Show HN: Boulette - Protect you from yourself (even as root).

For me, what is more common is the likelihood of doing something in the wrong environment (e.g. lab, dev, stage, prod). To help make things a bit more clear, our images now override the PS1 with a `(environment)` at the beginning, which is a different color, lab=green, dev=purple, prod=red. If it saves me once, it was worth it.

Why should my user have the right to shut down a production box?<p>Having a tool to warn me that I&#x27;m about to do something I shouldn&#x27;t be allowed to do is okay. Having proper access control would be better.<p>(Fun: &#x27;boulette&#x27; is French for &#x27;dumb mistake&#x27;)

What I really want is a way to get a <i>read only</i> root shell. I do a lot of work on a &quot;traditional&quot; multi-user unix host, where hundreds of scientists share a powerful computer. I often need to become root to look at files. I want to be able to do that <i>without</i> the ability to screw anything up.

Isn&#x27;t this a little over engineered? You can accomplish the same thing with a 5-line bash script. put protect.sh somewhere in your path:<p><pre><code> #!&#x2F;bin&#x2F;bash if [[ $SSH_TTY ]]; then read -p &#x27;You are in SSH. Are you sure (enter hostname for yes)? &#x27; [[ $REPLY == $(hostname) ]] || exit 2 fi exec &quot;$@&quot; </code></pre> Then in your bashrc or zshrc:<p><pre><code> alias shutdown=&#x27;protect.sh shutdown&#x27; alias reboot=&#x27;protect.sh&#x27; alias sudo=&#x27;sudo &#x27; # Don&#x27;t allow sudo to bypass the protection. Can do the same with doas</code></pre>

It&#x27;s mentioned in the bottom of the page, but I&#x27;d like to highlight that &quot;molly-guard&quot; [0] provides a very similar functionality for at least 10 years.<p>Since it&#x27;s so old, it is present in all the systems - &quot;sudo apt install molly-guard&quot; on your server, and your shutdown, reboot, etc.. are all protected, no need for 3rd party tools.<p>[0] <a href="https:&#x2F;&#x2F;www.unix.com&#x2F;man-page&#x2F;debian&#x2F;8&#x2F;MOLLY-GUARD&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.unix.com&#x2F;man-page&#x2F;debian&#x2F;8&#x2F;MOLLY-GUARD&#x2F;</a>

I like the idea, but my immediate comment here, in a spirit of thinking about what would get a tool like this wider adoption, is that &quot;boulette&quot; is a clunky thing to type on a terminal. You can be more assertive about the importance of your tool, and give it a shorter, punchier (command-line) name; it might see more use if you do.

Loving the name &quot;boulette&quot; here, which means &quot;blinder&quot; or &quot;slip-up&quot;.

Why does it take the command as a single string argument? Seems like it would make more sense to take it as an argument list, like other &quot;wrapper&quot; commands like sudo, nohup, etc., do.

I guess the name and Pignon&#x27;s picture only resonate with a French audience, thus why so many serious comments here.<p>Moi ça m&#x27;a fait sourire !

What if you alias ssh on the local machine to open a tmux with the top pane being a red warning, and then the whole thing could automatically close when ssh ends so the experience is just like normal ssh?<p>I&#x27;ve never actually used tmux, but maybe I will try it out!

I&#x27;ve basically stopped these problems by coloring the servers. My production shells have a red PS1 background. Datagrip gives a red color to my prod databases. HTML admin consoles got some red css if configurable.

I&#x27;ve a shell alias for this, requiring valid hostname for reboot, halt etc...

Running &quot;shutdown&quot; on remote hosts isn&#x27;t something I have ever needed to do routinely.<p>Is this for ephemeral dev boxes? Does shutdown suspend billing on AWS&#x2F;cloud type hosts?

ZFS snapshots with bootloader support (other CoW filesystem should also work).<p>For the specific purpose of shutdown, there has been a solution for decades: molly-guard.

I&#x27;ve worked as a sysadmin for most of my professional career, around 25 years. Sure I&#x27;ve screwed up, but I&#x27;ve learned each time. Covering everything in bubble wrap to shield you from consequences of mistakes is counter-productive. All that happens is that you learn that there are safety nets and not to think twice about what you&#x27;re doing. Also these tools are non-standard, so you&#x27;ll expect them everywhere. Don&#x27;t do this.

Seems like just aliasing `shutdown` to something with a confirmation on servers and not your local would suffice.

Just remove `&#x2F;usr&#x2F;sbin&#x2F;shutdown` and `&#x2F;usr&#x2F;sbin&#x2F;poweroff`

I would like to register a prediction of futility here, just a little more detailed than the trope of &quot;when you try to idiot proof something the universe always makes a better idiot.&quot;<p>The number of software systems I&#x27;ve seen designed to allow the clueless to bumble their way through operations is much higher than the number of companies I&#x27;ve seen that attempts to train better operators.<p>Maybe its the experience of working on tractors, where the PTO has fun side effects like &quot;degloving&quot; where, sure theres a guard but more importantly theres attention not to put your hand, hair or clothing near the spinning torque monster of doom. Theres no option to make that purely safe economically. Same goes for machine tools and other heavy equipment. The people who work around such things have been to my experience more capable at accomplishing difficult, diverse tasks.<p>Where was the last company that had anything equivalent to the lowly &quot;forklift certified&quot; for prod? Its a very rare shop I&#x27;ve seen invest in any sort of across the board training for command line skills, outages, pre-requirements for delicate operations. We don&#x27;t invest in people being better, being more capable. I think because we have internalized an owner&#x2F;management point of view that workers are fungible and training is a waste, while software system guards are investments.<p>As a worker, I don&#x27;t agree with that. I don&#x27;t agree with building systems to be powered by the lowest educated, lowest paid meat popsicles yet I think thats the strategy behind this.<p>Next time you go to build a system like this, consider who&#x27;s logged into production and can they be trained to be more capable, more attentive operators. In the long run, I think it will end up with a better industry overall.

I&#x27;m using molly-guard (htps:&#x2F;&#x2F;salsa.debian.org&#x2F;debian&#x2F;molly-guard, mentioned on Boulette&#x27;s github btw as inspiration) since years for this after I&#x27;ve remotely shut down our file server thinking I was on another tmux pane. It saved me once or twice since. Btw, molly-guard doesn&#x27;t require setting up aliases.

This says it&#x27;s inspired by molly-guard (which I love and install everywhere and has saved my bacon countless times) but I don&#x27;t see what&#x27;s different about it? Molly-guard is a single `apt install` away with no further config needed.<p>Also, the problem with a Y&#x2F;N question is that when you are bored and&#x2F;or in a hurry, you only skim the question and muscle memory takes over, and you hit Y and then you realise a few seconds later that you rebooted the wrong machine. This is why molly-guard makes you enter the hostname of the host you want to shut down.

Combination of bash profiles and alias can be used to achieve this without installing any external thing. You can prevent commands like rm, chmod, cat etc even for root user. You can also prevent root users from accessing directories where the vault, database etc. Data is written.<p>Ps. At Adaptive (<a href="http:&#x2F;&#x2F;adaptive.live" rel="nofollow">http:&#x2F;&#x2F;adaptive.live</a>), we have kind of productized something like this.

i don&#x27;t need anything reminding me that i&#x27;m in a remote shell session: i know because it lags. i also know which one from the delay&#x27;s length.