step by step lshell configuration in linux

step by step lshell configuration in linux

lshell is a shell that written in python. it's also called limited shell that provides limited access environment to the user. we can define a limit on specific commands, file and directories



Install lshell in CentOS / Rhel

yum install epel*
yum install lshell




Install in Debian 
apt-get update
apt-get install lshell
Configure LShell

lshell.conf configuration file locate in etc directory, There are 4 basic sections in configuration file.

1 - [global]

2 - [default]

3 - [grp:groupname]

4 - [username]


1 - [global] : we can defines the settings which applied globally for all users ( example logs )
[global]

## log directory (default /var/log/lshell/ )

logpath : /var/log/lshell/

## set log level to 0, 1, 2, 3 or 4 (0: no logs, 1: least verbose,

## 4: log all commands)

loglevel : 2

## configure log file name (default is %u i.e. username.log)

#logfilename : %y%m%d-%u

#logfilename : syslog

## in case you are using syslog, you can choose your logname

#syslogname : myapp




Default allowed /var/log/lshell directory with log lever 2, for all users.


2 - [default] : we can set default values which applied all users and groups.

[default]

## a list of the allowed commands or 'all' to allow all commands in user's PATH

allowed : ['ls','echo','cd','ll', ‘cat’,’elinks’, ‘ip’]

# We allow cat , ip and elinks command

## a list of forbidden character or commands -- deny vim, as it allows to escape lshell

forbidden : [';', '&', '|','`','>','<', '$(', '${']

## a list of allowed command to use with sudo(8)

sudo_commands : ['ls', ‘ifconfig’ 'more']

# We allow ifconfig command

## number of warnings when user enters a forbidden value before getting

## exited from lshell, set to -1 to disable.

warning_counter : 2

## command aliases list (similar to bash’s alias directive)

aliases : {'ll':'ls -l', 'vim':'rvim', ‘cat:cat’, ‘link: ip r’, ‘elinks: link }

We set alias for checking route with “ip r” command as “link”

## introduction text to print (when entering lshell)

#intro : "== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"

## configure your promt using %u or %h (default: username)

#prompt : "%u@%h"

## set sort prompt current directory update (default: 0)

#prompt_short : 0

## a value in seconds for the session timer

#timer : 5

## list of path to restrict the user "geographicaly"

#path : ['/home/bla/','/etc']

## set the home folder of your user. If not specified the home_path is set to

## the $HOME environment variable

#home_path : '/home/bla/'

## update the environment variable $PATH of the user

#env_path : ':/usr/local/bin:/usr/sbin'

## a list of path; all executable files inside these path will be allowed

#allowed_cmd_path: ['/home/bla/bin','/home/bla/stuff/libexec']

## add environment variables

#env_vars : {'foo':1, 'bar':'helloworld'}

## allow or forbid the use of scp (set to 1 or 0)

#scp : 1

## forbid scp upload

#scp_upload : 0

## forbid scp download

#scp_download : 0

## allow of forbid the use of sftp (set to 1 or 0)

#sftp : 1

## list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)

#overssh : ['ls', 'rsync']

## logging strictness. If set to 1, any unknown command is considered as

## forbidden, and user's warning counter is decreased. If set to 0, command is

## considered as unknown, and user is only warned (i.e. *** unknown synthax)

strict : 0

## force files sent through scp to a specific directory

#scpforce : '/home/bla/uploads/'

## history file maximum size

#history_size : 100

## set history file name (default is /home/%u/.lhistory)

#history_file : "/home/%u/.lshell_history"

## define the script to run at user login

#login_script : "/path/to/myscript.sh"
3 - [grp:group name] : we specify a group with specific settings for all users of group

## Add Group

[grp:network]

allowed : + ['ping','ifconfig','traceroute','tracepath','routes','ssh','tail','cd','pwd','ls','lynx','cat','df','telnet']

aliases : {'ll':'ls -l', 'vim':'rvim', 'routes':'ip a'}

path : ['/tmp','/var/log','/var/www/html']





We create network support group and allowed some network related command, and allow to see logs folder

4 - [username] : we can specify user with specific settings, command and more to user only

# Add User

[lokesh]

allowed : ['ifconfig','APACHESTOP','APACHESTART','DBSTART','DBSTOP','traceroute','ping','tracepath','date','su']

aliases : {'ll':'ls -l', 'vim':'rvim','APACHESTOP': 'sudo /usr/bin/systemctl stop httpd.service','APACHESTART': 'sudo /usr/bin/systemctl start httpd.service','APACHESTART': 'sudo /usr/bin/systemctl start mariadb.service','DBSTOP': 'sudo /usr/bin/systemctl stop mariadb.service'}

forbidden : [';', '&', '|','`','>','<', '$(', '${']

warning_counter : 2

strict : 0

env_path : ':/usr/local/bin:/usr/sbin:/usr/bin:/sbin'




We Create Lokesh User and and allowed some service level command

Create New User and change there shell



adduser lokesh
set password of lokesh
passwd lokesh
change shell of lokesh
chsh lokesh
Login and Check



Add Existing User for lshell
chsh linuxtopic


Login and Check default 
su linuxtopic


Add linuxtopic user in network support group
usermod -aG network linuxtopic
Previous
Next Post »

1 comments:

Write comments
GrahVaidya
AUTHOR
February 8, 2018 at 10:38 AM

limited shell for limited access to users

Reply
avatar