Tips and Tricks About Computers, Web Development, Linux, the Internet and the Like
Restricting a user’s shell permissions on Ubuntu Server 10.04 with lshell
Sep 27th
Posted by Tyler Mulligan in Bash
As described by apt-cache, which is where I usually begin a package search in an Ubuntu Server 10.04 environment:
z@zentury ~$ apt-cache search lshell
lshell - restricts a user's shell environment to limited sets of commands
This is an extremely useful way to restrict a Linux user's capabilities. Alternative shells, such as rssh, only let you toggle a fixed set of applications (scp, sftp, cvs, svn, rsync or rdist). A limited shell is helpful for things like backups or game/application servers, where you want the user to be able to execute only a specific set of actions. There are, however, other reasons to restrict users on a Linux-based machine.
A typical use case is provided in the lshell wiki.
Ubuntu also provides a default in /etc/lshell.conf, which serves as a good example:
# lshell.py configuration file
#
# $Id: lshell.conf,v 1.20 2009/06/09 19:53:46 ghantoos Exp $
[global]
## log directory (default /var/log/lshell/ )
logpath : /var/log/lshell/
## set log level to 0, 1, 2 or 3 (0: no logs, 1: least verbose)
loglevel : 2
## configure log file name (default is %u i.e. username.log)
#logfilename : %y%m%d-%u
[default]
## a list of the allowed commands or 'all' to allow all commands in user's PATH
allowed : ['ls','echo','cd','ll']
## a list of forbidden character or commands
forbidden : [';', '&', '|','`','>','<', '$(', '${']
## number of warnings when user enters a forbidden value before getting
## exited from lshell
warning_counter : 2
## command aliases list (similar to bash’s alias directive)
aliases : {'ll':'ls -l', 'vi':'vim'}
## a value in seconds for the session timer
#timer : 5
## list of path to restrict the user "geographicaly"
#path : ['/home/bla/','/etc']
## set the home folder of your user. If not specified the home_path is set to
## the $HOME environment variable
#home_path : '/home/bla/'
## update the environment variable $PATH of the user
#env_path : ':/usr/local/bin:/usr/sbin'
## allow or forbid the use of scp (set to 1 or 0)
#scp : 1
## allow of forbid the use of sftp (set to 1 or 0)
#sftp : 1
## list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
#overssh : ['ls', 'rsync']
## logging strictness. If set to 1, any unknown command is considered as
## forbidden, and user's warning counter is decreased. If set to 0, command is
## considered as unknown, and user is only warned (i.e. *** unknown synthax)
#strict : 1
## force files sent through scp to a specific directory
#scpforce : '/home/bla/uploads/'
If this looks like something you would like to be able to do, you can install it with apt-get:
z@zentury ~$ sudo apt-get install lshell
You can switch an existing user to the limited shell with the following command:
sudo chsh -s /usr/bin/lshell backupbot
You can add a new user with a limited shell with the following command (-m creates the home directory):
sudo useradd -m -s /usr/bin/lshell backupbot
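Once accounts are on lshell, how tight the restriction is depends entirely on /etc/lshell.conf, so it is worth checking the file whenever a section is edited. The script below is an added example, not part of the original post or of lshell itself: it parses the `key : value` format shown above and flags settings weaker than the stock file. The `[backupbot]` per-user section and its values are a constructed sample, and the three checks are this example's own choice of baseline.

```python
import ast
import configparser

# Metacharacters forbidden by the stock [default] section quoted above.
BASELINE_FORBIDDEN = {';', '&', '|', '`', '>', '<', '$(', '${'}

# Constructed sample: a hypothetical [backupbot] section that loosens the defaults.
SAMPLE_CONF = """
[global]
logpath  : /var/log/lshell/
loglevel : 0

[default]
allowed   : ['ls','echo','cd','ll']
forbidden : [';', '&', '|','`','>','<', '$(', '${']

[backupbot]
allowed   : 'all'
forbidden : [';', '&']
"""

def audit_lshell_conf(text):
    """Return (section, finding) tuples for settings weaker than the stock file."""
    cp = configparser.ConfigParser(interpolation=None)  # '%u' etc. must stay literal
    cp.read_string(text)
    findings = []
    # loglevel 0 means "no logs" according to the comment in the stock file.
    if cp.has_section('global') and cp['global'].get('loglevel', '').strip() == '0':
        findings.append(('global', 'loglevel 0 disables logging'))
    for section in cp.sections():
        if section == 'global':
            continue
        opts = cp[section]
        # Values are Python literals, so literal_eval reads them without executing code.
        if 'allowed' in opts and ast.literal_eval(opts['allowed']) == 'all':
            findings.append((section, "allowed is 'all'"))
        if 'forbidden' in opts:
            missing = BASELINE_FORBIDDEN - set(ast.literal_eval(opts['forbidden']))
            if missing:
                findings.append((section, 'forbidden lacks ' + ' '.join(sorted(missing))))
    return findings

if __name__ == '__main__':
    for section, finding in audit_lshell_conf(SAMPLE_CONF):
        print('[%s] %s' % (section, finding))
```

To check a live system, pass the contents of /etc/lshell.conf to `audit_lshell_conf()` instead of the sample string.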