Jan 29

Limited Shell (lshell) – Comments

Ignace Mouzannar (ghantoos) @ 12:35 pm

This was the original lshell project page. As it has been moved here, this page now keeps track of the comments that were posted.

So, if you don’t want to open a thread, or mail me, you can leave a comment here. ;)

Cheers,
Ignace M -ghantoos-

34 Responses to “Limited Shell (lshell) – Comments”

  1. zeridon says:

    I’ve accomplished a similar feat for the sake of archiving my site using authprogs.pl from hackinglinuxexposed

    you can check it at: http://www.getoto.net/2007/11/backup-with-rsnapshot-and-ssh/lang/en/

    Frankly, Python is a bit heavier than Perl, so … I prefer Perl.

  2. linux454 says:

    Also recall that vi is not a safe command to allow, as it allows shell escapes.

  3. Ignace Mouzannar (-ghantoos-) says:

    linux454 says: Also recall that vi is not a safe command to allow, as it allows shell escapes.

    True. I had just put it as an example. It has been corrected. : )
    Cheers,
    ghantoos

  4. Valery says:

    telnet allows shell escape too. Some (long) time ago I wrote the noexec project (http://noexec.sf.net) to prevent shell escape (or actually any program execution) in cases like lshell’s. (noexec uses LD_PRELOAD to turn any exec* into a NOP.)

    By the way, the noexec idea was integrated in sudo. So feel free to use it too :)

    Valery.

  5. Ignace Mouzannar (-ghantoos-) says:


    telnet allows shell escape too. Some (long) time ago I wrote the noexec project (http://noexec.sf.net) to prevent shell escape (or actually any program execution) in cases like lshell’s. (noexec uses LD_PRELOAD to turn any exec* into a NOP.)

    By the way, the noexec idea was integrated in sudo. So feel free to use it too :)

    Valery.

    Great stuff! Thank you Valery for your suggestion! : )
    I took a look at http://noexec.sf.net. I will definitely try to use it with lshell!
    Cheers!
    ghantoos

  6. Jonathan Patschke says:

    Almost all Bourne-family shells (modern sh, ksh, jsh, bash) support a “restricted mode” that has functionality like this built-in (read the man page). Execution of programs via absolute paths is prohibited, and the user is unable to redefine the PATH variable. Set PATH appropriately (and activate restricted mode) in the user’s profile, deny editing of the profile, and symlink the programs you want available to something in the user’s PATH, and you’re done: no perl or python necessary. If you set ENV (or use .bashrc for bash) to a script that reactivates the restrictions, even shell escapes (via system(3), not exec(2)) from vi and telnet are handled.

  7. Ignace Mouzannar (-ghantoos-) says:

    Almost all Bourne-family shells (modern sh, ksh, jsh, bash) support a “restricted mode” that has functionality like this built-in (read the man page). (…) If you set ENV (or use .bashrc for bash) to a script that reactivates the restrictions, even shell escapes (via system(3), not exec(2)) from vi and telnet are handled.

    Sorry Jonathan, but I have read the man pages you talked about.
    And sincerely, I prefer having one and *only* configuration file for all my ssh users, rather than creating folders with symlinks for each different user.
    I feel it’s clearer and cleaner. : )
    Python had my solution.
    Nevertheless, thanks for the tip using .bashrc to activate restrictions on shell escapes.

    Cheers,
    ghantoos

  8. youdah says:

    well, now read something about ssh and then rewrite your code so that it really works :)))

  9. Ignace Mouzannar (-ghantoos-) says:

    well, now read something about ssh and then rewrite your code so that it really works :)))

    Thank you youdah (or zdenda..) for this very useful comment. : )

    Cheers,
    ghantoos

  10. DennyHalim.com: Firewall says:

  11. Aday says:

    Thank you!!
    This was very handy!

    We needed a way to allow the staff at the datacentre to shutdown machines.
    This saved me from having to chroot users etc.

    Thanks :)

  12. KaZso says:

    Hi Ignace!

    lshell is a good choice for me; however, I have a big problem. I must use rsync, but it isn’t “compatible” with lshell.
    Command(connect to localhost): $ rsync -ravvvvv file leves@192.168.1.2:

    The error is:
    (Client) Protocol versions: remote=1920102227, negotiated=30
    protocol version mismatch -- is your shell clean?
    (see the rsync man page for an explanation)
    _exit_cleanup(code=2, file=compat.c, line=168): entered
    rsync error: protocol incompatibility (code 2) at compat.c(168) [sender=3.0.3]
    _exit_cleanup(code=2, file=compat.c, line=168): about to call exit(2).

    I think, the problem is: “is your shell clean?”.

    Please, help me, and make lshell rsync compatible, if possible.

    I trust your solution,
    Thanks, Zsolt
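A diagnostic for the rsync error in the comment above, as an added example that is not part of the original comments or of lshell: assuming rsync reads the peer's protocol version as a 32-bit little-endian integer, the bogus `remote=` number can be turned back into the four bytes the remote side actually sent. The function name is hypothetical.

```python
import re
import struct

# rsync client output as posted in the comment above.
RSYNC_OUTPUT = """\
(Client) Protocol versions: remote=1920102227, negotiated=30
protocol version mismatch -- is your shell clean?
"""

def leaked_text(output):
    """Return the printable text hidden in each 'remote=' protocol number.

    A genuine version (e.g. 30) packs to non-printable bytes and is skipped;
    a number that packs to printable ASCII means the login shell wrote text
    to stdout before rsync's own handshake.
    """
    found = []
    for match in re.finditer(r'remote=(\d+)', output):
        value = int(match.group(1))
        if value >= 2 ** 32:
            continue                      # not a 32-bit value, nothing to decode
        raw = struct.pack('<I', value)    # the four bytes as they arrived on the wire
        if all(0x20 <= byte < 0x7f for byte in raw):
            found.append(raw.decode('ascii'))
    return found

if __name__ == "__main__":
    print(leaked_text(RSYNC_OUTPUT))
```

Here the number decodes to the start of a text message, which is what "is your shell clean?" is asking about: a shell used for rsync over ssh must not print anything on a non-interactive session.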

  13. KaZso says:

    Dear Ignace!

    I’ve already. More problems… I would like to execute any command via ssh, but lshell doesn’t.
    Please, help me, and make lshell rsync and ssh compatible, if it is possible.

    THANK YOU!

  14. Ignace Mouzannar (-ghantoos-) says:

    @KaZso

    Hello KaZso!

    I completely agree that lshell should be able to execute a set of configurable commands via ssh (e.g. rsync)

    I’ll try to work and patch lshell as soon as possible. :)
    I’ll keep you posted!

    I’ve opened a Feature request on sourceforge: https://sourceforge.net/tracker2/?func=detail&aid=2530776&group_id=215792&atid=1035096
    cheers,

    ghantoos

  15. Ignace Mouzannar (-ghantoos-) says:

    A new version of lshell is available: lshell-0.2.4

    @KaZso
    I’ve added the support for commands over ssh in lshell-0.2.4
    Just add an overssh parameter in the lshell configuration file (e.g. overssh: ['rsync','ls'])

    @ALL
    If you are updating from version 0.2.2 to 0.2.4 using rpm or deb packages,
    please _BACKUP_ your configuration file:
    # cp /etc/lshell.conf /etc/lshell.conf.bak
    Then _UNINSTALL_ the current package before installing the new one.

    I know it’s a pain, but there is a post-uninstall error in both packages. Sorry for the inconvenience.

    Cheers,
    ghantoos

  16. Ignace Mouzannar (-ghantoos-) says:

    A new version of lshell is available: lshell-0.2.5

    Cheers,
    Ignace M -ghantoos-

  17. ramarro says:

    Hi, very very good product!!!
    I have one question: can I use this shell only for logging local and remote ssh commands?
    So, is it possible to enable all environment commands without listing them one by one? I use only the logging feature.
    Sorry for my terrible English

    cheers
    chris

  18. Ignace Mouzannar (-ghantoos-) says:

    @ramarro

    Hi ramarro,
    I will implement this feature as soon as I come back from my holiday trip ;)

    To authorise _all_ commands (that are within a user’s PATH), you will have to input the following in lshell’s configuration file:

    [user]
    allowed: 'all'

    Instead of:

    [user]
    allowed: ['ls','dig']

    Tracker: 2624461

    I’ll keep you posted on the tracker above.

    Cheers,
    Ignace M -ghantoos-

  19. Ignace Mouzannar (-ghantoos-) says:

    A new version of lshell is available: lshell-0.2.6

    Tracker 2624461 is closed. You can allow all commands in user’s PATH as mentioned above.

    Cheers,
    Ignace M -ghantoos-

  20. Ignace Mouzannar (-ghantoos-) says:

    A new version of lshell is now available: lshell-0.9.1

    It corrects many bugs, and adds new features. See the changelog.

    Cheers,
    Ignace M -ghantoos-

  21. Ignace Mouzannar (-ghantoos-) says:

    A new version of lshell is now available: lshell-0.9.2

    It adds 2 new features. See the changelog.

    Unless something big comes up, this should be a stable version of lshell. (I hope I’m not cursing myself with this statement..;) )

    Cheers,
    Ignace M -ghantoos-

  22. Olivier says:

    There is a lot of overlap with Jailkit. It also has a limited shell, but the Jailkit limited shell (jk_lsh) is designed for rsync, sftp, cvs etc. To restrict users to certain commands jailkit uses chroot jails, but allows you to set them up really easily and quickly.

  23. Ignace Mouzannar (-ghantoos-) says:

    @Olivier

    If I had found your project when searching for a limited shell, I may not have coded lshell. :)

    As you said, some features overlap.

    Reading the documentation of jk_lsh, it seems lshell(1) is more complete as a system shell and offers many other features.
    This seems quite normal as jk_lsh is intended to be used as part of the jailkit project whereas lshell(1) is to be used without any jail setup.

    Nevertheless, I think I will be trying jailkit soon.

    Cheers,
    Ignace M -ghantoos-

  24. wei wufeng says:

    Here is a bug. Please fix it.

    def get_aliases(self,line):
        """ Replace all configured aliases in the line
        """
        (…)

        # for item in self.conf['aliases'].keys():
        #     line = re.sub('(^|;|&|\|)%s' %item,self.conf['aliases'][item],line)

        (…)

        return line
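The comment does not say what the bug was, so the following added example (not part of the original comment and not lshell's code or its fix) only shows what the quoted `re.sub` does to sample command lines, next to a stricter variant. The alias table, the function names and the stricter pattern are assumptions made for illustration.

```python
import re

# Constructed alias table; the name -> expansion shape of self.conf['aliases'] is assumed.
ALIASES = {"ls": "ls --color=auto", "ll": "ls -l"}

def expand_as_quoted(line, aliases=ALIASES):
    """Apply the substitution exactly as it appears in the comment."""
    for item in aliases.keys():
        # The separator is part of the match, so it is replaced along with the name,
        # and nothing stops the name from matching the start of a longer command.
        line = re.sub(r'(^|;|&|\|)%s' % item, aliases[item], line)
    return line

def expand_strict(line, aliases=ALIASES):
    """Variant: keep the separator, escape the name, match whole words only."""
    for name, value in aliases.items():
        pattern = r'(^|[;&|])(\s*)%s(?=\s|[;&|]|$)' % re.escape(name)
        # A function replacement avoids backslash processing in the expansion text.
        line = re.sub(pattern, lambda m, v=value: m.group(1) + m.group(2) + v, line)
    return line

if __name__ == "__main__":
    for sample in ("cd /tmp;ls", "lsof -i", "ls&&ll"):   # constructed inputs
        print("%-12r quoted: %-28r strict: %r"
              % (sample, expand_as_quoted(sample), expand_strict(sample)))
```

In a restricted shell this matters because the line is rewritten before it is checked against the allowed commands: a dropped `;` or a `&&` turned into `&` means the line that gets validated is no longer the one the user typed.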

  25. Ignace Mouzannar (-ghantoos-) says:

    Thank you wei wufeng for reporting this bug!

    A new version of lshell is now available: lshell-0.9.3

    It corrects the bug reported by wei wufeng that appeared with the new ‘aliases’ feature of lshell-0.9.2. See the changelog.

    It seems I did curse myself, with my last “this is the stable version”, so I won’t say it this time ;)

    Cheers,
    Ignace M -ghantoos-

  26. Gabriel Figueroa says:

    Nice program. Is it possible to make it log the output of every command executed by setting the loglevel variable to four (the highest setting)? Also custom naming conventions for log files would be a nice idea in the future. For example /var/log/lshell/20090421155332_username.log

  27. Ignace Mouzannar (-ghantoos-) says:

    @gabriel
    I replied to your message on the open forum here

    @all
    If you have any suggestion about lshell, please do not hesitate to start a thread on the forums

    Cheers,
    Ignace M -ghantoos-

  28. Sean Kemplay says:

    Thank you for such a great tool!! Exactly what I have been looking for. Jails are overkill in my mind and to be able to configure everything in one file is a joy!

  29. shark says:

    lshell is great, but a user can read files in restricted folders.
    e.g.: default section
    ## list of path to restrict the user “geographicaly”
    path : - ['/var','/etc', '/boot', '/proc']

    You are in a limited shell.
    Type ‘?’ or ‘help’ to get the list of allowed commands
    maciek:~$ ls /proc
    *** forbidden path -> “/proc”
    *** You have 1 joker(s) left, before getting kicked out.
    This incident has been reported.
    maciek:~$ cd /proc
    *** forbidden path -> “/proc”
    *** You have 0 joker(s) left, before getting kicked out.
    This incident has been reported.
    maciek:~$ cat /proc/version
    Linux version 2.6.30-ARCH (root@T-POWA-LX) (gcc version 4.4.1 (GCC) ) #1 SMP PREEMPT Fri Jul 31 18:10:38 UTC 2009
    maciek:~$ tail -n 1 /proc/version
    Linux version 2.6.30-ARCH (root@T-POWA-LX) (gcc version 4.4.1 (GCC) ) #1 SMP PREEMPT Fri Jul 31 18:10:38 UTC 2009

  30. shark says:

    This can be fixed by adding restricted folders to forbidden variable.
    eg.:
    forbidden : ['&','`', '/proc']

    You are in a limited shell.
    Type ‘?’ or ‘help’ to get the list of allowed commands
    maciek:~$ cat /proc/version
    *** forbidden synthax -> “cat /proc/version”
    *** You have 1 joker(s) left, before getting kicked out.
    This incident has been reported.
    maciek:~$ tail -n 1 /proc/version
    *** forbidden synthax -> “tail -n 1 /proc/version”
    *** You have 0 joker(s) left, before getting kicked out.
    This incident has been reported.
    maciek:~$ ls /proc/irq
    *** forbidden synthax -> “ls /proc/irq”
    - Kicked out -

    but this is a bad solution..
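The two comments above contrast a path restriction that only fires for some commands with a substring rule in `forbidden`. As an added example (not from the comments and not lshell's implementation), this sketch compares the substring rule with a check that resolves every argument of every command against the denied directories; function names and sample lines are constructed, and it assumes one simple command per line.

```python
import os
import shlex

# Constructed policy mirroring the config in the comment: directories to keep users out of.
DENIED_DIRS = ['/var', '/etc', '/boot', '/proc']

def substring_rule(line, forbidden=('&', '`', '/proc')):
    """The workaround from the comment: allow a line only if no listed string occurs in it."""
    return not any(token in line for token in forbidden)

def denied_target(line, cwd, denied=DENIED_DIRS):
    """Return the first argument, of any command, that points into a denied
    directory, or None if there is none."""
    for arg in shlex.split(line)[1:]:
        if arg.startswith('-'):
            continue                              # option flag, not a path
        # normpath keeps this example offline; a deployed check would use
        # os.path.realpath so that symlinks are followed as well.
        target = os.path.normpath(os.path.join(cwd, arg))
        for directory in denied:
            # Compare on a path boundary so '/procedures.txt' is not mistaken for '/proc'.
            if target == directory or target.startswith(directory + os.sep):
                return target
    return None

if __name__ == "__main__":
    home = "/home/maciek"
    for sample in ("ls /proc", "cat /proc/version", "tail -n 1 /proc/version",
                   "cat ../../proc/version", "cat notes/proc/list.txt"):
        print("%-28r substring allows: %-5s resolves into: %s"
              % (sample, substring_rule(sample), denied_target(sample, home)))
```

The substring rule rejects `cat notes/proc/list.txt`, a file inside the user's own home, while the resolving check decides on where each argument actually points, whichever command it is passed to.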

  31. Ignace Mouzannar (-ghantoos-) says:

    @shark
    Thank you for reporting this bug. This is actually quite serious!

    I will work on correcting this ASAP.

    You can keep track of the bug resolution here.

    Regards,
    Ignace M -ghantoos-

  32. sfrique says:

    How do I connect over sftp in lshell and still restrict to my home folder?

  33. Ignace Mouzannar (-ghantoos-) says:

    @sfrique

    lshell cannot restrict sftp(1) to a certain folder.
    When “sftp” is enabled for a user/group, you allow lshell(1) to invoke sftp(1) if it is requested by the user.

    lshell(1) can only try to prevent shell escapes from being executed from the sftp instance.

    Regards,
    Ignace M -ghantoos-

  34. Ignace Mouzannar (-ghantoos-) says:

    Comments on this page will be closed.

    If you want to contribute to this project, please do not hesitate. You can:
    – report a bug, please refer to the bug tracker here.
    – discuss/ask something about lshell(1), please open a discussion inside the forum here.
    – send me an email: ghantoos {at} ghantoos [dot] org

    Kind regards,
    Ignace M -ghantoos-