In this post I disclosed what I mistakenly did.
This is very shocking event for me..
Then I fixed some countermeasures to avoid this kind of dangerous operations.
Red screen during user root
This makes red screen when you switch to root.
![](https://linuxfun.org/wp-content/uploads/2023/05/image-8.png)
This is not valid during normal user.
![](https://linuxfun.org/wp-content/uploads/2023/05/image-9.png)
This is video.
You can see red screen only when root user, right?
This is realized by /etc/bash.bashrc.
You can change the color “1B2224” to what you like.
if [ -n "$SSH_TTY" ]; then if [ $UID -eq 0 ]; then echo -e "\033]11;#A00000\a" else echo -e "\033]11;#1B2224\a" fi fi
This code enables to return normal configuration when you exit from root.
mysu() { if [ 0 -eq $# ]; then \su;. /etc/bash.bashrc else \su "$*";. /etc/bash.bashrc fi } alias su='mysu'
Disallow sudo -s
Everyone likes “sudo -s” because it is convenient, right?
But it includes risks to run danger operations.
So I prevent this.
mysudo() { if [ 0 -eq $# ]; then \sudo else if [ "-s" == $1 ]; then echo "This option is not allowed." else \sudo $@ fi fi } alias sudo='mysudo'
Disallow rm by root
Adding rm to “not allowed list” in sudo configuration is also good.
$ sudo rm -rf / [sudo] password for yasu: Sorry, user yasu is not allowed to execute '/usr/sbin/rm -rf /' as root on nextcloud-server.
![](https://linuxfun.org/wp-content/uploads/2023/05/image-10.png)
This can be realized by /etc/sudoers like this.
yasu ALL=(ALL:ALL) ALL, !/usr/bin/rm
Justify the location which can be run by sudo
Maybe this isn’t essential but I did it which limits the location of executable files which can be run from sudo.
Below configuration is deactivated so I activated.
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Warning when you run sudo
As you can see below, I configured to show noticable image when running sudo to warn.
![](https://linuxfun.org/wp-content/uploads/2023/05/image-10.png)
I completely referred this web site.
– Link
Changing editor for visudo
I changed editor configuration for visudo to vim on /etc/sudoers beacuse vi is too powerless…
Defaults editor=/usr/bin/vim
Conclusion
How was it?
If you have more idea, please message me!
Thank you!
Comments