Home / server / Questions / 919423
In Process
Ram Kumar
Asked: 2018-07-05 00:24:14 +0800 CST

Restrict users to run 'history -d [arg]' and 'set +o history' commands

  • 772

We are in the early stages of standardizing our infra. As an immediate step, we want to restrict users from manipulating the history. Have setup some restrictions for the same. But recently found that there are couple of loop holes.

  • Users can remove the history entry by just running 'history -d '
  • 'set +o history' will stop the history file from being updated.

I am finding ways to restrict users from running this command. I can't think of a way out for this.

Any suggestions will be helpful. Please let me know if something isn't clear. Thanks.

We are using CentOS and our shell is bash

-Ram Kumar

linux

1 Answers

  1. First need to create an alias for history then use a wrapper to grab the option. this is a simple example but can be expanded. Create Alias for history command (this can be placed in bashrc)

    alias history='/usr/local/bin/myhistory

    then in /usr/local/bin/myhistory (you can add more cases as needed and add an else clause to go to the default history funciton): 

    if [ $username == 'myuser' ]
then 
while getopts ":d" opt; do
  case ${opt} in
    d )
      echo "Invalid Option:"
      exit 1
      ;;
  esac
done

fi

    You can look into rbash and lshell -- those are more elegant ways to restrict shells. Hope this gives you some idea.

    • 0