Safer rm commands to protect important data

Keywords: Linux github shell sudo

Almost all the secure RMS streaming on the Internet provide a rm "garbage" recycle bin, which is a bad recipe for server environment.

I think it might be better to provide a secure rm to protect some important files or directories from deletion and avoid the tragedy of deleting important data by mistake.

I wrote a script: https://github.com/malongshuai/rm_is_safe , the source code and usage are provided later in this article, but you can go to github and order a star if you want to win.

Operation mode

rm_is_safe creates a shell script named/bin/rm and backs up the native/bin/rm as/bin/rm.bak.Therefore, there is no difference in how RM was used before and how RM is used now.

To distinguish between native RM and masqueraded secure rm, the masqueraded RM command is called rm_is_safe below.

Rm_is_safe automatically checks the parameters passed when RM is called. If the parameters contain important files, this may mean a dangerous RM operation. rm_is_safe will ignore this RM directly.It's up to you to decide which documents are important.

rm_is_safe is valid for all users, including existing and future newly created users.

What are the important files?

  1. The root directory/and subdirectories and subfiles under the root directory are always automatically protected

  2. You can define files that you think are important to you in /etc/security/rm_fileignore, with one protected file path per line.For example:

    /home/junmajinlong
    /home/junmajinlong/apps
    

Now, both files defined in this file are secured and will not be deleted by rm.

Matters needing attention:

  1. Obviously, a protected directory is not recursive, so'/bin'is safe and'/bin/aaa' is not unless you add it to the / etc/security/rm_fileignore file
  2. The root directory/and subdirectories under the root directory are automatically protected without having to manually add them to/etc/security/rm_fileignore
  3. The path defined in the /etc/security/rm_fileignore file can contain any slash, and rm_is_safe is handled automatically.Therefore,'/home/junmajinlong'and'/home//junmajinlong///' are both valid paths
  4. Do not use wildcards in paths defined in /etc/security/rm_fileignore, e.g. /home/* is invalid

Usage

1. Execute the Shell script provided later in this article:

$ sudo bash rm_is_safe.sh

After execution, your RM command becomes a secure rm.

2. If you really want to delete the protected file, such as if you know/data can be deleted, you can use the native RM command, /bin/rm.bak, to delete it.

$ rm.bak /path/to/file

3. If you want to uninstall rm_is_safe, execute the function uninstall_rm_is_safe:

# If the function cannot be found, exec bash is executed before execution
$ uninstall_rm_is_safe

When uninstallation is complete, /bin/rm becomes the native RM command.

Script: rm_is_safe.sh

The script is as follows, assuming its file name is rm_is_safe.sh:

#!/bin/bash

###############################
# Author: www.junmajinlong.com
###############################

# generate /bin/rm
#   1.create file: /etc/security/rm_fileignore
#   2.backup /bin/rm to /bin/rm.bak
function rm_is_safe(){
  [ -f /etc/security/rm_fileignore ] || touch /etc/security/rm_fileignore
  if [ ! -f /bin/rm.bak ];then
    file /bin/rm | grep -q ELF && /bin/cp -f /bin/rm /bin/rm.bak
  fi

  cat >/bin/rm<<'eof'
#!/bin/bash
args=$(echo "$*" | tr -s '/' | tr -d "\042\047" )
safe_files=$(find / -maxdepth 1 | tr '\n' '|')\
           $(cat /etc/security/rm_fileignore | tr '\n' '|')
echo "$args" | grep -qP "(?:${safe_files%|})(?:/?(?=\s|$))"
if [ $? -eq 0 ];then
  echo -e "'\e[1;5;33mrm $args\e[0m' is not allowed,Exit..."
  exit 1
fi
/bin/rm.bak "$@"
eof

  chmod +x /bin/rm
}

# for uninstall rm_is_safe
# function `uninstall_rm_safe` used for uninstall
function un_rm(){
  # make efforts for all user
  if [ ! -f /etc/profile.d/rm_is_safe.sh ];then
    shopt -s nullglob
    for uh in /home/* /root /etc/skel;do
      shopt -u nullglob

cat >>$uh/.bashrc<<'eof'
# for rm_is_safe:
[ -f /etc/profile.d/rm_is_safe.sh ] && source /etc/profile.d/rm_is_safe.sh
eof
    done
  fi

cat >/etc/profile.d/rm_is_safe.sh<<'eof'
function uninstall_rm_is_safe(){
  unset uninstall_rm_is_safe
  /bin/unlink /etc/security/rm_fileignore
  /bin/cp -f /bin/rm.bak /bin/rm
  /bin/unlink /etc/profile.d/rm_is_safe.sh
  shopt -s nullglob
  for uh in /home/* /root /etc/skel;do
    shopt -u nullglob
    sed -ri '\%# for rm_is_safe%,\%/etc/profile.d/rm_is_safe.sh%d' $uh/.bashrc
  done
}
export -f uninstall_rm_is_safe
eof
}

rm_is_safe
un_rm

Posted by blade_922 on Tue, 05 May 2020 14:44:33 -0700