ghantoos / lshell

lshell is a shell coded in Python, that lets you restrict a user's environment to limited sets of commands, choose to enable/disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing restriction, and more.
GNU General Public License v3.0

after installing lshell not able to login with user having default shell is lshell #76

Closed unb-read closed 9 years ago

unb-read commented 10 years ago

I am getting the below error after configuring lshell for the user onlinets account.

[root@primeonline2 ~]# su - onlinets
Traceback (most recent call last):
  File "/usr/bin/lshell", line 27, in ?
    from lshell.checkconfig import CheckConfig
ImportError: No module named lshell.checkconfig
[root@primeonline2 ~]# uname -a
Linux primeonline2 2.6.9-42.ELsmp #1 SMP Wed Jul 12 23:27:17 EDT 2006 i686 i686 i386 GNU/Linux
[root@primeonline2 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 4)
[root@primeonline2 ~]# cat /etc/passwd |grep -i onlinets
onlinets:x:1027:1027::/home/onlinets:/usr/bin/lshell

Kindly let me know what could be the issue. I have used the same steps on another server which has the same hardware + OS; there it is working, but not with this system.

xlr-8 commented 10 years ago

I would like to have further information to dig into your issue. Could you answer the following questions:

unb-read commented 10 years ago

What version of lshell are you using? lshell-0.9.16

What version of python are you using? /usr/bin/python2.3

Could you provide your lshell config file as well?

# lshell.py configuration file
#
# $Id: lshell.conf,v 1.27 2010-10-18 19:05:17 ghantoos Exp $

[global]
##  log directory (default /var/log/lshell/ )
logpath         : /var/log/lshell/
##  set log level to 0, 1, 2, 3 or 4  (0: no logs, 1: least verbose,
##                                                 4: log all commands)
loglevel        : 2
##  configure log file name (default is %u i.e. username.log)
#logfilename     : %y%m%d-%u
#logfilename     : syslog

##  in case you are using syslog, you can choose your logname
#syslogname      : myapp

[default]
##  a list of the allowed commands or 'all' to allow all commands in user's PATH
allowed         : ['ls','echo','cd','ll']

##  a list of forbidden character or commands -- deny vim, as it allows to escape lshell
forbidden       : [';', '&', '|','`','>','<', '$(', '${']

##  a list of allowed command to use with sudo(8)
#sudo_commands   : ['ls', 'more']

##  number of warnings when user enters a forbidden value before getting
##  exited from lshell, set to -1 to disable.
warning_counter : 2

##  command aliases list (similar to bash's alias directive)
aliases         : {'ll':'ls -l', 'vim':'rvim'}

##  introduction text to print (when entering lshell)
#intro           : "== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"

##  configure your promt using %u or %h (default: username)
#prompt          : "%u@%h"

##  set sort prompt current directory update (default: 0)
#prompt_short    : 0

##  a value in seconds for the session timer
#timer           : 5

##  list of path to restrict the user "geographicaly"
#path            : ['/home/bla/','/etc']

##  set the home folder of your user. If not specified the home_path is set to
##  the $HOME environment variable
#home_path       : '/home/bla/'

##  update the environment variable $PATH of the user
#env_path        : ':/usr/local/bin:/usr/sbin'

##  a list of path; all executable files inside these path will be allowed
#allowed_cmd_path: ['/home/bla/bin','/home/bla/stuff/libexec']

##  add environment variables
#env_vars        : {'foo':1, 'bar':'helloworld'}

##  allow or forbid the use of scp (set to 1 or 0)
#scp             : 1

## forbid scp upload
#scp_upload       : 0

## forbid scp download
#scp_download     : 0

##  allow of forbid the use of sftp (set to 1 or 0)
#sftp            : 1

##  list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
#overssh         : ['ls', 'rsync']

##  logging strictness. If set to 1, any unknown command is considered as
##  forbidden, and user's warning counter is decreased. If set to 0, command is
##  considered as unknown, and user is only warned (i.e. *** unknown synthax)
strict          : 0

##  force files sent through scp to a specific directory
#scpforce        : '/home/bla/uploads/'

##  history file maximum size
#history_size     : 100

##  set history file name (default is /home/%u/.lhistory)
#history_file     : "/home/%u/.lshell_history"

##  define the script to run at user login
#login_script     : "/path/to/myscript.sh"

ghantoos commented 10 years ago

It looks like your Python installation isn't looking for the files at the right place.

Could you please send me the list of the installed files of your lshell installation (e.g. rpm -ql lshell)?

Also, could you send the output of the following command, in order to see your Python installation's library paths?

python -c "import sys; print sys.path"

Thanks

cd127 commented 9 years ago

Hey, I'm having exactly the same problem. I see this has been "pending" for the past 3 weeks, so maybe I can help with the output.

What version of lshell are you using? lshell-0.9.16

What version of python are you using? /usr/bin/python3.4 (<-Note: different to user unb-read)

Could you provide your lshell config file as well? I started with the default config, then I took the example from man

         # lshell.py configuration file
         #
         # $Id: lshell.conf,v 1.27 2010-10-18 19:05:17 ghantoos Exp $

          # CONFIURATION START
          [global]
          logpath         : /var/log/lshell/
          loglevel        : 2

          [default]
          allowed         : ['ls','pwd']
          forbidden       : [';', '&', '|']
          warning_counter : 2
          timer           : 0
          path            : ['/etc', '/usr']
          env_path        : ':/sbin:/usr/bin/'
          scp             : 1 # or 0
          sftp            : 1 # or 0
          overssh         : ['rsync','ls']
          aliases         : {'ls':'ls --color=auto','ll':'ls -l'}

          [grp:users]
          warning_counter : 5
          overssh         : - ['ls']

          [emailuser]
          allowed         : 'all' - ['su']
          path            : ['/var', '/usr'] - ['/usr/local']
          home_path       : '/home/emailuser'

          [bar]
          allowed         : + ['ping'] - ['ls']
          path            : - ['/usr/local']
          strict          : 1
          scpforce        : '/home/bar/uploads/'
          # CONFIURATION END

Could you please send me the list of the installed files of your lshell installation (e.g. rpm -ql lshell)? I could not figure out how to do this in Arch linux - can you help? I tried the (seemingly) equivalent "pacman -Ql lshell" but I get the error

         error: package 'lshell' was not found
         warning: 'lshell' is a file, you might want to use -p/--file.

(also tried with -p)

Also, could you send the output of the following command, in order to see your Python installation's library paths?

         $ python -c "import sys; print (sys.path)"
         ['', '/usr/lib/python34.zip', '/usr/lib/python3.4', '/usr/lib/python3.4/plat-linux', '/usr/lib/python3.4/lib-dynload', '/usr/lib/python3.4/site-packages']

I am very much looking forward to figuring this out and trying out your lshell. Thanks in advance

unb-read commented 9 years ago

Installation log :-

[root@primeonline2 lshell-0.9.16]# python setup.py install --no-compile --install-scripts=/usr/bin/
running install
running build
running build_py
creating build
creating build/lib
creating build/lib/lshell
copying lshell/shellcmd.py -> build/lib/lshell
copying lshell/checkconfig.py -> build/lib/lshell
copying lshell/init.py -> build/lib/lshell
copying lshell/utils.py -> build/lib/lshell
running build_scripts
creating build/scripts-2.3
copying and adjusting bin/lshell -> build/scripts-2.3
changing mode of build/scripts-2.3/lshell from 640 to 755
running install_lib
running install_scripts
copying build/scripts-2.3/lshell -> /usr/bin
changing mode of /usr/bin/lshell to 755
running install_data
copying README -> /usr/share/doc/lshell

lshell Config file :

# lshell.py configuration file
#
# $Id: lshell.conf,v 1.27 2010-10-18 19:05:17 ghantoos Exp $

[global]
##  log directory (default /var/log/lshell/ )
logpath         : /var/log/lshell/
##  set log level to 0, 1, 2, 3 or 4  (0: no logs, 1: least verbose,
##                                                 4: log all commands)
loglevel        : 2
##  configure log file name (default is %u i.e. username.log)
#logfilename     : %y%m%d-%u
#logfilename     : syslog

##  in case you are using syslog, you can choose your logname
#syslogname      : myapp

[default]
##  a list of the allowed commands or 'all' to allow all commands in user's PATH
allowed         : ['ls','echo','cd','ll']

##  a list of forbidden character or commands -- deny vim, as it allows to escape lshell
forbidden       : [';', '&', '|','`','>','<', '$(', '${']

##  a list of allowed command to use with sudo(8)
#sudo_commands   : ['ls', 'more']

##  number of warnings when user enters a forbidden value before getting
##  exited from lshell, set to -1 to disable.
warning_counter : 2

##  command aliases list (similar to bash's alias directive)
aliases         : {'ll':'ls -l', 'vim':'rvim'}

##  introduction text to print (when entering lshell)
#intro           : "== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"

##  configure your promt using %u or %h (default: username)
#prompt          : "%u@%h"

##  set sort prompt current directory update (default: 0)
#prompt_short    : 0

##  a value in seconds for the session timer
#timer           : 5

##  list of path to restrict the user "geographicaly"
#path            : ['/home/bla/','/etc']

##  set the home folder of your user. If not specified the home_path is set to
##  the $HOME environment variable
#home_path       : '/home/bla/'

##  update the environment variable $PATH of the user
#env_path        : ':/usr/local/bin:/usr/sbin'

##  a list of path; all executable files inside these path will be allowed
#allowed_cmd_path: ['/home/bla/bin','/home/bla/stuff/libexec']

##  add environment variables
#env_vars        : {'foo':1, 'bar':'helloworld'}

##  allow or forbid the use of scp (set to 1 or 0)
#scp             : 1

## forbid scp upload
#scp_upload       : 0

## forbid scp download
#scp_download     : 0

##  allow of forbid the use of sftp (set to 1 or 0)
#sftp            : 1

##  list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
#overssh         : ['ls', 'rsync']

##  logging strictness. If set to 1, any unknown command is considered as
##  forbidden, and user's warning counter is decreased. If set to 0, command is
##  considered as unknown, and user is only warned (i.e. *** unknown synthax)
strict          : 0

##  force files sent through scp to a specific directory
#scpforce        : '/home/bla/uploads/'

##  history file maximum size
#history_size     : 100

##  set history file name (default is /home/%u/.lhistory)
#history_file     : "/home/%u/.lshell_history"

##  define the script to run at user login
#login_script     : "/path/to/myscript.sh"

I have not used the RPM now, so installed with tar.

python output:

[root@primeonline2 lshell-0.9.16]# python -c "import sys; print (sys.path)"
['', '/usr/lib/python23.zip', '/usr/lib/python2.3', '/usr/lib/python2.3/plat-linux2', '/usr/lib/python2.3/lib-tk', '/usr/lib/python2.3/lib-dynload', '/usr/lib/python2.3/site-packages', '/usr/lib/python2.3/site-packages/gtk-2.0']

unb-read commented 9 years ago

[root@primeonline2 lshell-0.9.16]# find / |grep -i lshel | grep -iv home
/etc/lshell.conf.rpmsave
/etc/logrotate.d/lshell
/etc/logrotate.d/lshell.bkp
/etc/logrotate.d/lshell.rpmnew
/etc/lshell.conf.rpmnew
/etc/lshell.conf.new
/etc/lshell.conf
/etc/lshell.conf.orig
/etc/lshell.conf.bkp
/var/log/lshell
/var/log/lshell/20140610-root.log
/var/log/lshell/root.log
/var/log/lshell/20140522-root.log
/var/log/lshell/onlinets.log
/var/log/lshell/20140610-onlinets.log
/usr/src/redhat/BUILD/lshell-0.9.15.1
/usr/src/redhat/BUILD/lshell-0.9.15.1/build
/usr/src/redhat/BUILD/lshell-0.9.15.1/build/lib
/usr/src/redhat/BUILD/lshell-0.9.15.1/build/lib/lshell.py
/usr/src/redhat/BUILD/lshell-0.9.15.1/build/scripts-2.3
/usr/src/redhat/BUILD/lshell-0.9.15.1/build/scripts-2.3/lshell
/usr/src/redhat/BUILD/lshell-0.9.15.1/etc
/usr/src/redhat/BUILD/lshell-0.9.15.1/etc/lshell.conf
/usr/src/redhat/BUILD/lshell-0.9.15.1/etc/logrotate.d
/usr/src/redhat/BUILD/lshell-0.9.15.1/etc/logrotate.d/lshell
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/lshell-makejail.conf
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/lshell.docs
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/lshell.examples
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/copyright
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/lshell.postrm
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/lshell.dirs
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/pyversions
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/compat
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/source
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/source/format
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/lshell.postinst
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/rules
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/control
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/watch
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/pycompat
/usr/src/redhat/BUILD/lshell-0.9.15.1/debian/changelog
/usr/src/redhat/BUILD/lshell-0.9.15.1/COPYING
/usr/src/redhat/BUILD/lshell-0.9.15.1/MANIFEST.in
/usr/src/redhat/BUILD/lshell-0.9.15.1/CHANGES
/usr/src/redhat/BUILD/lshell-0.9.15.1/bin
/usr/src/redhat/BUILD/lshell-0.9.15.1/bin/lshell
/usr/src/redhat/BUILD/lshell-0.9.15.1/INSTALLED_FILES
/usr/src/redhat/BUILD/lshell-0.9.15.1/README
/usr/src/redhat/BUILD/lshell-0.9.15.1/man
/usr/src/redhat/BUILD/lshell-0.9.15.1/man/lshell.1
/usr/src/redhat/BUILD/lshell-0.9.15.1/debugfiles.list
/usr/src/redhat/BUILD/lshell-0.9.15.1/debugsources.list
/usr/src/redhat/BUILD/lshell-0.9.15.1/setup.py
/usr/src/redhat/BUILD/lshell-0.9.15.1/rpm
/usr/src/redhat/BUILD/lshell-0.9.15.1/rpm/postuninstall
/usr/src/redhat/BUILD/lshell-0.9.15.1/rpm/preinstall
/usr/src/redhat/BUILD/lshell-0.9.15.1/rpm/postinstall
/usr/src/redhat/BUILD/lshell-0.9.15.1/rpm/lshell.spec
/usr/src/redhat/BUILD/lshell-0.9.15.1/test
/usr/src/redhat/BUILD/lshell-0.9.15.1/test/test_lshell.py
/usr/src/redhat/BUILD/lshell-0.9.15.1/lshellmodule
/usr/src/redhat/BUILD/lshell-0.9.15.1/lshellmodule/lshell.py
/usr/src/redhat/BUILD/lshell-0.9.15.1/Makefile
/usr/src/redhat/BUILD/lshell-0.9.15.1/TODO
/usr/src/redhat/RPMS/noarch/lshell-0.9.15.1-1.noarch.rpm
/usr/lib/python2.3/site-packages/lshell
/usr/lib/python2.3/site-packages/lshell/init.pyc
/usr/lib/python2.3/site-packages/lshell/utils.pyc
/usr/lib/python2.3/site-packages/lshell/utils.py
/usr/lib/python2.3/site-packages/lshell/init.py
/usr/lib/python2.3/site-packages/lshell/shellcmd.py
/usr/lib/python2.3/site-packages/lshell/shellcmd.pyc
/usr/lib/python2.3/site-packages/lshell/checkconfig.pyc
/usr/lib/python2.3/site-packages/lshell/checkconfig.py
/usr/bin/lshell.bkp
/usr/bin/lshell
/usr/bin/lshell.lastbkp
/usr/share/doc/lshell
/usr/share/doc/lshell/README.md
/usr/share/doc/lshell/COPYING
/usr/share/doc/lshell/CHANGES
/usr/share/doc/lshell/README
/usr/share/man/man1/lshell.1

cd127 commented 9 years ago

Any advances on this thread? I'm still hoping to get it working some day :)

ghantoos commented 9 years ago

Were you able to resolve this issue?

cd127 commented 9 years ago

No, unfortunately not. I gave up and went for an alternative :/

ghantoos commented 9 years ago

I was re-reading the thread yesterday. I think the best way to resolve this (if it is still relevant :)) is to contact the maintainer of the lshell package for your distribution. I will do my best to test this on a RHEL instance. I'm keeping the issue open till then.

Sorry you had to go with an alternative, but happy you found one. :)

ghantoos commented 9 years ago

Unable to reproduce with centos6+python2.6.5 fresh install. What I did:

Python3 is not yet supported.

siru88 commented 5 years ago

It is because the normal user has no privilege to access the following folders/files.

chmod 755 /usr/lib/python2.7/site-packages/lshell/ -R

and

chmod 644 /etc/lshell.conf
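
The permission cause named in the last comment can be confirmed read-only before running any chmod. The following is an added example, not part of the thread or of lshell: it reports entries of the lshell package tree and config that a user outside the owner and group cannot read or traverse, and also flags group- or world-writable entries, which matter for code a restricted shell imports. The function names and the constructed demo tree are assumptions; the two paths in the `__main__` block are the ones from the last comment.

```python
import os
import shutil
import stat
import tempfile

def audit_tree(root):
    """Return (path, problem) pairs for root and everything below it."""
    # Assumption: the login user is neither owner nor in the group of these
    # files, so only the "other" permission bits decide access.
    findings = []
    def check(path):
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            return  # a symlink's own mode bits are not used for access
        if stat.S_ISDIR(mode):
            needed = stat.S_IROTH | stat.S_IXOTH
            if (mode & needed) != needed:
                findings.append((path, "directory not readable/searchable by others"))
        elif not mode & stat.S_IROTH:
            findings.append((path, "file not readable by others"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or others"))
    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return findings

def demo():
    """Audit a constructed tree mimicking an install done under a tight umask."""
    base = tempfile.mkdtemp()
    try:
        pkg = os.path.join(base, "lshell")
        os.mkdir(pkg)
        for name, mode in (("lshell/__init__.py", 0o644),
                           ("lshell/checkconfig.py", 0o640), ("lshell.conf", 0o666)):
            path = os.path.join(base, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(pkg, 0o750)
        found = audit_tree(pkg) + audit_tree(os.path.join(base, "lshell.conf"))
        return [(os.path.relpath(p, base), why) for p, why in found]
    finally:
        shutil.rmtree(base)

if __name__ == "__main__":
    for target in ("/usr/lib/python2.7/site-packages/lshell", "/etc/lshell.conf"):
        for path, why in (audit_tree(target) if os.path.lexists(target) else []):
            print(path, "-", why)
```

The audit reads mode bits rather than calling `os.access`, so it gives the same answer when run as root.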