Prevent admins from disabling bash historyWhat stops someone from setting root password?How can I automatically rotate/archive my bash history logs?Bash History not containing all history and blank after reboot, how to resolve?Bash history too short/keeps getting deleted (possibly doesn't survive reboots)make sudoers use their own history fileHalf of bash history is missingDeleting history from ~/.bash_historyGnome Shell command prompt historyCreating a complete and alphabetically sorted .txt file of bash history
What was the deal with the news stories about rats in "Joker"?
how can traditional forms of magic compete against demon magic?
Nano able to read on write-only access file
Why does Greedo say "Maclunkey" in the Mos Eisley Cantina?
Force a HTML form to submit over IPv4
Are we sinners because we sin or do we sin because we are sinners?
How to play proper time when other instrument is playing out of time?
Running code in a different tmux pane
Is it a mistake to use a password that has previously been used (by anyone ever)?
SMD ceramic capacitor 0805 vs 1206
Can it be viewed as a negative for PhD applications in the US if I have children?
How can one "treat writing as a job" even though it doesn't pay?
What exactly is "Japanese" Salt and Pepper?
How can I improve combat so my players don't always use the strategy of collectively focusing fire on one enemy at a time until it's dead?
Unique magic triplets
NP-hard problems but only for n≥3
When can't Cramer-Rao lower bound be reached?
Locked folder with obscure app from Sourceforge, now cannot unlock folder
Should I tell an editor that I believe an article I'm reviewing is not good enough for the journal?
Several verbs in subjuntivo mood in one sentence
Can I use pavers as a cheap solution to stop rain water erosion?
Did Ohio pass a law granting students the right to give scientifically wrong answers consistent with their religious beliefs?
Looking for a reference in Greek
Isn't any conversation with the US president quid-pro-quo?
Prevent admins from disabling bash history
What stops someone from setting root password?How can I automatically rotate/archive my bash history logs?Bash History not containing all history and blank after reboot, how to resolve?Bash history too short/keeps getting deleted (possibly doesn't survive reboots)make sudoers use their own history fileHalf of bash history is missingDeleting history from ~/.bash_historyGnome Shell command prompt historyCreating a complete and alphabetically sorted .txt file of bash history
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;
I have some admins that don't want their activity seen.
They cleverly run set +o history once they log in. Doing so means that commands they run don't get recorded in the history file.
Is there a way to set .bash_history attribute to not allow this?
command-line bash administrator bash-history
edited Sep 5 at 21:29
Eliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
asked Sep 5 at 20:33
Rick PhilbrtmoRick Philbrtmo
39
add a comment
|
I have some admins that don't want their activity seen.
They cleverly run set +o history once they log in. Doing so means that commands they run don't get recorded in the history file.
Is there a way to set .bash_history attribute to not allow this?
command-line bash administrator bash-history
edited Sep 5 at 21:29
Eliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
asked Sep 5 at 20:33
Rick PhilbrtmoRick Philbrtmo
39
4
One solution: Revoke their admin privilege. It's a privilege and a position of trust. If they have demonstrated untrustworthy behavior, then perhaps they shouldn't be admins.
– user535733
Sep 5 at 21:15
add a comment
|
I have some admins that don't want their activity seen.
They cleverly run set +o history once they log in. Doing so means that commands they run don't get recorded in the history file.
Is there a way to set .bash_history attribute to not allow this?
command-line bash administrator bash-history
edited Sep 5 at 21:29
Eliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
asked Sep 5 at 20:33
Rick PhilbrtmoRick Philbrtmo
39
I have some admins that don't want their activity seen.
They cleverly run set +o history once they log in. Doing so means that commands they run don't get recorded in the history file.
Is there a way to set .bash_history attribute to not allow this?
command-line bash administrator bash-history
command-line bash administrator bash-history
edited Sep 5 at 21:29
Eliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
asked Sep 5 at 20:33
Rick PhilbrtmoRick Philbrtmo
39
edited Sep 5 at 21:29
Eliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
asked Sep 5 at 20:33
Rick PhilbrtmoRick Philbrtmo
39
edited Sep 5 at 21:29
Eliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
edited Sep 5 at 21:29
Eliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
edited Sep 5 at 21:29
Eliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
95.2k25 gold badges256 silver badges409 bronze badges
asked Sep 5 at 20:33
Rick PhilbrtmoRick Philbrtmo
39
asked Sep 5 at 20:33
Rick PhilbrtmoRick Philbrtmo
39
asked Sep 5 at 20:33
Rick PhilbrtmoRick Philbrtmo
39
39
4
One solution: Revoke their admin privilege. It's a privilege and a position of trust. If they have demonstrated untrustworthy behavior, then perhaps they shouldn't be admins.
– user535733
Sep 5 at 21:15
add a comment
|
4
One solution: Revoke their admin privilege. It's a privilege and a position of trust. If they have demonstrated untrustworthy behavior, then perhaps they shouldn't be admins.
– user535733
Sep 5 at 21:15
4
4
One solution: Revoke their admin privilege. It's a privilege and a position of trust. If they have demonstrated untrustworthy behavior, then perhaps they shouldn't be admins.
– user535733
Sep 5 at 21:15
One solution: Revoke their admin privilege. It's a privilege and a position of trust. If they have demonstrated untrustworthy behavior, then perhaps they shouldn't be admins.
– user535733
Sep 5 at 21:15
add a comment
|
1 Answer
1
active
oldest
votes
TL;DR: No. There is no way to do this that cannot be worked around extremely easily. More generally, you cannot grant someone full control of a computer system and then succeed at preventing them from performing specific actions.
This answer is based on the following assumptions, which you appear to be indicating are the case. Note that although I've used a bit of legalistic-sounding wording here, what I'm talking about is technical and practical/social. This post is not about the law.
- You are talking about a multi-user production system on which some users have been deliberately granted the ability to perform any action whatsoever, by running commands as root with
sudoand/or Polkit. (Such an ability is what "administrator" or "admin" means in Ubuntu--and it is, in essence, what it means on any system.) - You are the actual and rightful owner of that system or systems. You are not obligated, contractually or otherwise, to refrain from imposing requirements on the way those users use their administrative powers. Really what I'm trying to capture here is that the problem is not you, it's them. If the problem is you, that's great, because it means you can address it directly by changing your own behavior. But I'm going to assume that this is unfortunately not the case.
- You believe these users are using their administrative powers to perform actions that are not justified by their roles as administrators and that constitute a betrayal of your trust. Some or all of them have undertaken deliberate efforts to prevent you from knowing how they are using those powers.
If those assumptions hold, then the best possible situation is one in which you have not yet demanded that your administrators refrain from attempting to conceal their actions. In that scenario, it is imaginably possible that you could simply make this demand clear to them and that they would abide by it. If it turns out that this is feasible, then I recommend you ask your administrators why they have been concealing their actions. Perhaps they also use the system for non-administrative tasks that involve sensitive information about themselves or others that must be protected. If so, then either this is an inappropriate use of the system and you can tell them to stop doing it, or it's an appropriate use in which case that is something that can be solved with technical measures--specifically, they can be given separate non-admin accounts for such use.
Short of that, the only way to prevent them from continuing to conceal what actions they are performing with their elevated powers is to remove their elevated powers (as user535733 mentioned).
As you've described the situation, the system grants them the same technical abilities it grants you. Anything you could do to prevent bash from recording history is something they could easily undo. They could also make it hard for you to know they had undone it. As one example among many, they could let it record history but edit the history file, either automatically or manually. Also, they can use the history builtin to edit or delete history lines before they are written to a file.
Also, even when history is recorded, Bash is deliberately designed to permit the user to prevent any individual command from being recorded in the history. This is achieved by beginning the command with one or more spaces, and it is often useful for situations where one cannot avoid running a command whose arguments contain sensitive data, as well as to prevent commands that could easily cause harm under other circumstances (e.g., some rm -r commands) from being accidentally retrieved and run from the history.
Furthermore, users don't have to conceal or avoid writing to their Bash history to make it difficult or impossible to discover what actions they are performing. They don't need to use a shell, and if they do use a shell, it doesn't have to be bash, and if it is bash, it can be a separate instance of bash that is run with options like --norc to prevent it from reading configuration files. They can run a program like vim or emacs and use it to do just about whatever they want, including but not limited to starting a new shell, an interpreter like python3, or other powerful program like mc.
Looking at a user's ~/.history file is not a good way of auditing their administrative actions, since all of the techniques described above that can be used to circumvent this also have fairly frequent other uses. For example, many users perform non-trivial tasks outside of a shell. Shell history, when it is recorded at all, is recorded for the convenience of the user. It is not reliably useful for any other purpose.
There are logs you can look in to see what administrative actions have been performed, such as /var/log/auth.log. (See also man journalctl.) But any administrator can delete or modify logs. If you have administrators doing bad things, and telling them to stop doesn't work, you have no technical measure to prevent or even significantly mitigate this short of removing them as administrators. (If they are truly malicious, they may even have set up backdoors in the system to get back in even after their administrative powers are removed. Hopefully your situation is not this extreme.)
Finally, although this is not specifically about bash, shell history, or logging, I think it's worthwhile to take a moment to really think about what kinds of actions an administrator can perform. As I wrote in this answer to What stops someone from setting root password?:
You are a member of the
sudogroup. You can delete all the files on the system. You can write raw data to the hard disk, overwriting what is there irrecoverably. You can access other users' files, even if they have set restrictive permissions. You can install new firmware to your physical devices. You can dump users' passwords from the shadow database and attempt to crack them, or just reset them. You can install malware that infringes users' privacy or destroys data, including keyloggers and ransomware. You can do some really weird stuff with your network interfaces. You can make the system misinform users about the security of their communications. You can cover your tracks. You can hand all these powers, and others I haven't listed, over to people who will use them for evil. When it comes to misusingsudoor Polkit, those are the kinds of things you should be concerned about.
See also Panther's answer to that question.
answered Sep 5 at 21:24
Eliah KaganEliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
2
this is really the only true answer. if you and UserX are both admins, and changes you do they can undo and vice versa. Remove the untrustworthy user from admin/sudo privileges as soon as you can.
– Thomas Ward♦
Sep 5 at 21:58
@ThomasWard Linux was born on an IBM PC/AT in 1993 which was considered a multi-user joke at the time of S/36, S/38, S/390 and DEC VAX. Perhaps it's time for a Paradigm Shift in Linux where some commands have to be approved by two or more sudo users. This would have to be a Linux kernel team change request and beyond the scope of Ubuntu. It's not a problem for my three user laptop system comprised of Me, Myself and I but I sympathize with Linux mutlti-user system owners. A single Snowden with Sudo can bring down the NSA for good purposes but Sudo in hands of a white collar criminal could....
– WinEunuuchs2Unix
Sep 18 at 3:52
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "89"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1171160%2fprevent-admins-from-disabling-bash-history%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
TL;DR: No. There is no way to do this that cannot be worked around extremely easily. More generally, you cannot grant someone full control of a computer system and then succeed at preventing them from performing specific actions.
This answer is based on the following assumptions, which you appear to be indicating are the case. Note that although I've used a bit of legalistic-sounding wording here, what I'm talking about is technical and practical/social. This post is not about the law.
- You are talking about a multi-user production system on which some users have been deliberately granted the ability to perform any action whatsoever, by running commands as root with
sudoand/or Polkit. (Such an ability is what "administrator" or "admin" means in Ubuntu--and it is, in essence, what it means on any system.) - You are the actual and rightful owner of that system or systems. You are not obligated, contractually or otherwise, to refrain from imposing requirements on the way those users use their administrative powers. Really what I'm trying to capture here is that the problem is not you, it's them. If the problem is you, that's great, because it means you can address it directly by changing your own behavior. But I'm going to assume that this is unfortunately not the case.
- You believe these users are using their administrative powers to perform actions that are not justified by their roles as administrators and that constitute a betrayal of your trust. Some or all of them have undertaken deliberate efforts to prevent you from knowing how they are using those powers.
If those assumptions hold, then the best possible situation is one in which you have not yet demanded that your administrators refrain from attempting to conceal their actions. In that scenario, it is imaginably possible that you could simply make this demand clear to them and that they would abide by it. If it turns out that this is feasible, then I recommend you ask your administrators why they have been concealing their actions. Perhaps they also use the system for non-administrative tasks that involve sensitive information about themselves or others that must be protected. If so, then either this is an inappropriate use of the system and you can tell them to stop doing it, or it's an appropriate use in which case that is something that can be solved with technical measures--specifically, they can be given separate non-admin accounts for such use.
Short of that, the only way to prevent them from continuing to conceal what actions they are performing with their elevated powers is to remove their elevated powers (as user535733 mentioned).
As you've described the situation, the system grants them the same technical abilities it grants you. Anything you could do to prevent bash from recording history is something they could easily undo. They could also make it hard for you to know they had undone it. As one example among many, they could let it record history but edit the history file, either automatically or manually. Also, they can use the history builtin to edit or delete history lines before they are written to a file.
Also, even when history is recorded, Bash is deliberately designed to permit the user to prevent any individual command from being recorded in the history. This is achieved by beginning the command with one or more spaces, and it is often useful for situations where one cannot avoid running a command whose arguments contain sensitive data, as well as to prevent commands that could easily cause harm under other circumstances (e.g., some rm -r commands) from being accidentally retrieved and run from the history.
Furthermore, users don't have to conceal or avoid writing to their Bash history to make it difficult or impossible to discover what actions they are performing. They don't need to use a shell, and if they do use a shell, it doesn't have to be bash, and if it is bash, it can be a separate instance of bash that is run with options like --norc to prevent it from reading configuration files. They can run a program like vim or emacs and use it to do just about whatever they want, including but not limited to starting a new shell, an interpreter like python3, or other powerful program like mc.
Looking at a user's ~/.history file is not a good way of auditing their administrative actions, since all of the techniques described above that can be used to circumvent this also have fairly frequent other uses. For example, many users perform non-trivial tasks outside of a shell. Shell history, when it is recorded at all, is recorded for the convenience of the user. It is not reliably useful for any other purpose.
There are logs you can look in to see what administrative actions have been performed, such as /var/log/auth.log. (See also man journalctl.) But any administrator can delete or modify logs. If you have administrators doing bad things, and telling them to stop doesn't work, you have no technical measure to prevent or even significantly mitigate this short of removing them as administrators. (If they are truly malicious, they may even have set up backdoors in the system to get back in even after their administrative powers are removed. Hopefully your situation is not this extreme.)
Finally, although this is not specifically about bash, shell history, or logging, I think it's worthwhile to take a moment to really think about what kinds of actions an administrator can perform. As I wrote in this answer to What stops someone from setting root password?:
You are a member of the
sudogroup. You can delete all the files on the system. You can write raw data to the hard disk, overwriting what is there irrecoverably. You can access other users' files, even if they have set restrictive permissions. You can install new firmware to your physical devices. You can dump users' passwords from the shadow database and attempt to crack them, or just reset them. You can install malware that infringes users' privacy or destroys data, including keyloggers and ransomware. You can do some really weird stuff with your network interfaces. You can make the system misinform users about the security of their communications. You can cover your tracks. You can hand all these powers, and others I haven't listed, over to people who will use them for evil. When it comes to misusingsudoor Polkit, those are the kinds of things you should be concerned about.
See also Panther's answer to that question.
answered Sep 5 at 21:24
Eliah KaganEliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
2
this is really the only true answer. if you and UserX are both admins, and changes you do they can undo and vice versa. Remove the untrustworthy user from admin/sudo privileges as soon as you can.
– Thomas Ward♦
Sep 5 at 21:58
@ThomasWard Linux was born on an IBM PC/AT in 1993 which was considered a multi-user joke at the time of S/36, S/38, S/390 and DEC VAX. Perhaps it's time for a Paradigm Shift in Linux where some commands have to be approved by two or more sudo users. This would have to be a Linux kernel team change request and beyond the scope of Ubuntu. It's not a problem for my three user laptop system comprised of Me, Myself and I but I sympathize with Linux mutlti-user system owners. A single Snowden with Sudo can bring down the NSA for good purposes but Sudo in hands of a white collar criminal could....
– WinEunuuchs2Unix
Sep 18 at 3:52
add a comment
|
TL;DR: No. There is no way to do this that cannot be worked around extremely easily. More generally, you cannot grant someone full control of a computer system and then succeed at preventing them from performing specific actions.
This answer is based on the following assumptions, which you appear to be indicating are the case. Note that although I've used a bit of legalistic-sounding wording here, what I'm talking about is technical and practical/social. This post is not about the law.
- You are talking about a multi-user production system on which some users have been deliberately granted the ability to perform any action whatsoever, by running commands as root with
sudoand/or Polkit. (Such an ability is what "administrator" or "admin" means in Ubuntu--and it is, in essence, what it means on any system.) - You are the actual and rightful owner of that system or systems. You are not obligated, contractually or otherwise, to refrain from imposing requirements on the way those users use their administrative powers. Really what I'm trying to capture here is that the problem is not you, it's them. If the problem is you, that's great, because it means you can address it directly by changing your own behavior. But I'm going to assume that this is unfortunately not the case.
- You believe these users are using their administrative powers to perform actions that are not justified by their roles as administrators and that constitute a betrayal of your trust. Some or all of them have undertaken deliberate efforts to prevent you from knowing how they are using those powers.
If those assumptions hold, then the best possible situation is one in which you have not yet demanded that your administrators refrain from attempting to conceal their actions. In that scenario, it is imaginably possible that you could simply make this demand clear to them and that they would abide by it. If it turns out that this is feasible, then I recommend you ask your administrators why they have been concealing their actions. Perhaps they also use the system for non-administrative tasks that involve sensitive information about themselves or others that must be protected. If so, then either this is an inappropriate use of the system and you can tell them to stop doing it, or it's an appropriate use in which case that is something that can be solved with technical measures--specifically, they can be given separate non-admin accounts for such use.
Short of that, the only way to prevent them from continuing to conceal what actions they are performing with their elevated powers is to remove their elevated powers (as user535733 mentioned).
As you've described the situation, the system grants them the same technical abilities it grants you. Anything you could do to prevent bash from recording history is something they could easily undo. They could also make it hard for you to know they had undone it. As one example among many, they could let it record history but edit the history file, either automatically or manually. Also, they can use the history builtin to edit or delete history lines before they are written to a file.
Also, even when history is recorded, Bash is deliberately designed to permit the user to prevent any individual command from being recorded in the history. This is achieved by beginning the command with one or more spaces, and it is often useful for situations where one cannot avoid running a command whose arguments contain sensitive data, as well as to prevent commands that could easily cause harm under other circumstances (e.g., some rm -r commands) from being accidentally retrieved and run from the history.
Furthermore, users don't have to conceal or avoid writing to their Bash history to make it difficult or impossible to discover what actions they are performing. They don't need to use a shell, and if they do use a shell, it doesn't have to be bash, and if it is bash, it can be a separate instance of bash that is run with options like --norc to prevent it from reading configuration files. They can run a program like vim or emacs and use it to do just about whatever they want, including but not limited to starting a new shell, an interpreter like python3, or other powerful program like mc.
Looking at a user's ~/.history file is not a good way of auditing their administrative actions, since all of the techniques described above that can be used to circumvent this also have fairly frequent other uses. For example, many users perform non-trivial tasks outside of a shell. Shell history, when it is recorded at all, is recorded for the convenience of the user. It is not reliably useful for any other purpose.
There are logs you can look in to see what administrative actions have been performed, such as /var/log/auth.log. (See also man journalctl.) But any administrator can delete or modify logs. If you have administrators doing bad things, and telling them to stop doesn't work, you have no technical measure to prevent or even significantly mitigate this short of removing them as administrators. (If they are truly malicious, they may even have set up backdoors in the system to get back in even after their administrative powers are removed. Hopefully your situation is not this extreme.)
Finally, although this is not specifically about bash, shell history, or logging, I think it's worthwhile to take a moment to really think about what kinds of actions an administrator can perform. As I wrote in this answer to What stops someone from setting root password?:
You are a member of the
sudogroup. You can delete all the files on the system. You can write raw data to the hard disk, overwriting what is there irrecoverably. You can access other users' files, even if they have set restrictive permissions. You can install new firmware to your physical devices. You can dump users' passwords from the shadow database and attempt to crack them, or just reset them. You can install malware that infringes users' privacy or destroys data, including keyloggers and ransomware. You can do some really weird stuff with your network interfaces. You can make the system misinform users about the security of their communications. You can cover your tracks. You can hand all these powers, and others I haven't listed, over to people who will use them for evil. When it comes to misusingsudoor Polkit, those are the kinds of things you should be concerned about.
See also Panther's answer to that question.
answered Sep 5 at 21:24
Eliah KaganEliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
2
this is really the only true answer. if you and UserX are both admins, and changes you do they can undo and vice versa. Remove the untrustworthy user from admin/sudo privileges as soon as you can.
– Thomas Ward♦
Sep 5 at 21:58
@ThomasWard Linux was born on an IBM PC/AT in 1993 which was considered a multi-user joke at the time of S/36, S/38, S/390 and DEC VAX. Perhaps it's time for a Paradigm Shift in Linux where some commands have to be approved by two or more sudo users. This would have to be a Linux kernel team change request and beyond the scope of Ubuntu. It's not a problem for my three user laptop system comprised of Me, Myself and I but I sympathize with Linux mutlti-user system owners. A single Snowden with Sudo can bring down the NSA for good purposes but Sudo in hands of a white collar criminal could....
– WinEunuuchs2Unix
Sep 18 at 3:52
add a comment
|
TL;DR: No. There is no way to do this that cannot be worked around extremely easily. More generally, you cannot grant someone full control of a computer system and then succeed at preventing them from performing specific actions.
This answer is based on the following assumptions, which you appear to be indicating are the case. Note that although I've used a bit of legalistic-sounding wording here, what I'm talking about is technical and practical/social. This post is not about the law.
- You are talking about a multi-user production system on which some users have been deliberately granted the ability to perform any action whatsoever, by running commands as root with
sudoand/or Polkit. (Such an ability is what "administrator" or "admin" means in Ubuntu--and it is, in essence, what it means on any system.) - You are the actual and rightful owner of that system or systems. You are not obligated, contractually or otherwise, to refrain from imposing requirements on the way those users use their administrative powers. Really what I'm trying to capture here is that the problem is not you, it's them. If the problem is you, that's great, because it means you can address it directly by changing your own behavior. But I'm going to assume that this is unfortunately not the case.
- You believe these users are using their administrative powers to perform actions that are not justified by their roles as administrators and that constitute a betrayal of your trust. Some or all of them have undertaken deliberate efforts to prevent you from knowing how they are using those powers.
If those assumptions hold, then the best possible situation is one in which you have not yet demanded that your administrators refrain from attempting to conceal their actions. In that scenario, it is imaginably possible that you could simply make this demand clear to them and that they would abide by it. If it turns out that this is feasible, then I recommend you ask your administrators why they have been concealing their actions. Perhaps they also use the system for non-administrative tasks that involve sensitive information about themselves or others that must be protected. If so, then either this is an inappropriate use of the system and you can tell them to stop doing it, or it's an appropriate use in which case that is something that can be solved with technical measures--specifically, they can be given separate non-admin accounts for such use.
Short of that, the only way to prevent them from continuing to conceal what actions they are performing with their elevated powers is to remove their elevated powers (as user535733 mentioned).
As you've described the situation, the system grants them the same technical abilities it grants you. Anything you could do to prevent bash from recording history is something they could easily undo. They could also make it hard for you to know they had undone it. As one example among many, they could let it record history but edit the history file, either automatically or manually. Also, they can use the history builtin to edit or delete history lines before they are written to a file.
Also, even when history is recorded, Bash is deliberately designed to permit the user to prevent any individual command from being recorded in the history. This is achieved by beginning the command with one or more spaces, and it is often useful for situations where one cannot avoid running a command whose arguments contain sensitive data, as well as to prevent commands that could easily cause harm under other circumstances (e.g., some rm -r commands) from being accidentally retrieved and run from the history.
Furthermore, users don't have to conceal or avoid writing to their Bash history to make it difficult or impossible to discover what actions they are performing. They don't need to use a shell, and if they do use a shell, it doesn't have to be bash, and if it is bash, it can be a separate instance of bash that is run with options like --norc to prevent it from reading configuration files. They can run a program like vim or emacs and use it to do just about whatever they want, including but not limited to starting a new shell, an interpreter like python3, or other powerful program like mc.
Looking at a user's ~/.history file is not a good way of auditing their administrative actions, since all of the techniques described above that can be used to circumvent this also have fairly frequent other uses. For example, many users perform non-trivial tasks outside of a shell. Shell history, when it is recorded at all, is recorded for the convenience of the user. It is not reliably useful for any other purpose.
There are logs you can look in to see what administrative actions have been performed, such as /var/log/auth.log. (See also man journalctl.) But any administrator can delete or modify logs. If you have administrators doing bad things, and telling them to stop doesn't work, you have no technical measure to prevent or even significantly mitigate this short of removing them as administrators. (If they are truly malicious, they may even have set up backdoors in the system to get back in even after their administrative powers are removed. Hopefully your situation is not this extreme.)
Finally, although this is not specifically about bash, shell history, or logging, I think it's worthwhile to take a moment to really think about what kinds of actions an administrator can perform. As I wrote in this answer to What stops someone from setting root password?:
You are a member of the
sudogroup. You can delete all the files on the system. You can write raw data to the hard disk, overwriting what is there irrecoverably. You can access other users' files, even if they have set restrictive permissions. You can install new firmware to your physical devices. You can dump users' passwords from the shadow database and attempt to crack them, or just reset them. You can install malware that infringes users' privacy or destroys data, including keyloggers and ransomware. You can do some really weird stuff with your network interfaces. You can make the system misinform users about the security of their communications. You can cover your tracks. You can hand all these powers, and others I haven't listed, over to people who will use them for evil. When it comes to misusingsudoor Polkit, those are the kinds of things you should be concerned about.
See also Panther's answer to that question.
answered Sep 5 at 21:24
Eliah KaganEliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
TL;DR: No. There is no way to do this that cannot be worked around extremely easily. More generally, you cannot grant someone full control of a computer system and then succeed at preventing them from performing specific actions.
This answer is based on the following assumptions, which you appear to be indicating are the case. Note that although I've used a bit of legalistic-sounding wording here, what I'm talking about is technical and practical/social. This post is not about the law.
- You are talking about a multi-user production system on which some users have been deliberately granted the ability to perform any action whatsoever, by running commands as root with
sudoand/or Polkit. (Such an ability is what "administrator" or "admin" means in Ubuntu--and it is, in essence, what it means on any system.) - You are the actual and rightful owner of that system or systems. You are not obligated, contractually or otherwise, to refrain from imposing requirements on the way those users use their administrative powers. Really what I'm trying to capture here is that the problem is not you, it's them. If the problem is you, that's great, because it means you can address it directly by changing your own behavior. But I'm going to assume that this is unfortunately not the case.
- You believe these users are using their administrative powers to perform actions that are not justified by their roles as administrators and that constitute a betrayal of your trust. Some or all of them have undertaken deliberate efforts to prevent you from knowing how they are using those powers.
If those assumptions hold, then the best possible situation is one in which you have not yet demanded that your administrators refrain from attempting to conceal their actions. In that scenario, it is imaginably possible that you could simply make this demand clear to them and that they would abide by it. If it turns out that this is feasible, then I recommend you ask your administrators why they have been concealing their actions. Perhaps they also use the system for non-administrative tasks that involve sensitive information about themselves or others that must be protected. If so, then either this is an inappropriate use of the system and you can tell them to stop doing it, or it's an appropriate use in which case that is something that can be solved with technical measures--specifically, they can be given separate non-admin accounts for such use.
Short of that, the only way to prevent them from continuing to conceal what actions they are performing with their elevated powers is to remove their elevated powers (as user535733 mentioned).
As you've described the situation, the system grants them the same technical abilities it grants you. Anything you could do to prevent bash from recording history is something they could easily undo. They could also make it hard for you to know they had undone it. As one example among many, they could let it record history but edit the history file, either automatically or manually. Also, they can use the history builtin to edit or delete history lines before they are written to a file.
Also, even when history is recorded, Bash is deliberately designed to permit the user to prevent any individual command from being recorded in the history. This is achieved by beginning the command with one or more spaces, and it is often useful for situations where one cannot avoid running a command whose arguments contain sensitive data, as well as to prevent commands that could easily cause harm under other circumstances (e.g., some rm -r commands) from being accidentally retrieved and run from the history.
Furthermore, users don't have to conceal or avoid writing to their Bash history to make it difficult or impossible to discover what actions they are performing. They don't need to use a shell, and if they do use a shell, it doesn't have to be bash, and if it is bash, it can be a separate instance of bash that is run with options like --norc to prevent it from reading configuration files. They can run a program like vim or emacs and use it to do just about whatever they want, including but not limited to starting a new shell, an interpreter like python3, or other powerful program like mc.
Looking at a user's ~/.history file is not a good way of auditing their administrative actions, since all of the techniques described above that can be used to circumvent this also have fairly frequent other uses. For example, many users perform non-trivial tasks outside of a shell. Shell history, when it is recorded at all, is recorded for the convenience of the user. It is not reliably useful for any other purpose.
There are logs you can look in to see what administrative actions have been performed, such as /var/log/auth.log. (See also man journalctl.) But any administrator can delete or modify logs. If you have administrators doing bad things, and telling them to stop doesn't work, you have no technical measure to prevent or even significantly mitigate this short of removing them as administrators. (If they are truly malicious, they may even have set up backdoors in the system to get back in even after their administrative powers are removed. Hopefully your situation is not this extreme.)
Finally, although this is not specifically about bash, shell history, or logging, I think it's worthwhile to take a moment to really think about what kinds of actions an administrator can perform. As I wrote in this answer to What stops someone from setting root password?:
You are a member of the
sudogroup. You can delete all the files on the system. You can write raw data to the hard disk, overwriting what is there irrecoverably. You can access other users' files, even if they have set restrictive permissions. You can install new firmware to your physical devices. You can dump users' passwords from the shadow database and attempt to crack them, or just reset them. You can install malware that infringes users' privacy or destroys data, including keyloggers and ransomware. You can do some really weird stuff with your network interfaces. You can make the system misinform users about the security of their communications. You can cover your tracks. You can hand all these powers, and others I haven't listed, over to people who will use them for evil. When it comes to misusingsudoor Polkit, those are the kinds of things you should be concerned about.
See also Panther's answer to that question.
answered Sep 5 at 21:24
Eliah KaganEliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
edited Sep 18 at 1:51
answered Sep 5 at 21:24
Eliah KaganEliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
answered Sep 5 at 21:24
Eliah KaganEliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
answered Sep 5 at 21:24
Eliah KaganEliah Kagan
95.2k25 gold badges256 silver badges409 bronze badges
95.2k25 gold badges256 silver badges409 bronze badges
2
this is really the only true answer. if you and UserX are both admins, and changes you do they can undo and vice versa. Remove the untrustworthy user from admin/sudo privileges as soon as you can.
– Thomas Ward♦
Sep 5 at 21:58
@ThomasWard Linux was born on an IBM PC/AT in 1993 which was considered a multi-user joke at the time of S/36, S/38, S/390 and DEC VAX. Perhaps it's time for a Paradigm Shift in Linux where some commands have to be approved by two or more sudo users. This would have to be a Linux kernel team change request and beyond the scope of Ubuntu. It's not a problem for my three user laptop system comprised of Me, Myself and I but I sympathize with Linux mutlti-user system owners. A single Snowden with Sudo can bring down the NSA for good purposes but Sudo in hands of a white collar criminal could....
– WinEunuuchs2Unix
Sep 18 at 3:52
add a comment
|
2
this is really the only true answer. if you and UserX are both admins, and changes you do they can undo and vice versa. Remove the untrustworthy user from admin/sudo privileges as soon as you can.
– Thomas Ward♦
Sep 5 at 21:58
@ThomasWard Linux was born on an IBM PC/AT in 1993 which was considered a multi-user joke at the time of S/36, S/38, S/390 and DEC VAX. Perhaps it's time for a Paradigm Shift in Linux where some commands have to be approved by two or more sudo users. This would have to be a Linux kernel team change request and beyond the scope of Ubuntu. It's not a problem for my three user laptop system comprised of Me, Myself and I but I sympathize with Linux mutlti-user system owners. A single Snowden with Sudo can bring down the NSA for good purposes but Sudo in hands of a white collar criminal could....
– WinEunuuchs2Unix
Sep 18 at 3:52
2
2
this is really the only true answer. if you and UserX are both admins, and changes you do they can undo and vice versa. Remove the untrustworthy user from admin/sudo privileges as soon as you can.
– Thomas Ward♦
Sep 5 at 21:58
this is really the only true answer. if you and UserX are both admins, and changes you do they can undo and vice versa. Remove the untrustworthy user from admin/sudo privileges as soon as you can.
– Thomas Ward♦
Sep 5 at 21:58
@ThomasWard Linux was born on an IBM PC/AT in 1993 which was considered a multi-user joke at the time of S/36, S/38, S/390 and DEC VAX. Perhaps it's time for a Paradigm Shift in Linux where some commands have to be approved by two or more sudo users. This would have to be a Linux kernel team change request and beyond the scope of Ubuntu. It's not a problem for my three user laptop system comprised of Me, Myself and I but I sympathize with Linux mutlti-user system owners. A single Snowden with Sudo can bring down the NSA for good purposes but Sudo in hands of a white collar criminal could....
– WinEunuuchs2Unix
Sep 18 at 3:52
@ThomasWard Linux was born on an IBM PC/AT in 1993 which was considered a multi-user joke at the time of S/36, S/38, S/390 and DEC VAX. Perhaps it's time for a Paradigm Shift in Linux where some commands have to be approved by two or more sudo users. This would have to be a Linux kernel team change request and beyond the scope of Ubuntu. It's not a problem for my three user laptop system comprised of Me, Myself and I but I sympathize with Linux mutlti-user system owners. A single Snowden with Sudo can bring down the NSA for good purposes but Sudo in hands of a white collar criminal could....
– WinEunuuchs2Unix
Sep 18 at 3:52
add a comment
|
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1171160%2fprevent-admins-from-disabling-bash-history%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
4
One solution: Revoke their admin privilege. It's a privilege and a position of trust. If they have demonstrated untrustworthy behavior, then perhaps they shouldn't be admins.
– user535733
Sep 5 at 21:15