lshell is a shell coded in Python that lets you restrict a user's environment to a limited set of commands, choose to enable or disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log users' commands, implement timing restrictions, and more.
In our environment, our users need to run the newgrp command to switch between different environments. I noticed that a user may potentially escape from lshell by running newgrp. Here is an example.
Environment 'fake' set.
Type '?' or 'help' to get the list of allowed commands
Type 'lpath' to get the list of allowed folder
s_testuser@test(fake):~$ id
uid=5684(s_testuser) gid=5669(d_fake) groups=5669(d_fake),5677(csusers),5682(cshadow)
s_testuser@test(fake):~$ newgrp - csusers
invalid option
s_testuser@test:(RC=0):/home/s_testuser (It regains bash access from lshell)
11:10:57 #
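A configuration audit for the situation reported above, as an added example that is not part of the original post or of lshell's own code: it reads an lshell-style config and lists every section whose `allowed` setting lets the user reach `newgrp`. It assumes the `allowed : [...]`, `'all'` and `+ [...] - [...]` syntax from lshell's sample configuration and a simplified inheritance model (each section is layered directly on `[default]`); the `opsuser` account and the sample config are constructed.

```python
import ast
import configparser
import re

# Only newgrp comes from the report above; extend the set for your own hosts.
SHELL_SPAWNING = {"newgrp"}
TERM = re.compile(r"""([+-]?)\s*(\[[^\]]*\]|'all'|"all")""")

def apply_allowed(expr, state=(frozenset(), False, frozenset())):
    """Fold one 'allowed' expression into (commands, allow_all, removed)."""
    cmds, allow_all, removed = set(state[0]), state[1], set(state[2])
    for sign, literal in TERM.findall(expr):
        value = ast.literal_eval(literal)
        if value == "all":          # every command on the user's PATH
            allow_all, removed = True, set()
        elif sign == "-":
            cmds, removed = cmds - set(value), removed | set(value)
        elif sign == "+":
            cmds, removed = cmds | set(value), removed - set(value)
        else:                       # a bare list replaces what was inherited
            cmds, allow_all, removed = set(value), False, set()
    return frozenset(cmds), allow_all, frozenset(removed)

def audit(conf_text, risky=SHELL_SPAWNING):
    """Return {section: [risky commands the section can run]}."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain %
    cp.read_string(conf_text)
    default = apply_allowed(cp.get("default", "allowed", fallback=""))
    findings = {}
    for section in (s for s in cp.sections() if s != "global"):
        expr = cp.get(section, "allowed", fallback="")
        cmds, allow_all, removed = apply_allowed(expr, default)
        hits = sorted(c for c in risky
                      if c in cmds or (allow_all and c not in removed))
        if hits:
            findings[section] = hits
    return findings

# Constructed sample config (not from the post).
SAMPLE = """[default]
allowed : ['ls', 'echo', 'cd', 'll']
[s_testuser]
allowed : + ['newgrp']
[grp:csusers]
allowed : 'all' - ['newgrp']
[opsuser]
allowed : 'all'
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
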