使用lshell构建受限的shell环境

2018年12月29日 发表评论 阅读评论

2013年我写过一篇博文《linux下自建ssh堡垒机》,其核以是通过chroot和google Authenticator实现的。最近在研究一些web ssh平台时,无意中注意到一个python写的类似于chroot限定shell产品lshell 。本篇就记录下该工具的安装和使用。

一、lshell的安装 

安装非常简单,几条命令的事,如下:

[root@361way srv]# git clone https://github.com/ghantoos/lshell
[root@361way srv]# cd lshell/
[root@361way lshell]# python setup.py install --no-compile --install-scripts=/usr/bin/

默认的配置文件是 /etc/lshell.conf文件,在任一用户下使用如下命令执行后就会进行受限shell下:

lshell --config /etc/lshell.conf

lshell

二、lshell的使用

对于一个已经存在的用户,可以通过修改shell类型的方式,将其shell类型修改为lshell,如下:

[root@361way lshell]# cat /etc/passwd|grep test
test:x:500:500::/home/test:/bin/bash
[root@361way lshell]# chsh -s /usr/bin/lshell test
Changing shell for test.
Warning: "/usr/bin/lshell" is not listed in /etc/shells.
Shell changed.
[root@361way lshell]# su - test
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
test:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
test:~$ 

使用问号输出的命令是test用户可以使用的命令,对于新建的用户,也可以直接将其shell设置为lshell,如下:

[root@361way lshell]# useradd  test1 -s /usr/bin/lshell
[root@361way lshell]# su - test1
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
test1:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo

三、lshell的配置

lshell.conf中有四部分配置,除了global全局配置外,根据配置的优先级又有如下三部分配置:

User配置
Group配置
Default配置

1、global全局配置

全局配置主要配置日志信息,日志信息可以记录用户执行过的所有操作:

logpath : config path (default is /var/log/lshell/)
loglevel : 0, 1, 2, 3 or 4 (0: no logs -> 4: logs everything)
logfilename : set log file name, e.g. %u-%y%m%d (i.e foo-20091009.log)

2、user、group、default配置

这三部分配置是,如果能在用户配置下匹配的,会到用户配置下先匹配,匹配不到的,再找组配置,组配置也匹配不上的,就使用默认配置。其参数有如下部分:

aliases : command aliases list (similar to bash's alias directive)
allowed : a list of the allowed commands or 'all' to allow all commands in user's PATH
env_path : update the environment variable $PATH of the user
forbidden : a list of forbidden character or commands
history_file : set the history filename. A wildcard can be used: %u -> username (e.g. '/home/%u/.lhistory')
history_size : set the maximum size (in lines) of the history file
home_path : set the home folder of your user. If not specified, the home_path is set to the $HOME environment variable. A wildcard can be used: %u -> username (e.g. '/home/%u') This variable will be removed in the next version of lshell, please use your system's tools to set a user's home directory.
intro : set the introduction to print at login
passwd : password of specific user
path : list of path to restrict the user geographically
overssh : list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, scp, etc.)
scp : allow or forbid the use of scp connection - set to 1 or 0
scpforce : force files sent through scp to a specific directory
scp_download : set to 0 to forbid scp downloads (default is 1)
scp_upload : set to 0 to forbid scp uploads (default is 1)
sftp : allow or forbid the use of sftp connection - set to 1 or 0
sudo_commands : a list of the allowed commands that can be used with sudo(8)
timer : a value in seconds for the session timer
strict : logging strictness. If set to 1, any unknown command is considered as forbidden, and user's warning counter is decreased. If set to 0, command is considered as unknown, and user is only warned (i.e. *** unknown synthax)
warning_counter : number of warnings when user enters a forbidden value before getting exited from lshell.

这部分具体可以参看/etc/lshell.conf里的配置示例。

四、配置示例

这里使用的是官方给出的示例,为了便于查看,这里把需求翻译成中文,如下:

用户foo:
1)可以访问/usr和/var,无法访问/usr/local
2)可以执行除了su以外的命令
3)家目录/home/users
用户bar:
1)可以访问/usr和/etc,无法访问/usr/local
2)除了default的命令还可以执行ping,无法执行ls
3)开启strict(1:表示每个unknown命令都会减少warning counter的数量;0:针对unknown命令只是提醒,不会减少warning counter的数量)

配置文件示例如下:

# CONFIGURATION START
[global]
logpath         : /var/log/lshell/
loglevel        : 2
[default]
allowed         : ['ls','pwd']
forbidden       : [';', '&', '|']
warning_counter : 2
timer           : 0
path            : ['/etc', '/usr']
env_path        : ':/sbin:/usr/foo'
scp             : 1 # or 0
sftp            : 1 # or 0
overssh         : ['rsync','ls']
aliases         : {'ls':'ls --color=auto','ll':'ls -l'}
[grp:users]
warning_counter : 5
overssh         : - ['ls']
[foo]
allowed         : 'all' - ['su']
path            : ['/var', '/usr'] - ['/usr/local']
home_path       : '/home/users'
[bar]
allowed         : + ['ping'] - ['ls']
path            : - ['/usr/local']
strict          : 1
scpforce        : '/home/bar/uploads/'
# CONFIGURATION END

五、注意事项

lshell功能总体上来说还是比较人性化和好用的,不过在使用的时候需要注意,不要把bash 、csh这类的命令赋予给用户,因为有chsh -l 输出的shell类型的权限时,其是可以进行越权的。其通过执行bash就跳到bash shell里了,lshell里设置的各项限制就对其不生效了。

参考配置文件:lshell官方wiki页




本站的发展离不开您的资助,金额随意,欢迎来赏!

You can donate through PayPal.
My paypal id: itybku@139.com
Paypal page: https://www.paypal.me/361way

分类: 安全/漏洞 标签: , ,
  1. 本文目前尚无任何评论.
  1. 本文目前尚无任何 trackbacks 和 pingbacks.