search

ghantoos / lshell

lshell is a shell coded in Python, that lets you restrict a user's environment to limited sets of commands, choose to enable/disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing restriction, and more.
GNU General Public License v3.0
436 stars 112 forks source link

cd .ssh ->forbidden syntax #88

Closed sgohl closed 9 years ago

sgohl commented 9 years ago

Hi, can't find a way how to allow a user to access his own .ssh/ - folder to store his authorized_key:

$ cd .ssh *\ forbidden syntax: cd .ssh

I could mkdir "ssh" ".ssh" but not cd ".ssh" or cd "ssh"

xlr-8 commented 9 years ago

Hello,

Seems to work fine here:

# lshell --version
lshell-0.9.16 - Limited Shell
# su - lshell
Password: 
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
lshell:~$ ?
cd  clear  echo  exit  export  help  history  ll  lpath  ls  lsudo  sleep mkdir touch
lshell:~$ cd .ssh
lshell: .ssh: No such file or directory
lshell:~$ mkdir .ssh
lshell:~$ cd .ssh
lshell:~/.ssh$ ls   
lshell:~$ touch test
lshell:~/.ssh$ ls 
test
lshell:~/.ssh$

My config file is very basic, are you using the latest version? Or having special configuration?

Cheers,

sgohl commented 9 years ago

Hi and thanks for your comment, I am also using lshell-0.9.16 I just found out that the problem is related to the following: forbidden : ['sh']

lshell detects the string "sh" in the command "cd .ssh"

Can I work around that with a regular expression?

I just want to forbid users to do "screen sh" which, although "sh" is actually forbidden, it can be fired up using screen. But I need to have screen allowed.

sgohl commented 9 years ago

Oh well, I just found out that in CentOS 7 the /bin/sh is just a symolic link to /bin/bash. I now just deleted this symbolic link :D

sgohl commented 9 years ago

unfortunately that resulted in not being able to sudo anymore, so the symbolic link sh->bash is mandatory. Now then the issue is actually that users are able to spawn a bash by running "screen bash", although the bash is forbidden via lshell.conf

xlr-8 commented 9 years ago

@port22 couldn't you forbid the 'screen' command instead? That would makes more sense to me. Now, regarding the regex issue, I'll try to take a look at it once I freed some time!

sgohl commented 9 years ago

screen is forbidden by default. I allowed it manually because developers have to have the ability to run processes, close their terminals and come back later for stopping those processes like "compass watch", "nodemon" etc.

ghantoos commented 9 years ago

Have you tried the following? You could forbid better match, e.g.:

forbidden       : [';', '&', '`','>','<', '$(', '${', 'screen sh', 'screen bash']

Which results in:

ghantoos:~$ screen sh
*** forbidden syntax: screen sh
ghantoos:~$ screen bash
*** forbidden syntax: screen bash
ghantoos:~$ screen -ls
No Sockets found in /var/run/screen/S-ghantoos.

Tell me if this works for you.

sgohl commented 9 years ago

I'm curious. I'm quite sure I tested that at the very beginning, and it didn't work. Now I tested again, and it forbids it like it should. It'a kinda magic :D Thanks a lot, and sorry for the spam :D btw lshell is very great, love it!

ghantoos commented 9 years ago

:+1: :)