The other day I was doing some maintenance tasks on my web server. I was in a hurry and sleepy, so I did everything using the sudo command.
And then, I accidentally pressed Ctrl+V, sending this command to my web server:
sudo rm -rf /*
For those wondering what the above command does: this deleted my whole web server.
Luckily, I had backups and sadly, I had to spend two more hours being awake to fix this awesome error. But since then, I have been wondering:
Is there a way to always enforce sudo password for specific command?
If the server asked me for a password, I would save myself from a lot of trouble. It did not, because I ran about 5 sudo commands before this majestic error.
So, is there a way to do it? I just need the password with the rm command to always be enforced. Other commands I am using are usually nano or cp, which both are (to some extent) revertable.
Best Answer
You can set the timestamp_timeout to 0 for particular commands in /etc/sudoers. Create a file visudo -f /etc/sudoers.d/pduck with the following content:
Now the user pduck is always asked for a password when running sudo rm (no matter what additional parameters are given) even though the user is a member of the sudo group and sudo remembers his password for other commands.
The downside is that you cannot easily add parameters to the /bin/rm line in the file to further restrict this. Well… you can, like:
but then you just get prompted for exactly sudo rm -f and not (again) for sudo rm -rf, for example.
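A sudoers fragment along the lines the answer describes, added here as an example (the answer's own file content did not survive on this page, and this is not a copy of it). The alias name DANGEROUS is hypothetical, and the fragment assumes pduck already has sudo rights through the sudo group, as the answer states.

```sudoers
# /etc/sudoers.d/pduck  (edit with: visudo -f /etc/sudoers.d/pduck)
# Added example. DANGEROUS is a hypothetical alias name.

# Commands that must never reuse a cached sudo credential.
# Assumption: rm is at /bin/rm, as in the answer; confirm with `command -v rm`.
Cmnd_Alias DANGEROUS = /bin/rm

# Command-specific Defaults: with timestamp_timeout=0 the cached
# credential is always treated as expired for this alias, so sudo
# prompts for the password on every invocation, whatever the arguments.
Defaults!DANGEROUS timestamp_timeout=0

# No user rule is needed here: pduck is already allowed to run rm via
# the sudo group, and Defaults entries apply independently of user rules.

# Caveat from the answer: if the alias carries arguments, e.g.
#   Cmnd_Alias DANGEROUS = /bin/rm -f
# only that exact invocation matches, so "sudo rm -rf" would fall back
# to the normal cached timeout and not prompt again.

# Syntax check after editing: visudo -cf /etc/sudoers.d/pduck
```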