Step by step lshell configuration in Linux

Linuxtopic

lshell is a shell written in Python. It is also called a "limited shell": it gives the user a restricted environment in which we can limit access to specific commands, files and directories.

Install lshell on CentOS / RHEL

yum install epel*

yum install lshell

Install on Debian

apt-get update

apt-get install lshell

Configure lshell

The configuration file lshell.conf is located in the /etc directory. There are four basic sections in the configuration file:

1 - [global]

2 - [default]

3 - [grp:groupname]

4 - [username]

1 - [global] : settings that apply globally to all users (for example, logging)

[global]



## log directory (default /var/log/lshell/ )

logpath : /var/log/lshell/

## set log level to 0, 1, 2, 3 or 4 (0: no logs, 1: least verbose,

## 4: log all commands)

loglevel : 2

## configure log file name (default is %u i.e. username.log)

#logfilename : %y%m%d-%u

#logfilename : syslog

## in case you are using syslog, you can choose your logname

#syslogname : myapp

By default, all users log to the /var/log/lshell directory at log level 2.

2 - [default] : default values that apply to all users and groups.



[default]



## a list of the allowed commands or 'all' to allow all commands in user's PATH

allowed : ['ls','echo','cd','ll','cat','elinks','ip']

# We allow the cat, ip and elinks commands

## a list of forbidden character or commands -- deny vim, as it allows to escape lshell

forbidden : [';', '&', '|','`','>','<', '$(', '${']

## a list of allowed command to use with sudo(8)

sudo_commands : ['ls','ifconfig','more']

# We allow the ifconfig command

## number of warnings when user enters a forbidden value before getting

## exited from lshell, set to -1 to disable.

warning_counter : 2

## command aliases list (similar to bash's alias directive)

aliases : {'ll':'ls -l', 'vim':'rvim', 'cat':'cat', 'link':'ip r', 'elinks':'link'}

We set the alias "link" for checking the routing table with the "ip r" command.

## introduction text to print (when entering lshell)

#intro : "== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"

## configure your prompt using %u or %h (default: username)

#prompt : "%u@%h"

## set short prompt current directory update (default: 0)

#prompt_short : 0

## a value in seconds for the session timer

#timer : 5

## list of path to restrict the user "geographically"

#path : ['/home/bla/','/etc']

## set the home folder of your user. If not specified the home_path is set to

## the $HOME environment variable

#home_path : '/home/bla/'

## update the environment variable $PATH of the user

#env_path : ':/usr/local/bin:/usr/sbin'

## a list of path; all executable files inside these path will be allowed

#allowed_cmd_path: ['/home/bla/bin','/home/bla/stuff/libexec']

## add environment variables

#env_vars : {'foo':1, 'bar':'helloworld'}

## allow or forbid the use of scp (set to 1 or 0)

#scp : 1

## forbid scp upload

#scp_upload : 0

## forbid scp download

#scp_download : 0

## allow or forbid the use of sftp (set to 1 or 0)

#sftp : 1

## list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)

#overssh : ['ls', 'rsync']

## logging strictness. If set to 1, any unknown command is considered as

## forbidden, and user's warning counter is decreased. If set to 0, command is

## considered as unknown, and user is only warned (i.e. *** unknown syntax)

strict : 0

## force files sent through scp to a specific directory

#scpforce : '/home/bla/uploads/'

## history file maximum size

#history_size : 100

## set history file name (default is /home/%u/.lhistory)

#history_file : "/home/%u/.lshell_history"

## define the script to run at user login

#login_script : "/path/to/myscript.sh"

3 - [grp:groupname] : a group section with specific settings for all users in that group



## Add Group



[grp:network]



allowed : + ['ping','ifconfig','traceroute','tracepath','routes','ssh','tail','cd','pwd','ls','lynx','cat','df','telnet']

aliases : {'ll':'ls -l', 'vim':'rvim', 'routes':'ip a'}

path : ['/tmp','/var/log','/var/www/html']

We create a network support group, allow some network-related commands, and allow the group to see the log folder.


4 - [username] : per-user settings, commands and more, that apply to that user only



# Add User



[lokesh]



allowed : ['ifconfig','APACHESTOP','APACHESTART','DBSTART','DBSTOP','traceroute','ping','tracepath','date','su']

aliases : {'ll':'ls -l', 'vim':'rvim','APACHESTOP': 'sudo /usr/bin/systemctl stop httpd.service','APACHESTART': 'sudo /usr/bin/systemctl start httpd.service','DBSTART': 'sudo /usr/bin/systemctl start mariadb.service','DBSTOP': 'sudo /usr/bin/systemctl stop mariadb.service'}

forbidden : [';', '&', '|','`','>','<', '$(', '${']

warning_counter : 2

strict : 0

env_path : ':/usr/local/bin:/usr/sbin:/usr/bin:/sbin'

We create the lokesh user and allow some service-level commands.
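As an added check (not part of the original post or of lshell itself), the following Python script parses an lshell.conf laid out like the sections above, evaluates each Python-literal value, and reports the slips that are easy to make by hand: curly quotes pasted from a word processor, a repeated key in an aliases dictionary (which silently drops the earlier alias), and a forbidden list that no longer contains the default separator characters. The configuration text inside it is constructed for the demonstration.

```python
import ast
import configparser
import io
# Curly quotes pasted from a word processor break a Python literal.
SMART_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
# Separator characters in lshell's default 'forbidden' list (they allow command chaining).
EXPECTED_FORBIDDEN = {";", "&", "|", "`", ">", "<", "$(", "${"}

# Constructed sample with slips that are easy to make by hand (not the page's own file).
SAMPLE_CONF = """[default]
allowed : ['ls', 'cat']
aliases : {'ll':'ls -l', ‘link’:‘ip r’}
[grp:network]
allowed : + ['ping', 'traceroute']
forbidden : [';', '|']
[lokesh]
aliases : {'APACHESTART': 'sudo systemctl start httpd.service', 'APACHESTART': 'sudo systemctl start mariadb.service'}
"""

def parse_value(raw):
    # Evaluate one value; a leading '+'/'-' extends or trims the [default] list.
    mode, text = None, raw.translate(SMART_QUOTES).strip()
    issues = ["smart quotes"] if text != raw.strip() else []
    if text and text[0] in "+-":
        mode, text = text[0], text[1:].strip()
    node = ast.parse(text, mode="eval").body  # SyntaxError here means a broken literal
    if isinstance(node, ast.Dict):  # a repeated key silently drops the earlier alias
        keys = [k.value for k in node.keys if isinstance(k, ast.Constant)]
        dups = sorted({k for k in keys if keys.count(k) > 1})
        if dups:
            issues.append("duplicate keys: " + ", ".join(dups))
    return mode, ast.literal_eval(node), issues

def lint_lshell_conf(text):
    # Return {section: [issue, ...]} for every section that has a problem.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    report = {}
    for section in cp.sections():
        found = []
        for key, raw in cp.items(section):
            mode, value, issues = parse_value(raw)
            found += [f"{key}: {i}" for i in issues]
            if key == "forbidden" and mode is None and isinstance(value, list):
                missing = sorted(EXPECTED_FORBIDDEN - set(value))
                found += ["forbidden: missing " + ", ".join(missing)] if missing else []
        if found:
            report[section] = found
    return report
```

Run it against the real file with lint_lshell_conf(open("/etc/lshell.conf").read()) before handing the shell to users.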


Create a new user and change their shell

adduser lokesh

Set the password for lokesh:

passwd lokesh

Change the login shell of lokesh:

chsh lokesh


Login and check

Add an existing user to lshell

chsh linuxtopic

Login and check the default settings

su linuxtopic

Add the linuxtopic user to the network support group

usermod -aG network linuxtopic
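Once the users and the group are set up, this added Python check (not from the original post) verifies that an account really logs in through lshell and works out which configuration section governs it. It reads constructed copies of /etc/passwd, /etc/group, /etc/shells and lshell.conf, and assumes the precedence user section over group section over [default].

```python
import configparser
import io

# Constructed copies of the system files (not taken from any real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
lokesh:x:1001:1001::/home/lokesh:/usr/bin/lshell
linuxtopic:x:1002:1002::/home/linuxtopic:/usr/bin/lshell
guest:x:1003:1003::/home/guest:/bin/bash
"""
GROUP = "network:x:1010:linuxtopic\nlokesh:x:1001:\nlinuxtopic:x:1002:\n"
SHELLS = "# /etc/shells: valid login shells\n/bin/sh\n/bin/bash\n/usr/bin/lshell\n"
CONF = "[default]\nallowed : ['ls']\n[grp:network]\nallowed : + ['ping']\n[lokesh]\nallowed : ['date']\n"


def _fields(text, min_fields):
    # Colon-separated records (passwd/group layout) keyed by the name in column 1.
    rows = [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]
    return {r[0]: r for r in rows if len(r) >= min_fields}


def resolve_lshell_section(user, passwd_text, group_text, shells_text, conf_text):
    """Return (login_shell, governing section) for an lshell user: the [user] section
    if present, else the first matching [grp:...] section, else 'default' (assumed
    precedence: user over group over default). Raises ValueError when the account
    is not an lshell login."""
    passwd = _fields(passwd_text, 7)
    if user not in passwd:
        raise ValueError(f"no such user: {user}")
    shell = passwd[user][6]
    if shell.rsplit("/", 1)[-1] != "lshell":
        raise ValueError(f"{user} logs in with {shell}, not lshell")
    shells = [l.strip() for l in shells_text.splitlines() if l.strip() and not l.startswith("#")]
    if shell not in shells:
        raise ValueError(f"{shell} is not listed in /etc/shells (chsh and pam_shells check it)")
    gid = passwd[user][3]  # primary group plus supplementary membership from /etc/group
    groups = [g[0] for g in _fields(group_text, 4).values() if g[2] == gid or user in g[3].split(",")]
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(conf_text))
    if cp.has_section(user):
        return shell, user
    for g in groups:
        if cp.has_section("grp:" + g):
            return shell, "grp:" + g
    return shell, "default"
```

On a live host, pass the contents of the four real files instead of the constructed strings.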


