Closed suker413 closed 9 years ago
Unfortunately, it is still not possible to prevent a command from launching another shell. The administrator should only give access to commands that are known to be "secure": for example, rvim instead of vim, and not giving access to chmod, etc.
I have just re-tested, unless you give the user the right to execute this script, he should be unable to do so.
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
ghantoos3:~$ ./bin/sh-test
*** forbidden command: ./bin/sh-test
Hi ghantoos, for example:
liangsh@dev2:~$ ?
clear exit help history lpath lsudo tttt vi
root@dev2:/home/liangsh# cat tttt
echo "change shell to bash"
liangsh@dev2:~$ w
*** forbidden command: w
When I modify tttt like this:
liangsh@dev2:~$ vi tttt
liangsh@dev2:/home/liangsh# cat tttt
echo "change shell to bash"
/bin/bash
liangsh@dev2:~$ tttt
change shell to bash
liangsh@dev2:~$ w
 11:51:23 up 24 min,  3 users,  load average: 0.00, 0.01, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    172.16.201.1     11:27    3:47   0.12s  0.12s -bash
liangsh  pts/1    172.16.201.1     11:43    3.00s  0.04s  0.00s w
root     pts/2    172.16.201.1     11:35   11:15   0.08s  0.08s -bash
In order to have this working, the user must have write access to executable scripts, in which case lshell cannot prevent them from adding content and escaping from the shell. It is the administrator's responsibility to manage this scenario.
There is a solution, using something like noexec (http://noexec.sourceforge.net/), in order to catch escapes, but I'm not sure I want to add this layer of complexity. Unless someone is willing to code it in python? :)
Also, if using vi, you can directly launch a bash session from inside vi. I recommend using rvim combined with lshell.
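An audit helper for the scenario described above, added here as an example and not part of lshell: it takes the restricted user's name and the entries of an lshell allowed list, resolves each to a file, and reports any the user could rewrite, either directly or by replacing it inside a writable directory such as the user's home. It assumes GNU coreutils (stat -c) and a local account; the user name bar and the sample scripts are constructed inputs.

```shell
#!/bin/sh
# Added audit helper, not part of lshell. For each name or path in an lshell
# "allowed" list, resolve it to a file and report whether the restricted user
# could modify it: directly (owner write bit, a writable group the user is in,
# world-writable) or by replacing it inside a directory the user can write to,
# such as the user's own home. Any hit means the user can append "/bin/bash"
# to the script exactly as in this thread, so the entry should be removed or
# the script moved to a root-owned, non-writable location.
# Assumes GNU coreutils (stat -c) and that USER is a local account.

# Print a reason if user $1 can write $2 (symlinks followed); else return 1.
writable_by() {
    user=$1; path=$2
    set -- $(stat -Lc '%a %U %G' -- "$path" 2>/dev/null)
    [ $# -eq 3 ] || return 1                # stat failed: nothing to report
    mode=$1; owner=$2; group=$3
    if [ "$owner" = "$user" ] && [ $(( 0$mode & 128 )) -ne 0 ]; then
        echo owner-writable
    elif [ $(( 0$mode & 2 )) -ne 0 ]; then
        echo world-writable
    elif [ $(( 0$mode & 16 )) -ne 0 ]; then
        case " $(id -nG "$user" 2>/dev/null) " in
            *" $group "*) echo group-writable ;;
            *) return 1 ;;
        esac
    else
        return 1
    fi
}

# Usage: audit_allowed_commands USER CMD...  -> one "cmd path finding" per hit.
audit_allowed_commands() {
    user=$1; shift
    for name in "$@"; do
        # Resolve like a shell would: PATH lookup for bare names, paths as-is.
        if ! path=$(command -v "$name" 2>/dev/null); then
            printf '%s - not-found\n' "$name"
            continue
        fi
        [ -e "$path" ] || continue            # shell builtins have no file to audit
        if reason=$(writable_by "$user" "$path"); then
            printf '%s %s file-%s\n' "$name" "$path" "$reason"
        elif reason=$(writable_by "$user" "$(dirname -- "$path")"); then
            printf '%s %s dir-%s\n' "$name" "$path" "$reason"
        fi
    done
}
```

Run it as `audit_allowed_commands liangsh tttt vi` against the allowed list from the thread; a `dir-owner-writable` finding on a script in the user's home is exactly the case ghantoos describes.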
lshell is a very good project, I like it!!
I have a problem: if a user modifies a command and adds another command to it, for example:
cat /home/bar/test
#!/bin/bash
echo "hello bar"
and modifies it like this:
cat /home/bar/test
#!/bin/bash
echo "hello bar"
/bin/bash
then when I run test in lshell, it changes my shell, and logging and commands are all invalid.
thanks!!