Command line safety tricks [closed]
Command line and scripting is dangerous. Make a little typo with rm -rf and you are in a world of hurt. Confuse prod with stage in the name of the database while running an import script and you are boned (if they are on the same server, which is not good, but happens). Same for noticing too late that the server name where you sshed is not what you thought it was after running some commands. You have to respect the Hole Hawg.
I have a few little rituals before running risky commands - like doing a triple take check of the server I'm on. Here's an interesting article on rm safety.
What little rituals, tools and tricks keep you safe on the command line? And I mean objective things, like "first run ls foo*, look at the output of that and then substitute ls with rm -rf to avoid running rm -rf foo * or something like that", not "make sure you know what the command will do".
One that works well is using different background colors on your shell for prod/staging/test servers.
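One way to set this up in bash, as an added example that is not part of any answer here. The hostname patterns, colour choices and function names are assumptions; a host that matches no pattern gets its own loud colour rather than a "safe" one.

```shell
# Added example: pick a prompt colour from the hostname.
# Hostname patterns are assumptions; adapt them to your naming scheme.

# Map a hostname to an environment name. Prod is checked first so that
# ambiguous names such as "preprod-stg" are treated as prod.
classify_host() {
    case "$1" in
        *prod*|*prd*)       echo prod ;;
        *stag*|*stg*)       echo staging ;;
        *test*|*dev*|*qa*)  echo test ;;
        *)                  echo unknown ;;
    esac
}

# ANSI SGR codes (background;foreground) for each environment.
env_colour() {
    case "$1" in
        prod)    echo '41;97' ;;  # red background, white text
        staging) echo '43;30' ;;  # yellow background, black text
        test)    echo '42;30' ;;  # green background, black text
        *)       echo '45;97' ;;  # magenta: unclassified, treat as dangerous
    esac
}

# Build a bash PS1 string for a given hostname and numeric uid.
# \[ \] tell bash the colour codes take no width; \u \h \w are bash escapes.
build_ps1() (
    env=$(classify_host "$1")
    colour=$(env_colour "$env")
    if [ "$2" -eq 0 ]; then
        tag="ROOT $env"; mark='#'
    else
        tag=$env; mark='$'
    fi
    printf '\\[\\e[%sm\\] %s \\[\\e[0m\\] \\u@\\h:\\w%s ' "$colour" "$tag" "$mark"
)

# Only touch the prompt in interactive shells (where PS1 is already set).
if [ -n "${PS1-}" ]; then
    PS1=$(build_ps1 "$(uname -n)" "$(id -u)")
fi
```

Source it from ~/.bashrc on each server; the coloured tag then appears at the start of every prompt line.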
Have a back out plan in mind before you start.
- ZIP up a file/directory instead of deleting it right away
- set the (cisco) router to reboot in 'x' number of minutes and don't 'wr' right away
- make sure the interface you are changing is not the one you entered the system on. This could be the router interface you telnet'd to or the ethernet port VNC'd to.
- never login as 'root'
- make a backup. check that it is good. make another one.
- ask someone you trust 'Am I about to do something dumb here?'
I have a low-tech solution to some of these.
I have developed an innate habit of doing the following (when planning to work as root):
- First, logging in as a normal user, then using sudo su - root to switch to root. I do this as a mental preparation, a reminder to me that I have mentally walked into a very dangerous area and that I should be alert and on my guard at all times. Funny as it sounds, this little ritual alone has saved me a ton of grief by simply reinforcing that I cannot be careless.
- Each command is typed but the [Return] key is never pressed. Never.
- No command is ever executed without understanding exactly what it does. If you are doing this without knowing what it does, you are playing Russian roulette with your system.
- Before pressing the [Return] key, the command that was banged out on the CLI is carefully examined by eye. If there is any hesitation, any hint of potential issue, it is re-examined again. If that hesitation persists, the command is left on the line and I alt-F2 to another console to consult man pages, etc. If in a graphical session, I launch a browser and do some searching.
- No common user is ever handed sudo on my systems, not because I'm a BOFH, but because without preparation and training, this is like giving a loaded gun to a monkey. It's amusing and fun at first, until the monkey looks down the barrel and squeezes...
When using rm, I always cd to the directory first, then use a prefix of ./ to ensure that the directory is correct, i.e.
cd /usr/some/directory ; rm ./targetfile
or I specify the entire path of the file
rm /usr/some/directory/targetfile
which is a PITA but...better safe than sorry.
This one is specific to Windows Powershell.
As a policy we add the following to the machine profile.ps1 on each server. This ensures that the following are true:
- Admin powershell console windows have a dark red background color
- Administrator is added to the title
- The message "Warning: Powershell is running as an Administrator." is written at startup
- The title bar is prefixed with "Administrator: "
- Standard utilities (like corporate shell scripts, vim and infozip) are in the path.
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent() )

& {
    # Elevated console: dark red background plus a startup warning
    if ($currentPrincipal.IsInRole( [Security.Principal.WindowsBuiltInRole]::Administrator ))
    {
        (get-host).UI.RawUI.Backgroundcolor="DarkRed"
        clear-host
        write-host "Warning: PowerShell is running as an Administrator.`n"
    }

    # Set the window title and locate the utilities directory by bitness
    $utilities = $null
    if( [IntPtr]::size * 8 -eq 64 )
    {
        $host.UI.RawUI.WindowTitle = "Windows PowerShell (x64)"
        $utilities = "${env:programfiles(x86)}\Utilities"
    }
    else
    {
        $host.UI.RawUI.WindowTitle = "Windows PowerShell (x86)"
        $utilities = "${env:programfiles}\Utilities"
    }

    # Prepend the utilities directory to the path once. [regex]::Escape is
    # used because -match is a regex match and the path can contain "(x86)".
    if( (Test-Path $utilities) -and !($env:path -match [regex]::Escape($utilities)) )
    {
        $env:path = "$utilities;${env:path}"
    }
}

function Prompt
{
    # Keep the "Administrator: " prefix on the title bar of elevated consoles
    if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        if( !$host.UI.RawUI.WindowTitle.StartsWith( "Administrator: " ) )
        {
            $Host.UI.RawUI.WindowTitle = "Administrator: " + $host.UI.RawUI.WindowTitle
        }
    }
    'PS' + $(if ($nestedpromptlevel -ge 1) { '>>' }) + '> '
}
I can agree with all the above answers but I have to stress this very, very important tip:
Know when to avoid multitasking.