I have an issue with some of my users misusing chmod by doing things like
chmod 777 ~ -Rf
I'd like to disable chmod so that only users with full sudo rights (i.e. IT) have rights. Are there any downsides to this that I might be overlooking?
Does Apache or any other common part of Linux require access to chmod that I'm overlooking?
Additionally, would the best way to do this just be:
chmod 700 /bin/chmod
Thanks!
EDIT:
To clarify, I know there are ways around it, and I know that educating my users is the right thing to do. But people don't always do what I tell them to do. Computers will... If I force my users to ask me before using chmod, I can educate them on why their rights were taken away, instruct them on the right way to do it, and selectively grant them sudo rights to chmod what they need to chmod.
At the same time, I'm hesitant to mess with one of the fundamental commands of a Linux shell. What I'm asking is, does anyone know of any side effects I might be overlooking? I.e. when you create a file, does it call chmod to set the initial permissions, or is that unrelated? Does a file copy need chmod? Are there standard services that rely on chmod that might break if only root had access to chmod?
imho, this sounds like looking for a technical solution to a human problem.
Do you allow users to use certificates to SSH in? Or write scripts (shell, CGIs, etc?)
Without access to chmod, they won't be able to set the necessary permissions to make ssh certificates work (some people might see that as an advantage, but if that's the case, you should be editing pam.conf to disallow it entirely), they'd have to call the interpreter w/ the script as an argument (eg, perl script.pl), rather than the script directly, and a webserver will refuse to run their CGIs as the permissions aren't set correctly.
Depending on what the user's default group is, and how you have the default umask set up, it's also possible that files created won't be readable by the webserver, and so can't be served at all, CGI or otherwise. Also, lack of chmod means that you can't correct problem permissions from files that were moved over via scp, which is permission preserving by default.
... giving the users sudo rights to chmod is possibly an even bigger can of worms -- as then they'd be able to run the commands as root, not as themselves, so they could affect the permissions of any user. You'd be better off making a 'chmodders' group, setting the permission on chmod to 0750, and add people to the group who are allowed to use it.
If you still want to do this, you can do it by moving the binary file from /bin/chmod to some other path like /root/chmod.
To make the users think the tool is still available, you can create a script that does nothing in the original path under /bin.
This way you can disable the chmod tool unless you specify the full path /root/chmod.
The cons are that chmod would not be available to any script that is run as non-root user which might break some things.
It is not clear what your real requirements are, but you might look at this question and the solutions.
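An added example, not part of the original posts: a way to find and repair the damage a recursive chmod 777 leaves in a home directory, and to confirm that a newly created file gets its mode from the umask without any call to chmod. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the demo tree are constructed.

# List world-writable files and directories under $1. Symlinks are skipped
# because their own mode bits are not used for access checks on Linux.
audit_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# List entries under $1/.ssh that group or other can access in any way;
# ssh refuses private keys in that state. Portable form of GNU "-perm /077".
audit_ssh() {
    [ -d "$1/.ssh" ] || return 0
    find "$1/.ssh" ! -type l \( -perm -0040 -o -perm -0020 -o -perm -0010 \
        -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Undo the recursive 777: drop other-write everywhere, lock down .ssh.
# Run as the owner or as root; it does not restore the original modes.
repair_home() {
    chmod -R o-w "$1" || return 1
    if [ -d "$1/.ssh" ]; then chmod -R go-rwx "$1/.ssh"; fi
}

# True if $1 has exactly mode $2. Used to show that a new file's mode comes
# from open(2) and the umask, with no chmod call involved.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Build a constructed home tree, damage it, and print its path.
make_damaged_home() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/.ssh" "$home/public_html"
    : > "$home/.ssh/id_ed25519"
    : > "$home/public_html/index.html"
    chmod -R 777 "$home"
    printf '%s\n' "$home"
}

demo() {
    h=$(make_damaged_home) || return 1
    echo "world-writable before: $(audit_world_writable "$h" | wc -l)"
    repair_home "$h"
    echo "world-writable after:  $(audit_world_writable "$h" | wc -l)"
    ( umask 027; : > "$h/created" )   # file creation, no chmod involved
    mode_is "$h/created" 0640 && echo "new file is 0640 from umask alone"
    rm -rf "$h"
}
demo
```

The repair only removes other-write and closes off .ssh; it cannot recover the modes the files had before the recursive change.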