lshell - Online in the Cloud

PROGRAM:

NAME


lshell - Limited Shell

SYNOPSIS


lshell [OPTIONS]

DESCRIPTION


lshell provides a limited shell configured per user. Configuration is done through a
single configuration file. Coupled with ssh's authorized_keys, or with /etc/shells
and /etc/passwd, it makes it easy to restrict a user's access to a limited set of
commands.

OPTIONS


--config <FILE>
Specify config file

--log <DIR>
Specify the log directory

--<param> <value>
where <param> is *any* config file parameter

-h, --help
Show help message

--version
Show version

CONFIGURATION


You can configure lshell through its configuration file:

On Linux -> /etc/lshell.conf
On *BSD -> /usr/{pkg,local}/etc/lshell.conf

lshell configuration has 4 types of sections:

[global] -> lshell system configuration (only 1)
[default] -> lshell default user configuration (only 1)
[foo] -> UNIX username "foo" specific configuration
[grp:bar] -> UNIX groupname "bar" specific configuration

Order of priority when loading preferences is the following:

1- User configuration
2- Group configuration
3- Default configuration

[global]
logpath
log directory path (default is /var/log/lshell/)

loglevel
0, 1, 2, 3 or 4 (0: no logs -> 4: logs everything)

logfilename
- set to syslog in order to log to syslog
- set log file name, e.g. %u-%y%m%d (i.e. foo-20091009.log):
%u -> username
%d -> day [1..31]
%m -> month [1..12]
%y -> year [00..99]
%h -> time [00:00..23:59]

syslogname
in case you are using syslog, set your logname (default: lshell)

include_dir
include a directory containing multiple configuration files. These files can only
contain default/user/group configuration. The global configuration will only be
loaded from the default configuration file. This variable will be expanded (e.g.
/path/*.conf).

[default] and/or [username] and/or [grp:groupname]
aliases
command aliases list (similar to bash's alias directive)

allowed
a list of the allowed commands or set to 'all' to allow all commands in user's PATH

allowed_cmd_path
a list of paths; all executable files inside these paths will be allowed

env_path
update the environment variable $PATH of the user (optional)

env_vars
set environment variables (optional)

forbidden
a list of forbidden characters or commands

history_file
set the history filename. A wildcard can be used:
%u -> username (e.g. '/home/%u/.lhistory')

history_size
set the maximum size (in lines) of the history file

home_path (deprecated)
set the home folder of your user. If not specified, the home directory is set to
the $HOME environment variable. This variable will be removed in the next version
of lshell, please use your system's tools to set a user's home directory. A
wildcard can be used:
%u -> username (e.g. '/home/%u')

intro
set the introduction to print at login

login_script
define the script to run at user login

passwd
password of specific user (default is empty)

path
list of paths the user is restricted to. It is possible to use wildcards
(e.g. '/var/log/ap*').

prompt
set the user's prompt format (default: username)
%u -> username
%h -> hostname

prompt_short
set short prompt current directory update - set to 1 or 0

overssh
list of commands allowed to execute over ssh (e.g. rsync, rdiff-backup, scp, etc.)

scp
allow or forbid the use of scp connection - set to 1 or 0

scpforce
force files sent through scp to a specific directory

scp_download
set to 0 to forbid scp downloads (default is 1)

scp_upload
set to 0 to forbid scp uploads (default is 1)

sftp
allow or forbid the use of sftp connection - set to 1 or 0.

WARNING: This option will not work if you are using OpenSSH's internal-sftp service
(e.g. when configured in chroot)

sudo_commands
a list of the allowed commands that can be used with sudo(8). If set to 'all', all
the 'allowed' commands will be accessible through sudo(8).

It is possible to use the -u sudo flag in order to run a command as a different
user than the default root.

timer
a value in seconds for the session timer

strict
logging strictness. If set to 1, any unknown command is considered as forbidden,
and the user's warning counter is decreased. If set to 0, the command is considered as
unknown, and the user is only warned (i.e. *** unknown synthax)

warning_counter
number of warnings a user gets for entering forbidden values before being exited from
lshell. Set to -1 to disable the counter, and just warn the user.

SHELL BUILTIN COMMANDS


Here is the set of commands that are always available with lshell:

clear
clears the terminal

help, ?
print the list of allowed commands

history
print the commands history

lpath
lists all allowed and forbidden paths

lsudo
lists all sudo allowed commands

EXAMPLES


$ lshell
Tries to run lshell using default ${PREFIX}/etc/lshell.conf as configuration file.
If it fails a warning is printed and lshell is interrupted. lshell options are
loaded from the configuration file

$ lshell --config /path/to/myconf.file --log /path/to/mylog.log
This will override the default options specified for configuration and/or log file

USE CASE


The primary goal of lshell was to be able to create shell accounts with ssh access and
restrict their environment to a couple of needed commands. In this example, user 'foo' and
user 'bar' both belong to the 'users' UNIX group:

User foo:
- must be able to access /usr and /var but not /usr/local
- can use all commands in his PATH except 'su'
- has a warning counter set to 5
- has his home path set to '/home/users'

User bar:
- must be able to access /etc and /usr but not /usr/local
- is allowed default commands plus 'ping' minus 'ls'
- strictness is set to 1 (meaning he is not allowed to type an unknown command)

In this case, my configuration file will look something like this:

# CONFIGURATION START
[global]
logpath : /var/log/lshell/
loglevel : 2

[default]
allowed : ['ls','pwd']
forbidden : [';', '&', '|']
warning_counter : 2
timer : 0
path : ['/etc', '/usr']
env_path : ':/sbin:/usr/bin/'
scp : 1 # or 0
sftp : 1 # or 0
overssh : ['rsync','ls']
aliases : {'ls':'ls --color=auto','ll':'ls -l'}

[grp:users]
warning_counter : 5
overssh : - ['ls']

[foo]
allowed : 'all' - ['su']
path : ['/var', '/usr'] - ['/usr/local']
home_path : '/home/users'

[bar]
allowed : + ['ping'] - ['ls']
path : - ['/usr/local']
strict : 1
scpforce : '/home/bar/uploads/'
# CONFIGURATION END
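
How the '+' and '-' operators and the user, group, default priority combine for the sections above can be modelled in a few lines of Python. This is an added example, not lshell's own code: CONF is a constructed copy of the 'allowed' and 'overssh' lines from the use case, the helper names are hypothetical, and 'all' is expanded from a caller-supplied list standing in for the commands in the user's PATH.

```python
import ast
import re

# Constructed sample: the 'allowed' and 'overssh' lines from the
# [default], [grp:users], [foo] and [bar] sections of the use case.
CONF = {
    "default":   {"allowed": "['ls','pwd']", "overssh": "['rsync','ls']"},
    "grp:users": {"overssh": "- ['ls']"},
    "foo":       {"allowed": "'all' - ['su']"},
    "bar":       {"allowed": "+ ['ping'] - ['ls']"},
}

# One term of a value: an optional '+' or '-', then 'all' or a list literal.
TOKEN = re.compile(r"([+-])?\s*('all'|\[[^\]]*\])")

def apply_expr(inherited, expr, path_cmds):
    """Apply one configuration value on top of the inherited set."""
    result = set(inherited)
    for op, term in TOKEN.findall(expr):
        items = set(path_cmds) if term == "'all'" else set(ast.literal_eval(term))
        if op == "+":
            result |= items
        elif op == "-":
            result -= items
        else:
            # A bare leading term replaces whatever was inherited.
            result = items
    return result

def effective(user, groups, key, path_cmds=()):
    """Resolve key for user: default first, then groups, then the user
    section, so the user section has the highest priority."""
    result = set()
    for section in ["default"] + ["grp:" + g for g in groups] + [user]:
        expr = CONF.get(section, {}).get(key)
        if expr is not None:
            result = apply_expr(result, expr, path_cmds)
    return sorted(result)

if __name__ == "__main__":
    # path_cmds is an assumed stand-in for what foo's PATH contains.
    print("foo allowed:", effective("foo", ["users"], "allowed", ["ls", "cat", "su"]))
    print("bar allowed:", effective("bar", ["users"], "allowed"))
    print("bar overssh:", effective("bar", ["users"], "overssh"))
```

Resolving each account this way before deployment makes inherited entries visible, such as the [grp:users] section removing 'ls' from the over-ssh list for every member of the group.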

NOTES


In order to log a user's warnings into the logging directory (default /var/log/lshell/),
you must first create the folder (if it doesn't exist yet) and chown it to the lshell group:

# addgroup --system lshell
# mkdir /var/log/lshell
# chown :lshell /var/log/lshell
# chmod 770 /var/log/lshell

then add the user to the lshell group:

# usermod -aG lshell user_name

In order to set lshell as default shell for a user:

On Linux:
# chsh -s /usr/bin/lshell user_name

On *BSD:
# chsh -s /usr/{pkg,local}/bin/lshell user_name
