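Lshell is used to build a restricted shell environment. It is written in Python and provides the following features:
1) Restrict the commands that can be used
2) Log the commands that users execute
3) Restrict the directories that can be accessed
4) Restrict environment variables
...
Installation steps:
Download the source code: https://github.com/ghantoos/lshell
python setup.py install --no-compile --install-scripts=/usr/bin/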
cp /etc/lshell.conf /usr/local/etc/
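Configuration:
The default configuration file contains a Default section. You can also create [username] or [grp:groupname] sections to customize the configuration for individual users or groups.
The configuration priority is as follows:
a. User configuration
b. Group configuration
c. Default configuration
Change the user's shell: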
chsh -s /usr/bin/lshell user_name
Configuration file parameters:
# lshell.py configuration file
#
# $Id: lshell.conf,v 1.27 2010-10-18 19:05:17 ghantoos Exp $

[global]
## log directory (default /var/log/lshell/ )
logpath : /var/log/lshell/
## set log level to 0, 1, 2, 3 or 4 (0: no logs, 1: least verbose,
## 4: log all commands)
loglevel : 2
## configure log file name (default is %u i.e. username.log)
#logfilename : %y%m%d-%u
#logfilename : syslog

## in case you are using syslog, you can choose your logname
#syslogname : myapp

## Set path to sudo noexec library. This path is usually autodetected, only
## set this variable to use alternate path. If set and the shared object is
## not found, lshell will exit immediately. Otherwise, please check your logs
## to verify that a standard path is detected.
##
## while this should not be a common practice, setting this variable to an empty
## string will disable LD_PRELOAD prepend of the commands. This is done at your
## own risk, as lshell becomes easily breached using some commands like find(1)
## using the -exec flag.
#path_noexec : /usr/libexec/sudo_noexec.so

## include a directory containing multiple configuration files. These files
## can only contain default/user/group configuration. The global configuration will
## only be loaded from the default configuration file.
## e.g. splitting users into separate files
#include_dir : /etc/lshell.d/*.conf

[default]
## a list of the allowed commands without execution privileges or 'all' to
## allow all commands in user's PATH
##
## if sudo(8) is installed and sudo_noexec.so is available, it will be loaded
## before running every command, preventing it from running further commands
## itself. If not available, beware of commands like vim/find/more/etc. that
## will allow users to execute code (e.g. /bin/sh) from within the application,
## thus easily escaping lshell. See variable 'path_noexec' to use an alternative
## path to library.
allowed : ['ls', 'echo','ll']

## A list of the allowed commands that are permitted to execute other
## programs (e.g. shell scripts with exec(3)). Setting this variable to 'all'
## is NOT allowed. Warning do not put here any command that can execute
## arbitrary commands (e.g. find, vim, xargs)
##
## Important: commands defined in 'allowed_shell_escape' override their
## definition in the 'allowed' variable
#allowed_shell_escape : ['man','zcat']

## a list of forbidden characters or commands
forbidden : [';', '&', '|','`','>','<', '$(', '${']

## a list of allowed commands to use with sudo(8)
## if set to 'all', all the 'allowed' commands will be accessible through sudo(8)
#sudo_commands : ['ls', 'more']

## number of warnings when user enters a forbidden value before getting
## exited from lshell, set to -1 to disable.
warning_counter : 2

## command aliases list (similar to bash's alias directive)
aliases : {'ll':'ls -l'}

## introduction text to print (when entering lshell)
#intro : "== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"

## configure your prompt using %u or %h (default: username)
#prompt : "%u@%h"

## set short prompt current directory update (default: 0)
#prompt_short : 0

## a value in seconds for the session timer
#timer : 5

## list of path to restrict the user "geographically"
## warning: many commands like vi and less allow to break this restriction
#path : ['/home/bla/','/etc']

## set the home folder of your user. If not specified the home_path is set to
## the $HOME environment variable
#home_path : '/home/bla/'

## update the environment variable $PATH of the user
#env_path : ':/usr/local/bin:/usr/sbin'

## a list of path; all executable files inside these path will be allowed
#allowed_cmd_path: ['/home/bla/bin','/home/bla/stuff/libexec']

## add environment variables
#env_vars : {'foo':1, 'bar':'helloworld'}

## allow or forbid the use of scp (set to 1 or 0)
#scp : 1

## forbid scp upload
#scp_upload : 0

## forbid scp download
#scp_download : 0

## allow or forbid the use of sftp (set to 1 or 0)
## this option will not work if you are using OpenSSH's internal-sftp service
#sftp : 1

## list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
#overssh : ['ls', 'rsync']

## logging strictness. If set to 1, any unknown command is considered as
## forbidden, and user's warning counter is decreased. If set to 0, command is
## considered as unknown, and user is only warned (i.e. *** unknown synthax)
strict : 0

## force files sent through scp to a specific directory
#scpforce : '/home/bla/uploads/'

## Enable support for WinSCP with scp mode (NOT sftp)
## When enabled, the following parameters will be overridden:
## - scp_upload: 1 (uses scp(1) from within session)
## - scp_download: 1 (uses scp(1) from within session)
## - scpforce - Ignore (uses scp(1) from within session)
## - forbidden: -[';']
## - allowed: +['scp', 'env', 'pwd', 'groups', 'unset', 'unalias']
#winscp: 0

## history file maximum size
#history_size : 100

## set history file name (default is /home/%u/.lhistory)
#history_file : "/home/%u/.lshell_history"

## define the script to run at user login
#login_script : "/path/to/myscript.sh"

## disable user exit, this could be useful when lshell is spawned from another
## non-restricted shell (e.g. bash)
#disable_exit : 0
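Configuration example:
foo:
1) Can access /usr and /var, cannot access /usr/local
2) Can execute any command except su
3) Home directory is /home/users
bar:
1) Can access /usr and /etc, cannot access /usr/local
2) In addition to the default commands, can execute ping; cannot execute ls
3) strict is enabled (1: every unknown command decreases the warning counter; 0: unknown commands only produce a warning and do not decrease the warning counter)
The configuration file is as follows: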
# CONFIGURATION START
[global]
logpath : /var/log/lshell/
loglevel : 2

[default]
allowed : ['ls','pwd']
forbidden : [';', '&', '|']
warning_counter : 2
timer : 0
path : ['/etc', '/usr']
env_path : ':/sbin:/usr/foo'
scp : 1 # or 0
sftp : 1 # or 0
overssh : ['rsync','ls']
aliases : {'ls':'ls --color=auto','ll':'ls -l'}

[grp:users]
warning_counter : 5
overssh : - ['ls']

[foo]
allowed : 'all' - ['su']
path : ['/var', '/usr'] - ['/usr/local']
home_path : '/home/users'

[bar]
allowed : + ['ping'] - ['ls']
path : - ['/usr/local']
strict : 1
scpforce : '/home/bar/uploads/'
# CONFIGURATION END
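To review what a user actually ends up with before assigning lshell as their login shell, the sample configuration above can be resolved section by section. The following Python sketch is an added example, not lshell's own code and not part of the original page: it layers [default], then group, then user sections and applies the `+`/`-` list operators. The function names `resolve` and `may_access`, the membership of foo and bar in the `users` group, and the prefix-based path check are assumptions of this simplified model, and `'all'` is kept as a marker rather than expanded.

```python
import ast
import configparser
import re

# The page's sample configuration, trimmed to the list-valued keys resolved here.
SAMPLE_CONF = """
[default]
allowed : ['ls','pwd']
path : ['/etc', '/usr']
overssh : ['rsync','ls']
[grp:users]
overssh : - ['ls']
[foo]
allowed : 'all' - ['su']
path : ['/var', '/usr'] - ['/usr/local']
[bar]
allowed : + ['ping'] - ['ls']
path : - ['/usr/local']
"""
TERM = re.compile(r"([+-]?)\s*(\[[^\]]*\]|'all')")  # one signed list, or 'all'

def resolve(conf_text, user, groups, key):
    """Layer default, then group, then user sections; return (kept, removed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sections = ["default"] + ["grp:" + g for g in groups] + [user]
    added, removed = [], []
    for section in (s for s in sections if cp.has_option(s, key)):
        for sign, literal in TERM.findall(cp.get(section, key)):
            items = ast.literal_eval(literal)
            items = [items] if isinstance(items, str) else items  # 'all' marker
            if sign == "":    # an unsigned value replaces what was inherited
                added, removed = list(items), []
            elif sign == "+":
                added += [i for i in items if i not in added]
                removed = [r for r in removed if r not in items]
            else:             # '-' records an exclusion
                removed += [i for i in items if i not in removed]
    return [a for a in added if a not in removed], removed

def may_access(conf_text, user, groups, target):
    """Simplified prefix model of 'path': an excluded prefix beats an allowed one."""
    allow, deny = resolve(conf_text, user, groups, "path")
    inside = lambda p: (target.rstrip("/") + "/").startswith(p.rstrip("/") + "/")
    return any(map(inside, allow)) and not any(map(inside, deny))

if __name__ == "__main__":
    for u in ("foo", "bar"):  # group membership "users" is an assumption
        print(u, resolve(SAMPLE_CONF, u, ["users"], "allowed"))
```

For foo the result keeps the `'all'` marker with `su` excluded, which is the case to review most carefully: the configuration comments above warn that commands such as vim, find or more can start other programs unless the noexec library is loaded.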