1lshell(1) General Commands Manual lshell(1)
2
3
4
6 lshell - Limited Shell
7
8
10 lshell [OPTIONS]
11
12
14 lshell provides a limited shell configured per user. The configuration
15 is done quite simply using a configuration file. Coupled with ssh's
16 authorized_keys or with /etc/shells and /etc/passwd , it becomes very
17 easy to restrict user's access to a limited set of command.
18
19
21 --config <FILE>
22 Specify config file
23
24 --log <DIR>
25 Specify the log directory
26
27 -h, --help
28 Show help message
29
30 --version
31 Show version
32
33
35 You can configure lshell through its configuration file:
36
37 On Linux -> /etc/lshell.conf
38 On *BSD -> /usr/{pkg,local}/etc/lshell.conf
39
40 lshell configuration has 4 types of sections:
41
42 [global] -> lshell system configuration (only 1)
43 [default] -> lshell default user configuration (only 1)
44 [foo] -> UNIX username "foo" specific configuration
45 [grp:bar] -> UNIX groupname "bar" specific configuration
46
47 Order of priority when loading preferences is the following:
48
49 1- User configuration
50 2- Group configuration
51 3- Default configuration
52
53 [global]
54 logpath
55 config path (default is /var/log/lshell/)
56
57 loglevel
58 0, 1, 2, 3 or 4 (0: no logs -> 4: logs everything)
59
60 logfilename
61 - set to syslog in order to log to syslog
62 - set log file name, e.g. %u-%y%m%d (i.e foo-20091009.log):
63 %u -> username
64 %d -> day [1..31]
65 %m -> month [1..12]
66 %y -> year [00..99]
67 %h -> time [00:00..23:59]
68
69 syslogname
70 in case you are using syslog, set your logname (default: lshell)
71
72 [default] and/or [username] and/or [grp:groupname]
73 aliases
74 command aliases list (similar to bash's alias directive)
75
76 allowed
77 a list of the allowed commands or set to 'all' to allow
78 all commands in user's PATH
79
80 env_path
81 update the environment variable $PATH of the user
82 (optional)
83
84 env_vars
85 set environment variables (optional)
86
87 forbidden
88 a list of forbidden characters or commands
89
90 history_file
91 set the history filename. A wildcard can be used:
92 %u -> username (e.g. '/home/%u/.lhistory')
93
94 history_size
95 set the maximum size (in lines) of the history file
96
97 home_path (deprecated)
98 set the home folder of your user. If not specified, the
99 home directory is set to the $HOME environment variable.
100 This variable will be removed in the next version of
101 lshell, please use your system's tools to set a user's
102 home directory. A wildcard can be used:
103 %u -> username (e.g. '/home/%u')
104
105 intro set the introduction to print at login
106
107 passwd password of specific user (default is empty)
108
109 path list of path to restrict the user geographically
110
111 prompt set the user's prompt format (default: username)
112 %u -> username
113 %h -> hostname
114
115 overssh
116 list of command allowed to execute over ssh (e.g. rsync,
117 rdiff-backup, scp, etc.)
118
119 scp allow or forbid the use of scp connection - set to 1 or 0
120
121 scpforce
122 force files sent through scp to a specific directory
123
124 scp_download
125 set to 0 to forbid scp downloads (default is 1)
126
127 scp_upload
128 set to 0 to forbid scp uploads (default is 1)
129
130 sftp allow or forbid the use of sftp connection - set to 1 or
131 0
132
133 sudo_commands
134 a list of the allowed commands that can be used with
135 sudo(8)
136
137 timer a value in seconds for the session timer
138
139 strict logging strictness. If set to 1, any unknown command is
140 considered as forbidden, and user's warning counter is
141 decreased. If set to 0, command is considered as unknown,
142 and user is only warned (i.e. *** unknown synthax)
143
144 warning_counter
145 number of warnings when user enters a forbidden value
146 before getting exited from lshell. Set to -1 to disable
147 the counter, and just warn the user.
148
149
151 Here is the set of commands that are always available with
152 lshell:
153
154 clear clears the terminal
155
156 help, ?
157 print the list of allowed commands
158
159 history
160 print the commands history
161
162 lpath lists all allowed and forbidden path
163
164 lsudo lists all sudo allowed commands
165
166
168 $ lshell
169 Tries to run lshell using default ${PRE‐
170 FIX}/etc/lshell.conf as configuration file. If it fails a
171 warning is printed and lshell is interrupted. lshell
172 options are loaded from the configuration file
173
174 $ lshell --config /path/to/myconf.file --log /path/to/mylog.log
175 This will override the default options specified for con‐
176 figuration and/or log file
177
178
180 The primary goal of lshell, was to be able to create shell
181 accounts with ssh access and restrict their environment to a
182 couple a needed commands. In this example, User 'foo' and user
183 'bar' both belong to the 'users' UNIX group:
184
185 User foo:
186 - must be able to access /usr and /var but not
187 /usr/local
188 - user all command in his PATH but 'su'
189 - has a warning counter set to 5
190 - has his home path set to '/home/users'
191
192 User bar:
193 - must be able to access /etc and /usr but not
194 /usr/local
195 - is allowed default commands plus 'ping' minus 'ls'
196 - strictness is set to 1 (meaning he is not allowed to
197 type an unknown command)
198
199 In this case, my configuration file will look something like
200 this:
201
202 # CONFIURATION START
203 [global]
204 logpath : /var/log/lshell/
205 loglevel : 2
206
207 [default]
208 allowed : ['ls','pwd']
209 forbidden : [';', '&', '|']
210 warning_counter : 2
211 timer : 0
212 path : ['/etc', '/usr']
213 env_path : ':/sbin:/usr/bin/'
214 scp : 1 # or 0
215 sftp : 1 # or 0
216 overssh : ['rsync','ls']
217 aliases : {'ls':'ls --color=auto','ll':'ls -l'}
218
219 [grp:users]
220 warning_counter : 5
221 overssh : - ['ls']
222
223 [foo]
224 allowed : 'all' - ['su']
225 path : ['/var', '/usr'] - ['/usr/local']
226 home_path : '/home/users'
227
228 [bar]
229 allowed : + ['ping'] - ['ls']
230 path : - ['/usr/local']
231 strict : 1
232 scpforce : '/home/bar/uploads/'
233 # CONFIURATION END
234
236 In order to log a user's warnings into the logging directory
237 (default /var/log/lshell/) , you must firt create the folder (if
238 it doesn't exist yet) and chown it to lshell group:
239
240 # mkdir /var/log/lshell
241 # chown :lshell /var/log/lshell
242 # chmod 770 /var/log/lshell
243
244 then add the user to the lshell group:
245
246 # usermod -aG lshell user_name
247
248 In order to set lshell as default shell for a user:
249
250 On Linux:
251 # chsh -s /usr/bin/lshell user_name
252
253 On *BSD:
254 # chsh -s /usr/{pkg,local}/bin/lshell user_name
255
257 Currently maintained by Ignace Mouzannar (ghantoos)
258
259
261 Feel free to send me your recommendations at <ghantoos@ghan‐
262 toos.org>
263
264
265
266v0.9.14 October 27, 2010 lshell(1)