about 5 sudo commands before this majestic error.

So, is there a way to do it? I just need the password with the rm command to always be enforced. Other commands I am using are usually nano or cp which both are (to some extent) revertable.


You can set the timestamp_timeout to 0 for particular commands in /etc/sudoers. Create a file visudo -f /etc/sudoers.d/pduck with the following content:

Cmnd_Alias DANGEROUS = /bin/rm

Defaults!DANGEROUS timestamp_timeout=0

pduck ALL = (ALL:ALL) DANGEROUS

Now the user pduck is always asked for a password when running sudo rm (no matter what additional parameters are given) even though the user is member of the sudo group and sudo remembers his password for other commands.

The downside is that you cannot easily add parameters to the /bin/rm line in the file to further restrict this. Well… you can, like:

Cmnd_Alias DANGEROUS = /bin/rm -f

but then you just get prompted for exactly sudo rm -f and not (again) for sudo rm -rf, for example.


One method would be to use safe-rm. This will ONLY adress the usage of "rm" and preventing specific versions of "rm" to be run. That includes removing your root system but can also be used to prevent removing of system related directories like "/usr/" or "/var/". From the link:

Reventing the accidental deletion of important files

Safe-rm is a safety tool intended to prevent the accidental deletion of important files by replacing /bin/rm with a wrapper, which checks the given arguments against a configurable blacklist of files and directories that should never be removed.

Users who attempt to delete one of these protected files or directories will not be able to do so and will be shown a warning message instead:

$ rm -rf /usr   
Skipping /usr

(Protected paths can be set both at the site and user levels.)

Recovering important files you deleted by mistake can be quite hard. Protect yourself today by installing safe-rm and reduce the likelihood that you will need to contact a data recovery service!

enter image description here

Related

Is it possible to increase the size of the mouse pointer? [duplicate]
What's wrong with this 'find' command?
Google Talk Video Chat
Wine sound is played way too fast and crackles horribly
How can I print the contents of an array horizontally?
How to do n-D distance and nearest neighbor calculations on numpy arrays
use matplotlib color map for color cycle
AppleScript to make the preview image become the master in Aperture library?
iPhone 5 sync won't complete, stalls at waiting for changes to be applied
Apple Mail prints tiny fonts after Maverick upgrade
Trackpad (+ spotlight) semi-unresponsive, Mavericks on a 2010 MBP
OS X 10.9 Fullscreen on second display doesn't stretch to full screen, but only part of it