lshell's Issues

A restricted user can use an unauthorized path with commands

Hello,

A restricted user can use an unauthorized path in his commands.
Below is a sample:

sudo su - restrictedUser
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
restrictedUser:$ ls /home/anotheruser
file1 laotra.sql
restrictedUser:$

The restricted user has no access or authorization to /home/anotheruser.

You can reproduce this issue with version 0.9.15 as it is at 1/22/2012. The configuration file is the one that exists in the git repository on that day.

log file created with mode 644

When logs are saved to files (in /var/log/lshell), the files are created with mode 644. The right permission should be 0600.

Example: (current)

# ls -lad /var/log/lshell/*
-rw-r--r-- 1 foobar foobar 147 2012-06-12 11:05 /var/log/lshell/20120612-foobar.log
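
The following added example (not lshell's own code) shows how a limited shell can create its per-user log with mode 0600 even when a permissive umask or a pre-existing 0644 file would otherwise leave it readable by other users; the directory and file name are constructed for the demonstration.

```python
import os
import stat
import tempfile


def open_private_log(path):
    """Open a log file for appending so that only its owner can read or write it.

    os.open() applies the process umask to the requested mode and ignores the
    mode entirely if the file already exists, so a log left behind with 0644
    would stay that way. fchmod() on the open descriptor pins the mode to
    0600 in both cases, without racing on the path name.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.fchmod(fd, 0o600)
    return os.fdopen(fd, "a")


def is_owner_only(path):
    """True when no group or other permission bits are set on the file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def demo():
    """Reproduce the reported 0644 log, then tighten it; returns (before, after)."""
    logdir = tempfile.mkdtemp()  # stands in for /var/log/lshell
    path = os.path.join(logdir, "20120612-foobar.log")
    with open(path, "w") as f:
        f.write("constructed existing entry\n")
    os.chmod(path, 0o644)  # the state shown in the report
    before = is_owner_only(path)
    with open_private_log(path) as f:
        f.write("constructed new entry\n")
    after = is_owner_only(path)
    return before, after
```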

move vim from allowed to forbidden in default configuration

Hello,

Are you aware of this method to escape lshell?

http://www.aldeid.com/wiki/Lshell

While the "echo os.system('/bin/bash')" doesn't work with recent code,
the vim trick works easily, so it should probably be red-flagged with
something like:

##  a list of forbidden character or commands -- deny vim, as it allows to escape lshell
forbidden       : [';', '&', '|','`','>','<', '$(', '${', 'vim', 'vi']

and for sure removed from the default config:

##  command aliases list (similar to bash’s alias directive)
aliases         : {'ll':'ls -l', 'vi':'vim'}

Kind Regards,

Marlene
http://omega8.cc

Add a list of user for sudo command

Hello,

It would be great to have the -u option for sudo and set a user behind it (which should be authorized in the config file, in a list).

It would allow authorizing this kind of command (for example):
sudo -u www-data script.php

I will try to provide a patch soon.
Regards,

Let users create aliases in .lprofile

Is it possible to let users create their own aliases? For example, in bash it is possible to define aliases in the .bash_profile or .bash_aliases file. Lshell could implement something like that and let users define their aliases in, let's say, a .lprofile file.

BTW, is it possible to load new config settings without logging out of the session, like it is done in a normal SSH session with source .bash_profile?

run a background process - ctrl-z

Hey, it would be nice if you could run a background process. When using a shell-based editor for development it's not possible to press ctrl + z to run a bash command, or to do something like :!ls in vim. Is there a way to fix this?

Autocomplete breaks on "-"

While it works fine for alphanumeric directory names, it stops proper autocomplete suggestions when you use something like:

$ cd name- (tab)

If there are many directories starting with name-, it will suggest all directories instead of only those starting with name-.

unexpected EOF when using $( )

I installed lshell 0.9.16 (on a test environment) by downloading the current master branch (zip format) and using the spec file to build an rpm on CentOS.

I get an error (and the session gets closed) when trying to do a command like this:
command1.sh $(command2.sh parameter)

This is the error output:
/bin/sh: -c: line 0: unexpected EOF while looking for matching `)'
/bin/sh: -c: line 1: syntax error: unexpected end of file
Traceback (most recent call last):
  File "/usr/bin/lshell", line 54, in <module>
    main()
  File "/usr/bin/lshell", line 44, in main
    cli.cmdloop()
  File "/usr/lib/python2.6/site-packages/lshell/shellcmd.py", line 557, in cmdloop
    stop = self.onecmd(line)
  File "/usr/lib/python2.6/site-packages/lshell/shellcmd.py", line 680, in onecmd
    func = getattr(self, 'do_' + cmd)
  File "/usr/lib/python2.6/site-packages/lshell/shellcmd.py", line 107, in __getattr__
    if self.check_path(self.g_line, strict = self.conf['strict']) == 1:
  File "/usr/lib/python2.6/site-packages/lshell/shellcmd.py", line 470, in check_path
    item = cout.readlines()[0].split(' ')[0].strip()
IndexError: list index out of range

This only seems to happen when there is a space between the brackets of the $( ). Without a space, no problem.

Include_dir

Hello,

Would it be possible to add 2 new features:

  • Include: to include another configuration file from the master config
  • Include_dir: to include an lshell.d directory containing multiple configuration files

Thanks

strace allows a blocked command to fire

Hi Guru,

First of all, thanks for this awesome tool... :)

My Issue:
I have blocked the mkdir command for user foo and my configuration is as below:

[foo] allowed = 'all' - ['mkdir', 'bash', 'sh', 'csh', 'dash', 'env']

It's working fine; you can see the test result here: http://unix.stackexchange.com/questions/90998/block-particular-command-in-linux-for-specific-user/91004#91004

But when I used strace mkdir test, it allowed creating the dir. Can you look into this? Or should I block strace also?

custom text for the intro param not working for newlines and other formatting

The intro param from lshell.conf does not seem to work well for newlines and other formatting options when explicitly specified. It gets printed as literal values.

It works fine when the static string is used from within lshell.py (i.e. no intro defined at all).

When no intro is specified:
~> sudo su -
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands

When an intro is specified:
~> sudo su -
"== My personal intro ==\r\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"

~$ lshell --version
lshell-0.9.15.1 - Limited Shell

Expire idle only sessions

The session timer setting in the config file expires and kicks the user regardless of whether the session was active or idle for some time. It is not very useful, since nobody wants to interrupt a user while he is doing something important, for example if he is copying files. IMHO the session timer should be effective only if a session is idle for a definite period of time.

Config and command question

2 questions here

  1. can su be limited to su-ing to a specific user? Can I put su testuser and it will only allow su to testuser?

  2. Does lshell work in SLES 11 x64?

Allow to restrict user geographically to home_path

Hi,

Is there a way to geographically restrict a user to his home path?

home_path, if not defined, is automatically set to the $HOME environment variable.
It would be great to have home_path work the same way.

Regards,

Shadok

rsync over ssh broken

$ rsync -e ssh -av -l --delete --exclude files/css user@host:/path /path/
Traceback (most recent call last):
  File "/usr/local/bin/lshell", line 54, in <module>
    main()
  File "/usr/local/bin/lshell", line 40, in main
    userconf = CheckConfig(args).returnconf()
  File "/usr/local/lib/python2.6/dist-packages/lshell/checkconfig.py", line 141, in __init__
    self.check_scp_sftp()
  File "/usr/local/lib/python2.6/dist-packages/lshell/checkconfig.py", line 678, in check_scp_sftp
    cli = ShellCmd(self.conf, None, None, None, None,
NameError: global name 'ShellCmd' is not defined
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at /SourceCache/rsync/rsync-42/rsync/io.c(452) [receiver=2.6.9]

Tested with lshell head/master on Debian Squeeze.

rbenv not compatible with lshell

rbenv is a ruby version manager (https://github.com/sstephenson/rbenv/) which requires setting a specific PATH and running a command at login, using for example the .bash_profile file. Unfortunately I can't see any way to do that with lshell.

The exact content of .bash_profile required by rbenv is the following:

export PATH="$HOME/.rbenv/bin:$PATH"
eval "$(rbenv init -)"

Any way to make that work with lshell?

Make warnings configurable

I really would like to change the wording of some messages, for example this one:

*** You have 3 warning(s) left, before getting kicked out.
This incident has been reported.

Is it possible to make messages configurable?

LShell and /etc/init.d scripts

Hi,

I would like to know if there is a way to allow the user to execute some scripts inside the path /etc/init.d on Debian Linux.
I tried to do this by putting this path in the variable, but it didn't work.
Putting the name of the service in the allowed commands also didn't work.

Is there a way to do this?

Thanks a lot.
Breno

Warning on forbidden command doesn't work anymore

Hello,
In the master branch, it seems the warning isn't thrown anymore (but strict works) when a forbidden command is issued.
As the last packaged version (.14) works well, I think the bug appeared between .14 and the latest version.
I will try to track and fix this bug and ask for a pull.

Regards

GNU find breaks out of the restricted shell

Hello, I ran into a bug with GNU find. Configuration is as follows:

path : ['/home/web2']
allowed : ['find']
$ ssh web1@localhost
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
web2:~$ find /proc
*** forbidden path -> "/proc/"
*** You have 1 warning(s) left, before getting kicked out.
This incident has been reported.
/proc
/proc/mpt
/proc/mpt/version
/proc/mpt/summary

As soon as the warning is printed, the output of the find command from a forbidden path is dumped onto the terminal.

Add color

Hi,
Maybe a stupid question, but is there a way to have colors in the shell output? (The same as in bash, for example.)

I can't tell if it is a configuration problem, or if it is just not supported yet by lshell :)

ossec rules

Hi,

I've written a quick tutorial to use ossec+syslog+lshell (https://github.com/icy/lshell/wiki/ossec-integration), which helps to notify the system administrator if lshell users try any forbidden commands on the system. :) As I have no way to contribute these rules to the ossec community, I would send the page to lshell's wiki :P

Hope it helps.

Regards,

Replace 'cd /' with 'cd ~'

Regular SSH users are very much used to typing 'cd /' to get to the top directory. And it is not very convenient, when switching to Limited Shell, to get a warning notice every time you type this command just by force of habit. So taking into account the fact that the main reason in the absolute majority of cases for switching to Limited Shell is the wish to limit users to their home directories, we might consider a user's home directory as the top directory in a limited shell. And it would be very nice for lshell to redirect a user typing 'cd /' to his home directory instead of printing an error.

This is just a request. I don't know how much this sounds logical to others and how much it is difficult to implement.

No output

Hi,

Lshell 0.9.15.1 is working fine on RHEL5, but on RHEL4 (Python 2.3.4) ls and lpath output nothing. help and the welcome text are working.

I'm searching for why, but for the moment I have no idea.

Best regards

Firewall/Network access(80/443)

Houdihou

I have some problems getting AeroFS running as an lshell'ed user. The installer checks for network connections (port 80/443 outgoing) but it does not work.
As I do not have these problems anywhere else, I think this has to be lshell related.

Is it something with iptables or something like this?

I tried wget and that worked well...

Thank you for hints :)

Michel

Custom intro doesn't print nicely

mazzika:{master} ~/src/lshell$ ./bin/lshell --config ../lshell.conf
"== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"
ghantoos:~$

Lshell tricked by 'dir .*'

I see the report about lshell being tricked by '..' was addressed here: https://sourceforge.net/tracker/?func=detail&aid=2977391&group_id=215792&atid=1035093 So I would like to report a similar inconvenience: if I run the command 'dir .*' I can see the content of the parent directory. And the whole idea for me to switch from bash to lshell was the necessity to restrict users to their home directories only.

Otherwise I find that lshell is an excellent implementation. It just needs to advance further. Thanks for lshell!

sudo to all commands

Hi, I am trying to allow a user to sudo to all commands, just like this line in the sudoers:
oper ALL=(ALL) ALL

Is there any way to do this?
Thanks

login script

Hi,

I'm trying to configure lshell so that an initial script could be started just after login.

How can I configure this?

Thanks,

Laurent.

Forbidden character although not listed in config

Hello,

I'm running lshell-0.9.15.1 on Ubuntu 10.04 x64.

I keep getting this error although this command doesn't contain any forbidden character:

*** forbidden char/command over SSH: "git --git-dir='/git/206c7835-ef7f-4133-8a1b-3889a95e1b7f/f7de831d-7437-4911-8283-971744387f6e/mygit.git' log -1 --pretty=format:"%an;%ai" -- "Quick start.pdf""

Here's my conf:
allowed : ['git','git-upload-pack','git-cvsserver','gitk','git-receive-pack','git-shell','git-upload-archive','cd']
forbidden : ['&','|','`','>','<','$(','${']

And I allowed only the /git directory in my conf, but for some git commands / is relative to the repository, and lshell complains that the path is forbidden:
2012-05-03 11:21:23,734 (sonhuytran): *** forbidden path over SSH: "git --git-dir='/git/206c7835-ef7f-4133-8a1b-3889a95e1b7f/f7de831d-7437-4911-8283-971744387f6e/mygit.git' log -1 --pretty=format:"%an;%ai" -- "/David_Cook-This_Loud_Morning-(Deluxe_Edition)-2011-C4/00-david_cook-this_loud_morning-(deluxe_edition)-2011-scan.jpg""

Regards,

Shadok

sudo to all commands

Hi, I am trying to allow one user to sudo to all commands, like this line in the sudoers:
oper ALL=(ALL) ALL
Is there any way to do this?
Thanks

Wrong behaviour of &&

Hello,

The '&&' shell command connector does not have the correct behaviour in lshell. For example:

ls inexstantfile && echo "file exists"

The second command (echo) after the AND should NOT get run if command 1 (ls) returns a return code different from 0.

Unfortunately, under lshell command 2 does get run no matter what the return code from command 1 is.

Is it possible to fix this?

Thanks & best regards,
H.N.

There is no group by the name 'lshellg' by default.

Per instructions on http://lshell.ghantoos.org/Todo I tried to

chown :lshellg /var/log/lshell

and

usermod -aG lshellg user_name

however it outputs:

root@ns1:/home/user_name# chown :lshellg /var/log/lshell
chown: `:lshellg': invalid group
root@ns1:/home/user_name# usermod -aG lshellg user_name
usermod: unknown group lshellg

So there is no group by the name 'lshellg' by default. Should I create one? Should the documentation be corrected to save new users from confusion?

granularity of access and use in lshell

Hello,

I have a user called naruto; we do ssh naruto@box, and naruto has lshell.

On box, I want:

  • no shell for the user, just command execution, and if something is not defined it's "no"
  • in /directory/rep1, I want naruto to be able to execute only some of the scripts
  • in /directory3/rep2 and recursively, I want naruto to be able to execute all scripts in them
  • in /directory4/rep3, I want naruto to read and write only

I think that this mix is not easy to put in an lshell.conf, especially:

  • in /directory3/rep2 and recursively, I want naruto to be able to execute all scripts in them

Does anyone have a clue / ideas? :)

IS

| (pipe) in a "regex" in a bzgrep

Hi,

I have just installed lshell at my company to secure a server.

I have allowed the bzgrep command and the usage of the pipe (|).

A simple pipe works (for example "cat file.txt | more" works well), but if I put a pipe in the search field of bzgrep, it doesn't work:

bzgrep -e "_1nC4z1j-03|EDMA_0000000014232" 20130325.txt.bz2
*** unknown command: EDMA_0000000014232"

This command works with bash.
I tried several different configurations with a " ' " and it doesn't work.

Is it normal?

Thx a lot for your work on this product!

prompt can't be ""

I tried an empty string as "prompt" (aka, prompt: ""), then I got the error:

CONF: Incomplete prompt field in configuration file

This would be a bug :)

process gets killed when user logs out

Hi,

I would like a user to be able to start and stop the Apache Tomcat container, so I added the start and stop scripts to the allowed commands. So the user starts the Tomcat process, but unfortunately as soon as he logs out of his lshell session it kills the Tomcat process :(

Is there any way to avoid that?

Many thanks for your feedback.
H.N.

Working with ftp

Hi,

When I use a user with lshell as shell, I can't access via ftp.

Oct 5 16:25:47 labhospedagem proftpd[8811]: 127.0.0.1 (::ffff:192.168.12.27[::ffff:192.168.12.27]) - USER teste (Login failed): Invalid shell: '/usr/bin/lshell'
Oct 5 16:27:11 labhospedagem proftpd[8812]: 127.0.0.1 (::ffff:192.168.12.27[::ffff:192.168.12.27]) - USER teste (Login failed): Invalid shell: '/usr/bin/lshell

[root@labhospedagem ~]# whereis lshell
lshell: /usr/bin/lshell /etc/lshell.conf /usr/share/man/man1/lshell.1

Is some special config necessary?

Problem with ssh

Hi:
I have some users trying to use ssh in my lshell installation but it doesn't work. I checked putting ssh in the allowed commands and so on, but it still doesn't work. Any idea?
Thanks in advance

Aliases error

Updating to say that this is still an issue. Has anyone else experienced this?

I am using lshell v 0.9.15.1-1. When adding aliases to lshell.conf I receive an error message. I have tried different aliases always adding the command to the allowed list. Currently I only have ll set as an alias.

RHEL 5.9
python-2.4.3-56.el5

lshell.conf file

allowed : ['sudo','sudoedit','passwd','mkdir','rmdir','ls','ll','cd','pwd','less','grep','tar','gzip']

aliases : {'ll':'ls -l'}

executed command

ll

Error message

Traceback (most recent call last):
  File "/usr/bin/lshell", line 27, in ?
    lshell.main()
  File "/usr/lib/python2.4/site-packages/lshell.py", line 1450, in main
    cli.cmdloop()
  File "/usr/lib/python2.4/site-packages/lshell.py", line 556, in cmdloop
    stop = self.onecmd(line)
  File "/usr/lib/python2.4/site-packages/lshell.py", line 678, in onecmd
    func = getattr(self, 'do_' + cmd)
  File "/usr/lib/python2.4/site-packages/lshell.py", line 163, in __getattr__
    self.g_line = get_aliases(self.g_line, self.conf['aliases'])
  File "/usr/lib/python2.4/site-packages/lshell.py", line 1425, in get_aliases
    line = re.sub(reg2, "%s%s%s" % (before, aliaskey,
UnboundLocalError: local variable 'aliaskey' referenced before assignment

shell variables not supported?

I am trying to export a shell variable such as:

export MYVAR="hello"

this command runs fine without any errors but my variable MYVAR is not available. So running:

echo $MYVAR

gives me no output, just an empty line.

export command needs a minor fix

Thanks for adding the support for export! The only problem was that it wasn't working. It looks like a minor tweak is needed to get it working by adding it to the standard list of commands to be expanded by default.

    # initialize list to common shell builtins
    expanded_all = ['bg', 'break', 'case', 'cd', 'continue', 'eval', \
                    'exec', 'exit', 'fg', 'if', 'jobs', 'kill', 'login', \
                    'logout', 'set', 'shift', 'stop', 'suspend', 'umask', \
                    'unset', 'wait', 'while', 'export' ]

Before fix:
:~$ export
*** unknown command: export

After fix:
:$ export a=b
:$ echo $a
b

:~$ lshell --version
lshell-0.9.15.1 - Limited Shell

lshell makes weird things with a line like cd /not/authorized/path

Hello

Below is a sample of several commands to reproduce the issue. A user "can go" to an unauthorized directory (in the sample the restricted user's home is /externals/restricteduser). I can reproduce the issue with lshell version 0.9.15 of Jan 22, 2012. The config file is the default one in the git repository (same version, same date).

sudo su - restricteduser
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
restricteduser:$ ?
cd clear echo exit help history ll lpath ls lsudo
restricteduser:$ cd /home
restricteduser:/home$ ls
*** Forbidden path: /home/ls
restricteduser:/home$ ls /home
*** Forbidden path: /home/ls /home
restricteduser:/home$ cd -
*** Forbidden path: /home/cd -
restricteduser:/home$
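
As an added example (not lshell's own code), here is how a limited shell can check every path argument against the allowed roots after expanding globs and resolving '..' and symlinks, which covers the ls /home/anotheruser, cd /home and dir .* cases reported on this page; the fixture directories are constructed for the demonstration.

```python
import fnmatch
import glob
import os
import tempfile


def expand_args(args, cwd):
    """Expand shell-style globs relative to cwd before any path check.

    Python's glob never yields '.' or '..', but /bin/sh does for a pattern
    with an explicit leading dot such as '.*'; they are added here so that
    'dir .*' is judged by what it would actually list, not by its text.
    """
    expanded = []
    for arg in args:
        if not any(c in arg for c in "*?["):
            expanded.append(arg)
            continue
        matches = glob.glob(os.path.join(cwd, arg))
        head, tail = os.path.split(arg)
        if tail.startswith("."):
            for special in (".", ".."):
                if fnmatch.fnmatch(special, tail):
                    matches.append(os.path.join(cwd, head, special))
        expanded.extend(sorted(matches) or [arg])
    return expanded


def is_within(candidate, roots):
    """True when the resolved candidate lies under one of the allowed roots.

    realpath() resolves symlinks and '..', so text tricks cannot escape the
    root; commonpath() stops '/home/web2x' from matching root '/home/web2'.
    """
    real = os.path.realpath(candidate)
    for root in roots:
        root_real = os.path.realpath(root)
        if os.path.commonpath([real, root_real]) == root_real:
            return True
    return False


def check_command(line, cwd, allowed_roots):
    """Return the path arguments of `line` that fall outside allowed_roots.

    Every non-option word after the command is treated as a potential path,
    relative ones resolved against cwd. An empty result means the command
    touches only permitted locations.
    """
    words = line.split()
    offending = []
    for arg in expand_args(words[1:], cwd):
        if arg.startswith("-"):
            continue  # an option such as -l, not a path
        path = arg if os.path.isabs(arg) else os.path.join(cwd, arg)
        if not is_within(path, allowed_roots):
            offending.append(os.path.normpath(path))
    return offending


def build_fixture():
    """Constructed layout: the restricted home next to another user's home."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "restricteduser")
    other = os.path.join(base, "anotheruser")
    os.mkdir(home)
    os.mkdir(other)
    open(os.path.join(other, "file1"), "w").close()
    return home, other, base
```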

double space overrides restriction

Hello,

We have discovered that if we list forbidden commands with spaces
(since we want to allow some of them, like "drush allow", but want
to deny commands like "drush foo" and "drush bar"), it is easy
to skip this restriction by using an extra space, like "drush  foo".

This is probably an edge case, but maybe it could be possible
to avoid that security hole for commands with spaces?

Kind Regards,

http://omega8.cc
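
An added example (not lshell's own code) of why substring matching lets the extra space through and how matching multi-word forbidden entries on shell-split words closes that gap; the forbidden list is constructed from the report above.

```python
import shlex

# Constructed policy modelled on the report: single characters and a few
# multi-word commands are forbidden, while "drush allow" stays permitted.
FORBIDDEN = [";", "&", "|", "`", ">", "<", "$(", "${", "drush foo", "drush bar"]


def naive_match(line, forbidden=FORBIDDEN):
    """Substring matching of the whole entry: 'drush  foo' slips through."""
    return [entry for entry in forbidden if entry in line]


def find_forbidden(line, forbidden=FORBIDDEN):
    """Return the forbidden entries the line matches after word splitting.

    Single-token entries (';', '$(', ...) are still checked against the raw
    line. Multi-word entries are compared word by word against the shlex
    tokens, so runs of spaces or tabs and quoting around a word cannot hide
    them. Unbalanced quotes are reported rather than silently accepted.
    """
    try:
        words = shlex.split(line)
    except ValueError:
        return ["<unbalanced quoting>"]
    hits = []
    for entry in forbidden:
        entry_words = entry.split()
        if len(entry_words) <= 1:
            if entry in line:
                hits.append(entry)
            continue
        n = len(entry_words)
        if any(words[i:i + n] == entry_words for i in range(len(words) - n + 1)):
            hits.append(entry)
    return hits
```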

lshell does not report the exit code/status of child processes

Hi,

No matter what command runs in lshell, the exit status is always zero.

lshell:~$ cd /tmp
*** forbidden path: /private/tmp/
lshell:~$ echo $?
0
lshell:~$ ls /
*** forbidden path: /
lshelli:~$ echo $?
0
lshell:~$ khkjdghdfgd
*** forbidden command: khkjdghdfgd
lshell:~$ echo $?
0
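
The following added example (not lshell's own code) shows how a limited shell can evaluate '&&' and '||' lists with shell semantics and keep the status of the last command that actually ran, so that a following echo $? sees it; it covers both the '&&' report and the exit-status report above, runs commands as plain argv without a shell, and includes a scripted runner so the control flow can be checked without side effects.

```python
import shlex
import subprocess


def split_connectors(line):
    """Split a command line on '&&' and '||' that appear outside quotes.

    Returns [cmd, op, cmd, op, ...]; a quoted "&&" stays part of its command.
    """
    parts, buf, quote, i = [], "", None, 0
    while i < len(line):
        ch = line[i]
        if quote:
            buf += ch
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf += ch
        elif line[i:i + 2] in ("&&", "||"):
            parts.extend([buf.strip(), line[i:i + 2]])
            buf = ""
            i += 1
        else:
            buf += ch
        i += 1
    parts.append(buf.strip())
    return parts


def run_single(cmd):
    """Run one command without a shell and return its exit status."""
    argv = shlex.split(cmd)
    if not argv:
        return 0
    try:
        return subprocess.run(argv).returncode
    except FileNotFoundError:
        return 127  # the status a POSIX shell reports for "command not found"


def run_list(line, run=run_single):
    """Execute an AND/OR list with shell semantics and return the final status.

    The right side of '&&' runs only if the left exited 0; the right side of
    '||' runs only if the left failed. The status of the last command that
    actually ran is the status of the whole list.
    """
    parts = split_connectors(line)
    status = run(parts[0])
    for op, cmd in zip(parts[1::2], parts[2::2]):
        if (op == "&&" and status == 0) or (op == "||" and status != 0):
            status = run(cmd)
    return status


def scripted_runner(failing=("false",)):
    """Test double: records each command and fails those named in `failing`."""
    calls = []

    def run(cmd):
        calls.append(cmd)
        return 1 if shlex.split(cmd)[0] in failing else 0

    return calls, run
```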

backtrace when configuration is auto-reloaded

When configuration is edited, lshell reloads it automatically. This currently fails.

ghantoos:~$ ls
Traceback (most recent call last):
  File "./bin/lshell", line 54, in <module>
    main()
  File "./bin/lshell", line 44, in main
    cli.cmdloop()
  File "/home/ghantoos/src/lshell/lshell/shellcmd.py", line 554, in cmdloop
    stop = self.onecmd(line)
  File "/home/ghantoos/src/lshell/lshell/shellcmd.py", line 677, in onecmd
    func = getattr(self, 'do_' + cmd)
  File "/home/ghantoos/src/lshell/lshell/shellcmd.py", line 95, in __getattr__
    self.conf = CheckConfig(self.args).returnconf()
  File "/home/ghantoos/src/lshell/lshell/checkconfig.py", line 99, in __init__
    self.conf['config_mtime'] = self.get_config_mtime(configfile)
  File "/home/ghantoos/src/lshell/lshell/checkconfig.py", line 739, in get_config_mtime
    return os.path.getmtime(configfile)
  File "/usr/lib/python2.7/genericpath.py", line 54, in getmtime
    return os.stat(filename).st_mtime
OSError: [Errno 2] No such file or directory: '/home/lshell.conf'
