ghantoos / lshell

lshell is a shell coded in Python, that lets you restrict a user's environment to limited sets of commands, choose to enable/disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing restriction, and more.
GNU General Public License v3.0

path settings #113

Closed lmarkov closed 9 years ago

lmarkov commented 9 years ago

Hello,

I use

```
##  list of path to restrict the user "geographicaly"
path            : ['/']
##  set the home folder of your user. If not specified the home_path is set to
##  the $HOME environment variable
home_path   : '/'
```

as the configuration for my user. It's only for tests. I want this user to have access to all folders, but I receive an error:

```
~home$ ls -la
ls: cannot open directory .: Permission denied
~home$ pwd
/home
```

What can cause this?

ghantoos commented 9 years ago

It looks like your system permissions are not allowing your user to list /home. This is not an lshell output, but an ls(1) output.

Can you check the permissions, outside of lshell?

lmarkov commented 9 years ago

```
stat /home/
  File: `/home/'
  Size: 4096    Blocks: 8    IO Block: 4096    directory
Device: ca01h/51713d    Inode: 393217    Links: 13
Access: (0711/drwx--x--x)  Uid: ( 0/ root)  Gid: ( 0/ root)
Access: 2015-09-17 13:28:34.772000021 +0300
Modify: 2015-09-17 12:25:33.995000019 +0300
Change: 2015-09-17 12:25:33.995000019 +0300
```

The second user is set with root permissions and privileges but still doesn't have access.

lmarkov commented 9 years ago

More information, from the command

```
echo $HOME
/
```

when I log in with the second user everything looks like it is set.

The purpose is to use lshell mainly for logs and to forbid several commands, but I want the user to have access to all other system folders and custom scripts. Can you give me an example for this configuration?

ghantoos commented 9 years ago

It looks like you are missing some permissions; 711 is not enough for a user in the root group to read the /home directory. You should at least set it to 751 or 755.

ghantoos commented 9 years ago

You should set the log verbosity to the level you wish. You can use the following to allow all commands, except some of them.

```
# allow all commands except zdiff
allowed : 'all' - ['zdiff']
```

To allow the user access to all the system paths, except some directories:

```
path            : ['/'] - ['/var/log']
```

You need to check that your system allows the user to read the files/directories, with the proper permissions.
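The 711 versus 751/755 point from the thread, as an added example that is not part of the original discussion or of lshell's code: it applies the classic POSIX owner/group/other check to the mode reported by `stat` for /home (0711, root:root). The function names and the non-root account (uid 1001, member of gid 0) are assumptions made for illustration; ACLs and Linux capabilities other than root's bypass are ignored.

```python
import stat


def effective_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx triplet (0-7) that applies to this caller.

    Exactly one class is selected: owner, else group, else other.
    The classes are never combined.
    """
    perms = stat.S_IMODE(mode)
    if uid == owner_uid:
        return (perms >> 6) & 0o7
    if owner_gid in gids:
        return (perms >> 3) & 0o7
    return perms & 0o7


def dir_access(mode, owner_uid, owner_gid, uid, gids):
    """Report whether the caller may list and traverse a directory."""
    if uid == 0:
        # uid 0 bypasses these checks on directories
        return {"list": True, "traverse": True}
    bits = effective_bits(mode, owner_uid, owner_gid, uid, gids)
    return {
        "list": bool(bits & 0o4),      # r: read the directory entries (ls)
        "traverse": bool(bits & 0o1),  # x: cd into it, reach known names
    }


# Values from the stat output in the thread: /home is 0711, uid 0, gid 0.
HOME_MODE = stat.S_IFDIR | 0o711
# Constructed account: a non-root user that belongs to the root group.
USER_UID, USER_GIDS = 1001, {0, 1001}

if __name__ == "__main__":
    for perms in (0o711, 0o751, 0o755):
        mode = stat.S_IFDIR | perms
        result = dir_access(mode, 0, 0, USER_UID, USER_GIDS)
        print(f"{perms:04o} {stat.filemode(mode)} -> {result}")
```

With 0711 the account can `cd` into /home and `pwd` works, but `ls` fails with "Permission denied", matching the session in the first comment. lshell's `path` setting can only narrow what these system permissions already allow.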