Blacklisting Commands in Ubuntu?

Hey,

I was thinking how would I go about blacklisting commands in Ubuntu? I've been looking around and all I get is blacklisting kernel modules.

Commands like rm -rf *, which I know will clear the current directory if they have permission, but I don't want users to remove all files within their directory even if they created them.

The reason is this is for a school project, and users will have access to the server through a Shellinabox, browser terminal emulator. (Side Question: Does anyone know how to add a JavaScript file so it reads users' input, e.g. if they input rm -rf * and then blocks it? If you do then it will be of great help :)

Even if I do have that security on the terminal level in browser, I want an extra layer of security on the O/S level.

Any help will be appreciated.

Thanks. :)


You could write a script which is evaluated between when a command is read and when it is executed (in ZFS, for example, that would fall into the preexec() function).

So, the preexec() function would call your script, your script would parse the command and check if it should be allowed to be executed, and if not, throw an error back to preexec and make the shell abort the command.

I have never done this though, so I'm not sure if this would work, but if I were tasked with implementing this and I couldn't find anything else I'd probably give it a shot.

Your script could be BASH, Perl, Python etc., doesn't really matter, you'd probably parse the command with some regex magic.

BUILD LOGS: HELIOS - Latest Update: 2015-SEP-06 ::: ZEUS - BOTW 2013-JUN-28 ::: APOLLO - Complete: 2014-MAY-10
OTHER STUFF: Cable Lacing Tutorial ::: What Is ZFS? ::: mincss Primer ::: LSI RAID Card Flashing Tutorial
FORUM INFO: Community Standards ::: The Moderating Team ::: 10TB+ Storage Showoff Topic

Kind of what I was thinking for the web terminal but I cannot seem to get it to work as I want lol, it is so annoying.

So the problem that I've been having is with what type of regular expression to use.

I know of String.Match, so I could do if match say this, but still don't get how to send back an error or say you can't do this.

Other option is String.Replace, so if you input rm -rf *, I replace with Ctrl C, but that is then executed right?

So any idea of what to research in order to do this?

Thanks :)


As I've never done this (and really don't have the time to actually implement it myself ;)), this is the pseudocode for what I would try out on the O/S side at first:

function preexec
{
    legality = check_if_command_is_legal(command)
    if (!legality)
    {
        abort command # <-- I have no idea how I would implement this in the shell though
    }
}

function check_if_command_is_legal
{
    regex_magix... # check if regex matches a list of criteria

    if (command_OK)
    {
        return true
    }
    else
    {
        return false
    }
}

BUILD LOGS: HELIOS - Latest Update: 2015-SEP-06 ::: ZEUS - BOTW 2013-JUN-28 ::: APOLLO - Complete: 2014-MAY-10
OTHER STUFF: Cable Lacing Tutorial ::: What Is ZFS? ::: mincss Primer ::: LSI RAID Card Flashing Tutorial
FORUM INFO: Community Standards ::: The Moderating Team ::: 10TB+ Storage Showoff Topic
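
The pre-execution check sketched in the pseudocode above, as an added example that is not part of the original thread. It uses bash's DEBUG trap together with `shopt -s extdebug` to skip a command; the function names `command_is_allowed` and `preexec_guard` and the deny rule itself are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: advisory pre-execution guard, meant to be sourced by interactive bash.
# Function names and the deny rule are assumptions made for this illustration.

# Exit status 0 if the command line may run, 1 if it matches the deny rule:
# rm (optionally behind sudo/command/exec) with a recursive flag and a
# wildcard or whole-directory target. The body runs in a subshell so that
# `set -f` and the working variables do not leak into the user's session.
command_is_allowed() (
    recursive=0
    broad=0
    set -f                      # keep '*' literal while splitting into words
    set -- $1
    case ${1:-} in sudo|command|exec) shift ;; esac
    case ${1:-} in
        rm|*/rm) shift ;;
        *) exit 0 ;;            # not rm: nothing to check
    esac
    for arg in "$@"; do
        case $arg in
            --recursive) recursive=1 ;;
            --*) ;;             # other long options are irrelevant here
            -*[rR]*) recursive=1 ;;
            '*'|.|./|'./*'|'~'|'~/'|'~/*'|/|'/*') broad=1 ;;
        esac
    done
    [ "$recursive" -eq 1 ] && [ "$broad" -eq 1 ] && exit 1
    exit 0
)

# DEBUG-trap handler. With extdebug set, a non-zero return from the trap
# makes bash skip the command it was about to execute.
preexec_guard() {
    command_is_allowed "$1" && return 0
    printf 'blocked by policy: %s\n' "$1" >&2
    return 1
}

# Install only in interactive bash; $BASH_COMMAND holds the pending command.
if [ -n "${BASH_VERSION:-}" ]; then
    case $- in
        *i*)
            shopt -s extdebug
            trap 'preexec_guard "$BASH_COMMAND"' DEBUG
            ;;
    esac
fi
```

Sourced from a user's bash startup file, this stops the accidental `rm -rf *`. A user can still clear the trap or start a different shell, so it works as a guard rail against mistakes and not as an enforcement boundary.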
