Prevent a command from being run with a specific option on your server

One week ago, our production server was down for a few seconds because the command `supervisorctl reload` had restarted the server.

Thus, I did some research to prevent the command from being run again with the reload option.

The first clue Stack Overflow gave me was to create a new binary file with the name of this command and to change my PATH variable to override the native one.

This has side effects: your binary files can be used by other scripts that you don’t know of, or worse, you can introduce security breaches by changing the user’s rights of your binary file … Moreover, this solution only lets you override the whole command.

Finally, aliases saved my life (or at least, my server’s life).

To override a command, in your .bashrc file, create a function with the exact same name. For instance, if you want to make fun of one of your colleagues, you can do:

[Screenshot 2017-05-12 at 14.28.48]

More seriously, you can test the argument given to your command, specify different behaviours, and override the option(s) you want to:

[Screenshot 2017-05-12 at 14.30.51]

If your command works with flags, you should use getopts, which has a nicer syntax.

With this trick you can prevent users from running --force, --rf and some other dangerous options on your production servers. But remember, as the joke shows, it’s just a safeguard, not real security.
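Here is an added example of the argument test described above, written for this page rather than taken from the post. It goes slightly further than checking the first argument, because options can precede the action. `SUPERVISORCTL_BIN` and `ALLOW_SUPERVISOR_RELOAD` are hypothetical names introduced for the example.

```bash
# Added example for ~/.bashrc: refuse "supervisorctl reload" on this host.
# SUPERVISORCTL_BIN and ALLOW_SUPERVISOR_RELOAD are hypothetical variables
# made up for this example; they are not supervisor settings.

supervisorctl() {
    local arg
    # Scan every argument, not only $1: options such as "-c <file>" may
    # come before the action. A managed program that is itself named
    # "reload" is refused too; for a safeguard that is the safer direction.
    for arg in "$@"; do
        if [ "$arg" = "reload" ] && [ "${ALLOW_SUPERVISOR_RELOAD:-0}" != "1" ]; then
            echo "supervisorctl reload is blocked here: it restarts supervisord." >&2
            echo "Set ALLOW_SUPERVISOR_RELOAD=1 for a single deliberate call." >&2
            return 1
        fi
    done
    # "command" skips shell functions, so this runs the real binary
    # instead of calling this function recursively.
    command "${SUPERVISORCTL_BIN:-supervisorctl}" "$@"
}
```

The function only exists in shells that read this `.bashrc`; scripts, cron jobs and calls by full path never pass through it, which is why it is a guard against accidents and not an access control.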

Please feel free to share your tips as well!