1lshell(1) General Commands Manual lshell(1)
2
6 lshell - Limited Shell
7
10 lshell [OPTIONS]
11
14 lshell provides a limited shell configured per user. The configuration
15 is done quite simply using a configuration file. Coupled with ssh's
16 authorized_keys or with /etc/shells and /etc/passwd , it becomes very
17 easy to restrict user's access to a limited set of command.
18
21 --config <FILE>
22 Specify config file
23 --log <DIR>
25 Specify the log directory
26 -h, --help
28 Show help message
29 --version
31 Show version
32
35 You can configure lshell through its configuration file:
36 On Linux -> /etc/lshell.conf
38 On *BSD -> /usr/{pkg,local}/etc/lshell.conf
39 lshell configuration has 4 types of sections:
41 [global] -> lshell system configuration (only 1)
43 [default] -> lshell default user configuration (only 1)
44 [foo] -> UNIX username "foo" specific configuration
45 [grp:bar] -> UNIX groupname "bar" specific configuration
46 Order of priority when loading preferences is the following:
48 1- User configuration
50 2- Group configuration
51 3- Default configuration
52 [global]
54 logpath
55 config path (default is /var/log/lshell/)
56 loglevel
58 0, 1, 2, 3 or 4 (0: no logs -> 4: logs everything)
59 logfilename
61 - set to syslog in order to log to syslog
62 - set log file name, e.g. %u-%y%m%d (i.e foo-20091009.log):
63 %u -> username
64 %d -> day [1..31]
65 %m -> month [1..12]
66 %y -> year [00..99]
67 %h -> time [00:00..23:59]
68 syslogname
70 in case you are using syslog, set your logname (default: lshell)
71 [default] and/or [username] and/or [grp:groupname]
73 aliases
74 command aliases list (similar to bash's alias directive)
75 allowed
77 a list of the allowed commands or set to 'all' to allow
78 all commands in user's PATH
79 env_path
81 update the environment variable $PATH of the user
82 (optional)
83 env_vars
85 set environment variables (optional)
86 forbidden
88 a list of forbidden characters or commands
89 history_file
91 set the history filename. A wildcard can be used:
92 %u -> username (e.g. '/home/%u/.lhistory')
93 history_size
95 set the maximum size (in lines) of the history file
96 home_path (deprecated)
98 set the home folder of your user. If not specified, the
99 home directory is set to the $HOME environment variable.
100 This variable will be removed in the next version of
101 lshell, please use your system's tools to set a user's
102 home directory. A wildcard can be used:
103 %u -> username (e.g. '/home/%u')
104 intro set the introduction to print at login
106 passwd password of specific user (default is empty)
108 path list of path to restrict the user geographically
110 prompt set the user's prompt format (default: username)
112 %u -> username
113 %h -> hostname
114 overssh
116 list of command allowed to execute over ssh (e.g. rsync,
117 rdiff-backup, scp, etc.)
118 scp allow or forbid the use of scp connection - set to 1 or 0
120 scpforce
122 force files sent through scp to a specific directory
123 scp_download
125 set to 0 to forbid scp downloads (default is 1)
126 scp_upload
128 set to 0 to forbid scp uploads (default is 1)
129 sftp allow or forbid the use of sftp connection - set to 1 or
131 0
132 sudo_commands
134 a list of the allowed commands that can be used with
135 sudo(8)
136 timer a value in seconds for the session timer
138 strict logging strictness. If set to 1, any unknown command is
140 considered as forbidden, and user's warning counter is
141 decreased. If set to 0, command is considered as unknown,
142 and user is only warned (i.e. *** unknown synthax)
143 warning_counter
145 number of warnings when user enters a forbidden value
146 before getting exited from lshell. Set to -1 to disable
147 the counter, and just warn the user.
148
151 Here is the set of commands that are always available with
152 lshell:
153 clear clears the terminal
155 help, ?
157 print the list of allowed commands
158 history
160 print the commands history
161 lpath lists all allowed and forbidden path
163 lsudo lists all sudo allowed commands
165
168 $ lshell
169 Tries to run lshell using default ${PRE‐
170 FIX}/etc/lshell.conf as configuration file. If it fails a
171 warning is printed and lshell is interrupted. lshell
172 options are loaded from the configuration file
173 $ lshell --config /path/to/myconf.file --log /path/to/mylog.log
175 This will override the default options specified for con‐
176 figuration and/or log file
177
180 The primary goal of lshell, was to be able to create shell
181 accounts with ssh access and restrict their environment to a
182 couple a needed commands. In this example, User 'foo' and user
183 'bar' both belong to the 'users' UNIX group:
184 User foo:
186 - must be able to access /usr and /var but not
187 /usr/local
188 - user all command in his PATH but 'su'
189 - has a warning counter set to 5
190 - has his home path set to '/home/users'
191 User bar:
193 - must be able to access /etc and /usr but not
194 /usr/local
195 - is allowed default commands plus 'ping' minus 'ls'
196 - strictness is set to 1 (meaning he is not allowed to
197 type an unknown command)
198 In this case, my configuration file will look something like
200 this:
201 # CONFIURATION START
203 [global]
204 logpath : /var/log/lshell/
205 loglevel : 2
206 [default]
208 allowed : ['ls','pwd']
209 forbidden : [';', '&', '|']
210 warning_counter : 2
211 timer : 0
212 path : ['/etc', '/usr']
213 env_path : ':/sbin:/usr/bin/'
214 scp : 1 # or 0
215 sftp : 1 # or 0
216 overssh : ['rsync','ls']
217 aliases : {'ls':'ls --color=auto','ll':'ls -l'}
218 [grp:users]
220 warning_counter : 5
221 overssh : - ['ls']
222 [foo]
224 allowed : 'all' - ['su']
225 path : ['/var', '/usr'] - ['/usr/local']
226 home_path : '/home/users'
227 [bar]
229 allowed : + ['ping'] - ['ls']
230 path : - ['/usr/local']
231 strict : 1
232 scpforce : '/home/bar/uploads/'
233 # CONFIURATION END
234
236 In order to log a user's warnings into the logging directory
237 (default /var/log/lshell/) , you must firt create the folder (if
238 it doesn't exist yet) and chown it to lshell group:
239 # mkdir /var/log/lshell
241 # chown :lshell /var/log/lshell
242 # chmod 770 /var/log/lshell
243 then add the user to the lshell group:
245 # usermod -aG lshell user_name
247 In order to set lshell as default shell for a user:
249 On Linux:
251 # chsh -s /usr/bin/lshell user_name
252 On *BSD:
254 # chsh -s /usr/{pkg,local}/bin/lshell user_name
255
257 Currently maintained by Ignace Mouzannar (ghantoos)
258
261 Feel free to send me your recommendations at <ghantoos@ghan‐
262 toos.org>
263v0.9.14 October 27, 2010 lshell(1)