Almost all the "safe rm" solutions on the Internet give rm a recycle bin ("trash"), which is a poor fit for a server environment.
I think it is better to provide a safe rm that protects some important files or directories from deletion and avoids the tragedy of deleting important data by mistake.
I wrote a script for this: https://github.com/malongshuai/rm_is_safe. The source code and usage are provided later in this article, and you can give it a star on GitHub if you like it.
Operation mode
rm_is_safe creates a shell script named /bin/rm and backs up the native /bin/rm as /bin/rm.bak. Therefore, there is no difference between how rm was used before and how it is used now.
To distinguish the native rm from the safe rm that masquerades as it, the masquerading rm command is called rm_is_safe below.
rm_is_safe automatically checks the arguments passed when rm is called. If the arguments contain important files, this may be a dangerous rm operation, and rm_is_safe will ignore that rm call outright. It is up to you to decide which files are important.
rm_is_safe takes effect for all users, including existing users and users created in the future.
What are the important files?
- The root directory / and the subdirectories and files directly under it are always protected automatically.
- You can define the files that you consider important in /etc/security/rm_fileignore, with one protected file path per line. For example:
/home/junmajinlong
/home/junmajinlong/apps
Now both paths defined in this file are protected and will not be deleted by rm.
Notes:
- Obviously, protection of a directory is not recursive, so '/bin' is safe and '/bin/aaa' is not, unless you add it to the /etc/security/rm_fileignore file
- The root directory / and the subdirectories directly under it are protected automatically, without having to add them to /etc/security/rm_fileignore manually
- A path defined in the /etc/security/rm_fileignore file can contain any number of slashes; rm_is_safe handles this automatically. Therefore, '/home/junmajinlong' and '/home//junmajinlong///' are both valid paths
- Do not use wildcards in paths defined in /etc/security/rm_fileignore, e.g. /home/* is invalid
Usage
1. Execute the shell script provided later in this article:
$ sudo bash rm_is_safe.sh
After execution, your rm command becomes a safe rm.
2. If you really want to delete a protected file, for example if you know /data can be deleted, you can use the native rm command, /bin/rm.bak, to delete it:
$ rm.bak /path/to/file
3. If you want to uninstall rm_is_safe, run the function uninstall_rm_is_safe:
# If the function cannot be found, run exec bash first
$ uninstall_rm_is_safe
When uninstallation is complete, /bin/rm is the native rm command again.
Script: rm_is_safe.sh
The script is as follows, assuming its file name is rm_is_safe.sh:
#!/bin/bash
###############################
# Author: www.junmajinlong.com
###############################

# generate /bin/rm
# 1.create file: /etc/security/rm_fileignore
# 2.backup /bin/rm to /bin/rm.bak
function rm_is_safe(){
  [ -f /etc/security/rm_fileignore ] || touch /etc/security/rm_fileignore
  # back up only the native ELF binary, never an already installed wrapper
  if [ ! -f /bin/rm.bak ];then
    file /bin/rm | grep -q ELF && /bin/cp -f /bin/rm /bin/rm.bak
  fi

  # the quoted 'eof' keeps the wrapper body literal (nothing is expanded here)
  cat >/bin/rm<<'eof'
#!/bin/bash

# join all arguments, squeeze repeated slashes, strip quotes (\042 is ", \047 is ')
args=$(echo "$*" | tr -s '/' | tr -d "\042\047" )

# protected paths: / and its direct children, plus the entries of rm_fileignore
# (entries get repeated slashes squeezed and a trailing slash removed; blank lines are dropped)
safe_files=$(find / -maxdepth 1 | tr '\n' '|')\
$(sed -r 's%/+%/%g; s%/$%%; /^$/d' /etc/security/rm_fileignore | tr '\n' '|')

# a protected path must be followed by an optional slash and whitespace or end of line
echo "$args" | grep -qP "(?:${safe_files%|})(?:/?(?=\s|$))"

if [ $? -eq 0 ];then
  echo -e "'\e[1;5;33mrm $args\e[0m' is not allowed,Exit..."
  exit 1
fi

# nothing protected was matched: hand over to the native rm
/bin/rm.bak "$@"
eof

  chmod +x /bin/rm
}

# for uninstall rm_is_safe
# function `uninstall_rm_is_safe` used for uninstall
function un_rm(){
  # make efforts for all user
  if [ ! -f /etc/profile.d/rm_is_safe.sh ];then
    shopt -s nullglob
    for uh in /home/* /root /etc/skel;do
      shopt -u nullglob
      cat >>"$uh/.bashrc"<<'eof'

# for rm_is_safe:
[ -f /etc/profile.d/rm_is_safe.sh ] && source /etc/profile.d/rm_is_safe.sh
eof
    done
  fi

  cat >/etc/profile.d/rm_is_safe.sh<<'eof'
function uninstall_rm_is_safe(){
  unset uninstall_rm_is_safe
  /bin/unlink /etc/security/rm_fileignore
  # restore the native rm from the backup
  /bin/cp -f /bin/rm.bak /bin/rm
  /bin/unlink /etc/profile.d/rm_is_safe.sh
  shopt -s nullglob
  for uh in /home/* /root /etc/skel;do
    shopt -u nullglob
    # delete the lines that un_rm appended to each .bashrc
    sed -ri '\%# for rm_is_safe%,\%/etc/profile.d/rm_is_safe.sh%d' "$uh/.bashrc"
  done
}
export -f uninstall_rm_is_safe
eof
}

rm_is_safe
un_rm
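The protection rules described above (/ and its direct children, plus exact, non-recursive entries from a one-path-per-line list) can also be checked per operand by literal comparison after normalizing each path, which covers relative paths, "..", repeated slashes and blank list lines. This is an added example, not code from the rm_is_safe project; the function names normalize, is_protected and first_protected_arg are hypothetical.

```bash
# Added example: exact-path matching for an rm wrapper (not the project's code).
# normalize, is_protected and first_protected_arg are hypothetical names.

# Make a path absolute and collapse "//", "." and ".." without touching the
# filesystem. The subshell body keeps the IFS and noglob changes local.
normalize() (
  p=$1
  case $p in /*) ;; *) p=$PWD/$p ;; esac
  out=
  IFS=/
  set -f
  for part in $p; do
    case $part in
      ''|.) ;;
      ..)   out=${out%/*} ;;
      *)    out=$out/$part ;;
    esac
  done
  printf '%s\n' "${out:-/}"
)

# Succeed if the path is "/", a direct child of "/", or an exact entry of the
# ignore list. Matching is non-recursive, as the article describes.
is_protected() (
  target=$(normalize "$1")
  list=${2:-/etc/security/rm_fileignore}
  case ${target#/} in */*) ;; *) return 0 ;; esac
  [ -r "$list" ] || return 1
  while IFS= read -r entry || [ -n "$entry" ]; do
    case $entry in /*) ;; *) continue ;; esac   # skip blank or relative lines
    [ "$(normalize "$entry")" = "$target" ] && return 0
  done < "$list"
  return 1
)

# Print the first protected operand among rm's arguments; options are skipped
# until "--", after which everything is an operand.
first_protected_arg() (
  list=$1; shift
  opts=1
  for a in "$@"; do
    if [ "$opts" = 1 ]; then
      case $a in --) opts=0; continue ;; -*) continue ;; esac
    fi
    if is_protected "$a" "$list"; then printf '%s\n' "$a"; return 0; fi
  done
  return 1
)
```

A wrapper would run first_protected_arg /etc/security/rm_fileignore "$@" and call the native binary only when that fails, meaning no operand is protected. Because list entries are compared literally, a character such as "." in an entry matches only itself.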