Before molly-guard invokes the real command, all scripts in /etc/molly-guard/run.d/ have to run and exit successfully; else, it aborts the command. run-parts(1) is used to process the directory.
molly-guard passes any script_options to the scripts, and also populates the environment with the following variables:
molly-guard prints the contents of /etc/molly-guard/messages.d/COMMAND or /etc/molly-guard/messages.d/default to the console, if either exists. This is due to /etc/molly-guard/run.d/10-print-message.
molly-guard was primarily designed to shield SSH connections. This functionality (which should arguably be provided by the openssh-server package) is implemented in /etc/molly-guard/run.d/30-query-hostname.
This script first tests whether the command is being executed from a tty which has been created by sshd. It also checks whether the variable SSH_CONNECTION is defined. If any of these tests are successful, test script queries the user for the machine's hostname, which should be sufficient to prevent the user from doing something by accident.
You can pass the --pretend-ssh script option to molly-guard to pretend that those tests succeeds. Alternatively, setting ALWAYS_QUERY_HOSTNAME in /etc/molly-guard/rc causes the script to always query.
The following situations are still UNGUARDED. If you can think of ways to protect against those, please let me know!
You have been warned. You can use the --molly-guard-do-nothing switch to prevent anything from happening, e.g. halt --molly-guard-do-nothing.
shutdown(8), halt(1), reboot(8), poweroff(8).
molly-guard is copyright by martin f. krafft. Andrew Ruthven came up with the idea of using the scripts directory and submitted a patch, which I modified a bit.
This manual page was written by martin f. krafft <email@example.com>.
Permission is granted to copy, distribute and/or modify this document under the terms of the Artistic License 2.0