Closed sgohl closed 9 years ago
Hello,
Seems to work fine here:
# lshell --version
lshell-0.9.16 - Limited Shell
# su - lshell
Password:
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
lshell:~$ ?
cd clear echo exit export help history ll lpath ls lsudo sleep mkdir touch
lshell:~$ cd .ssh
lshell: .ssh: No such file or directory
lshell:~$ mkdir .ssh
lshell:~$ cd .ssh
lshell:~/.ssh$ ls
lshell:~$ touch test
lshell:~/.ssh$ ls
test
lshell:~/.ssh$
My config file is very basic, are you using the latest version? Or having special configuration?
Cheers,
Hi, and thanks for your comment. I am also using lshell-0.9.16. I just found out that the problem is related to the following: forbidden : ['sh']
lshell detects the string "sh" in the command "cd .ssh"
Can I work around that with a regular expression?
I just want to forbid users from doing "screen sh": although "sh" is actually forbidden, it can be fired up using screen. But I need to have screen allowed.
Oh well, I just found out that in CentOS 7 the /bin/sh is just a symbolic link to /bin/bash. I now just deleted this symbolic link :D
Unfortunately that resulted in not being able to sudo anymore, so the symbolic link sh->bash is mandatory. Now the issue is actually that users are able to spawn a bash by running "screen bash", although bash is forbidden via lshell.conf.
@port22 couldn't you forbid the 'screen' command instead? That would make more sense to me. Now, regarding the regex issue, I'll try to take a look at it once I've freed up some time!
screen is forbidden by default. I allowed it manually because developers have to have the ability to run processes, close their terminals and come back later for stopping those processes like "compass watch", "nodemon" etc.
Have you tried the following? You could forbid a better match, e.g.:
forbidden : [';', '&', '`','>','<', '$(', '${', 'screen sh', 'screen bash']
Which results in:
ghantoos:~$ screen sh
*** forbidden syntax: screen sh
ghantoos:~$ screen bash
*** forbidden syntax: screen bash
ghantoos:~$ screen -ls
No Sockets found in /var/run/screen/S-ghantoos.
Tell me if this works for you.
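To make the behaviour discussed in this thread concrete, here is an added example (not lshell's own code, and not posted by anyone in the thread): a simplified model of a forbidden-list check that, like the one described above, does a plain substring search over the typed command line. It shows why forbidden : ['sh'] rejects "cd .ssh", why the narrower 'screen sh' / 'screen bash' entries let "cd .ssh" and "screen -ls" through, and also the caveat a practitioner should keep in mind: a substring match on 'screen sh' does not catch variants such as "screen /bin/sh" or "screen -S dev bash". The regex_forbidden helper and its SHELL_VIA_SCREEN pattern are a hypothetical word-boundary alternative sketched here to answer the "can I work around that with a regular expression?" question; they are not an lshell configuration option. The sample commands are constructed for the example.

```python
import re

# Constructed sample: the broad list from the original report (the 'sh' entry
# is what blocks "cd .ssh") and the narrower list suggested in the reply.
BROAD_FORBIDDEN = [';', '&', '`', '>', '<', '$(', '${', 'sh']
NARROW_FORBIDDEN = [';', '&', '`', '>', '<', '$(', '${', 'screen sh', 'screen bash']


def substring_forbidden(cmd, forbidden):
    """Return the first forbidden token found anywhere in cmd, or None.

    Plain substring search, i.e. a simplified model of the behaviour the
    thread describes ('sh' matches inside '.ssh'); this is NOT lshell's code.
    """
    for token in forbidden:
        if token in cmd:
            return token
    return None


# Hypothetical regex alternative (not an lshell option): only flag 'sh' or
# 'bash' when it appears as a whole word somewhere after a 'screen' command.
# Word boundaries mean 'cd .ssh', 'screen -ls' and 'screenshot' do not match,
# while 'screen /bin/sh', 'screen  sh' and 'screen -S dev bash' do.
SHELL_VIA_SCREEN = re.compile(r'(^|\s)screen\b.*\b(sh|bash)\b')


def regex_forbidden(cmd, patterns=(SHELL_VIA_SCREEN,)):
    """Return the matched text if any pattern fires on cmd, else None."""
    for pat in patterns:
        m = pat.search(cmd)
        if m:
            return m.group(0).strip()
    return None


# Constructed commands covering the cases discussed in the thread plus two
# variants that a substring list does not see.
SAMPLE_COMMANDS = [
    "cd .ssh",            # the false positive from the original report
    "screen sh",
    "screen bash",
    "screen -ls",
    "screen /bin/sh",     # slips past the narrow substring list
    "screen -S dev bash", # so does this one
]


def evaluate(checker):
    """Map each sample command to the token/pattern that blocks it (or None)."""
    return {cmd: checker(cmd) for cmd in SAMPLE_COMMANDS}


if __name__ == "__main__":
    tables = [
        ("substring, forbidden contains 'sh'",
         lambda c: substring_forbidden(c, BROAD_FORBIDDEN)),
        ("substring, 'screen sh' / 'screen bash'",
         lambda c: substring_forbidden(c, NARROW_FORBIDDEN)),
        ("regex, whole-word shell after 'screen'", regex_forbidden),
    ]
    for title, checker in tables:
        print(f"== {title}")
        for cmd, hit in evaluate(checker).items():
            verdict = f"*** forbidden syntax: {hit}" if hit else "allowed"
            print(f"  {cmd!r:24} -> {verdict}")
```

Running the script prints one table per strategy. The substring model reproduces both sides of the thread (the 'sh' entry blocks "cd .ssh"; the narrower entries block exactly "screen sh" and "screen bash"), and the last two sample commands show where a substring list stops and a word-boundary pattern is needed if "screen" itself has to stay allowed.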
I'm curious. I'm quite sure I tested that at the very beginning, and it didn't work. Now I tested again, and it forbids it like it should. It's kinda magic :D Thanks a lot, and sorry for the spam :D btw lshell is very great, love it!
:+1: :)
Hi, can't find a way how to allow a user to access his own .ssh/ - folder to store his authorized_key:
$ cd .ssh
*** forbidden syntax: cd .ssh
I could mkdir "ssh" or ".ssh", but not cd ".ssh" or cd "ssh".