\n\t\u6709\u4e9b\u7279\u6b8a\u60c5\u51b5\u4e0b\u9700\u8981\u5b9e\u73b0\u5c06\u7cfb\u7edf\u5185\u666e\u901a\u7528\u6237\u9650\u5b9a\u5728\u6307\u5b9a\u76ee\u5f55\u4e0b,\u5e76\u4e14\u53ea\u80fd\u4f7f\u7528\u7cfb\u7edf\u7ba1\u7406\u5458\u8bbe\u5b9a\u7684\u547d\u4ee4\u3002lshell\u5c31\u662f\u5b9e\u73b0\u8fd9\u6837\u529f\u80fd\u7684\u4e00\u4e2a\u795e\u5668\u3002\n<\/p>\n
\n\tlshell\u63d0\u4f9b\u4e86\u4e00\u4e2a\u9488\u5bf9\u6bcf\u4e2a\u7528\u6237\u53ef\u914d\u7f6e\u7684\u9650\u5236\u6027shell\uff0clshell\u7684\u914d\u7f6e\u6587\u4ef6\u975e\u5e38\u7684\u7b80\u5355\uff0c\u53ef\u4ee5\u548cssh\u7684authorized_keys\u6216\u8005\/etc\/shell\u3001\/etc\/passwd\u8026\u5408\u4f7f\u7528\uff0clshell\u53ef\u4ee5\u5f88\u5bb9\u6613\u7684\u4e25\u683c\u9650\u5236\u7528\u6237\u53ef\u4ee5\u8bbf\u95ee\u54ea\u4e9b\u547d\u4ee4\u3002\n<\/p>\n
\n\t\u9879\u76ee\u5730\u5740: https:\/\/github.com\/ghantoos\/lshell\n<\/p>\n
\n\tRHEL\u3001CentOS\n<\/p>\n
$ yum install lshell #EPEL\u6e90<\/pre>\n\n\tDebian\u3001Ubuntu\n<\/p>\n
$ apt-get install lshell<\/pre>\n\n\tlshell\u4f7f\u7528
\n<\/h3>\n\n
- \n
\n\t\t\tlshell\u8bed\u6cd5\u683c\u5f0f\n\t\t<\/p>\n<\/li>\n<\/ul>\n
$ lshell --help\r\nUsage: lshell [OPTIONS]\r\n --config: Config file location (default \/etc\/lshell.conf) #\u6307\u5b9a\u914d\u7f6e\u6587\u4ef6\r\n --log : Log files directory #\u6307\u5b9a\u65e5\u5fd7\u76ee\u5f55\r\n -h, --help : Show this help message #\u663e\u793a\u5e2e\u52a9\u4fe1\u606f\r\n --version : Show version #\u663e\u793a\u7248\u672c\u4fe1\u606f<\/pre>\n\n
- \n
\n\t\t\tlshell\u914d\u7f6e\n\t\t<\/p>\n<\/li>\n<\/ul>\n
\n\tLinux\u4e0b\u914d\u7f6e\u6587\u4ef6\u4e3a\/etc\/lshell.conf\n<\/p>\n
# lshell.py configuration file\r\n#\r\n# $Id: lshell.conf,v 1.27 2010\/10\/18 19:05:17 ghantoos Exp $\r\n\r\n[global]\r\n## log directory (default \/var\/log\/lshell\/ )\r\nlogpath : \/var\/log\/lshell\/\r\n## set log level to 0, 1, 2, 3 or 4 (0: no logs, 1: least verbose,\r\n## 4: log all commands)\r\nloglevel : 2\r\n## configure log file name (default is %u i.e. username.log)\r\n#logfilename : %y%m%d-%u\r\n#logfilename : syslog\r\n\r\n## in case you are using syslog, you can choose your logname\r\n#syslogname : myapp\r\n\r\n[default]\r\n## a list of the allowed commands or 'all' to allow all commands in user's PATH\r\nallowed : ['ls','echo','cd','ll']\r\n\r\n## a list of forbidden character or commands\r\nforbidden : [';', '&', '|','`','>','<', '$(', '${']\r\n\r\n## a list of allowed command to use with sudo(8)\r\n#sudo_commands : ['ls', 'more']\r\n\r\n## number of warnings when user enters a forbidden value before getting \r\n## exited from lshell, set to -1 to disable.\r\nwarning_counter : 2\r\n\r\n## command aliases list (similar to bash\u2019s alias directive)\r\naliases : {'ll':'ls -l', 'vi':'vim'}\r\n\r\n## introduction text to print (when entering lshell)\r\n#intro : \"== My personal intro ==\\nWelcome to lshell\\nType '?' or 'help' to get the list of allowed commands\"\r\n\r\n## configure your promt using %u or %h (default: username)\r\n#prompt : \"%u@%h\"\r\n\r\n## a value in seconds for the session timer\r\n#timer : 5\r\n\r\n## list of path to restrict the user \"geographicaly\"\r\n#path : ['\/home\/bla\/','\/etc']\r\n\r\n## set the home folder of your user. If not specified the home_path is set to \r\n## the $HOME environment variable\r\n#home_path : '\/home\/bla\/'\r\n\r\n## update the environment variable $PATH of the user\r\n#env_path : ':\/usr\/local\/bin:\/usr\/sbin'\r\n\r\n## add environment variables\r\n#env_vars : {'foo':1, 'bar':'helloworld'}\r\n\r\n## allow or forbid the use of scp (set to 1 or 0)\r\n#scp : 1\r\n\r\n## forbid scp upload\r\n#scp_upload : 0\r\n\r\n## forbid scp download\r\n#scp_download : 0\r\n\r\n## allow of forbid the use of sftp (set to 1 or 0)\r\n#sftp : 1\r\n\r\n## list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)\r\n#overssh : ['ls', 'rsync']\r\n\r\n## logging strictness. If set to 1, any unknown command is considered as \r\n## forbidden, and user's warning counter is decreased. If set to 0, command is\r\n## considered as unknown, and user is only warned (i.e. *** unknown synthax)\r\n#strict : 1\r\n\r\n## force files sent through scp to a specific directory\r\n#scpforce : '\/home\/bla\/uploads\/'\r\n\r\n## history file maximum size \r\n#history_size : 100\r\n\r\n## set history file name (default is \/home\/%u\/.lhistory)\r\n#history_file : \"\/home\/%u\/.lshell_history\"<\/pre>\n\n
- \n
\n\t\t\tlshell\u7684\u914d\u7f6e\u6587\u4ef6\u8be6\u89e3\n\t\t<\/p>\n<\/li>\n<\/ul>\n
\n\n\t\t\u914d\u7f6e\u6587\u4ef6\u4e00\u5171\u6709\u56db\u4e2a\u5c0f\u8282
\n[global] -lshell\u7684\u7cfb\u7edf\u914d\u7f6e(\u53ea\u80fd\u6709\u4e00\u4e2a)
\n[default] -lshell\u7684\u9ed8\u8ba4\u7528\u6237\u914d\u7f6e(\u53ea\u80fd\u6709\u4e00\u4e2a)
\n[foo] -\u6307\u5b9aUNIX\u7684\u7cfb\u7edf\u7528\u6237\u201dfoo\u201d\u7684\u7279\u522b\u7684\u914d\u7f6e
\n[grp:bar] -\u6307\u5b9aUNIX\u7528\u6237\u7ec4\u201dbar\u201d\u7684\u7279\u522b\u7684\u914d\u7f6e\n\t<\/p>\n\n\t\t\u5f53\u52a0\u8f7d\u53c2\u6570\u7684\u65f6\u5019\u9075\u5faa\u4ee5\u4e0b\u987a\u5e8f
\n1.User configuration
\n2.Group configuration
\n3.Default configuration\n\t<\/p>\n\n\t\tlogpath
\n\u65e5\u5fd7\u8def\u5f84(\u9ed8\u8ba4\u662f\/var\/log\/lshell\/)\n\t<\/p>\n\n\t\tloglevel
\n\u65e5\u5fd7\u8bb0\u5f55\u7ea7\u522b,0, 1, 2, 3 or 4 (0: no logs -4: logs everything)\n\t<\/p>\n\n\t\tlogfilename
\n\u5982\u679c\u8bbe\u7f6e\u6210syslog\u5173\u952e\u5b57\uff0c\u5219\u8868\u793a\u65e5\u5fd7\u8bb0\u5f55\u5230syslog\u4e2d
\n\u5982\u679c\u8bbe\u7f6e\u6210\u4e00\u4e2a\u6587\u4ef6\u540d, e.g. %u-%y%m%d (i.e foo-20091009.log):\n\t<\/p>\n\n\t\t%u -username
\n%d -day [1..31]
\n%m -month [1..12]
\n%y -year [00..99]
\n%h -time [00:00..23:59]\n\t<\/p>\n\n\t\tsyslogname
\n\u5982\u679c\u4f60\u6253\u7b97\u8bb0\u5f55\u8fdbsyslog\u4e2d\uff0c\u5219\u8981\u8bbe\u7f6e\u4f60\u7684syslog\u540d\u79f0\uff0c\u9ed8\u8ba4\u662flshell\n\t<\/p>\n\n\t\t[default]\u6216\u8005[username]\u6216\u8005[grp:groupname] \u4e09\u4e2a\u5c0f\u8282\u53ef\u7528\u7684\u914d\u7f6e\u9879\n\t<\/p>\n
\n\t\taliases
\n\u547d\u4ee4\u522b\u540d\n\t<\/p>\n\n\t\tallowed
\n\u4e00\u4e2a\u5141\u8bb8\u6267\u884c\u7684\u547d\u4ee4\u5217\u8868\uff0c\u6216\u8005\u8bbe\u7f6e\u6210all\uff0c\u5219\u5141\u8bb8\u5728user PATH\u4e2d\u7684\u6240\u6709\u547d\u4ee4\u53ef\u7528\n\t<\/p>\n\n\t\tallowed_cmd_path
\n\u4e00\u4e2a\u8def\u5f84\u7ec4\u6210\u7684\u5217\u8868\uff0c\u6240\u6709\u5728\u8def\u5f84\u4e2d\u7684\u53ef\u6267\u884c\u6587\u4ef6\u90fd\u88ab\u5141\u8bb8\n\t<\/p>\n\n\t\tenv_path
\n\u66f4\u65b0\u7528\u6237\u7684\u73af\u5883\u53d8\u91cfPATH\n\t<\/p>\n\n\t\tenv_vars
\n\u8bbe\u7f6e\u7528\u6237\u7684\u73af\u5883\u53d8\u91cf\n\t<\/p>\n\n\t\tforbidden
\n\u4e00\u4e2a\u975e\u6cd5\u5b57\u7b26\u6216\u8005\u547d\u4ee4\u7ec4\u6210\u7684\u5217\u8868\n\t<\/p>\n\n\t\thistory_file
\nhistory\u7684\u6587\u4ef6\u540d,%u -username (e.g. \u2018\/home\/%u\/.lhistory\u2019)\n\t<\/p>\n\n\t\thistory_size
\nhistory\u6587\u4ef6\u8bb0\u5f55\u7684maximum size(in lines)\n\t<\/p>\n\n\t\thome_path (deprecated)
\n\u9ed8\u8ba4\u662f$HOME\uff0c\u4e0d\u8d5e\u6210\u4f7f\u7528\uff0c\u4e0b\u4e00\u7248\u4f1a\u53d6\u6d88\u3002%u -username (e.g. \u2018\/home\/%u\u2019)\n\t<\/p>\n\n\t\tintro
\n\u5728\u767b\u9646\u65f6\u6253\u5370\u51fa\u5165\u95e8\u4fe1\u606f\n\t<\/p>\n\n\t\tlogin_script
\n\u7528\u6237\u767b\u9646\u65f6\u6267\u884c\u7684\u811a\u672c\n\t<\/p>\n\n\t\tpasswd
\n\u6307\u5b9a\u7528\u6237\u7684\u5bc6\u7801(\u9ed8\u8ba4\u4e3a\u7a7a)\n\t<\/p>\n\n\t\tpath
\n\u4e25\u683c\u9650\u5236\u7528\u6237\u53ef\u4ee5\u53bb\u7684\u7cfb\u7edf\u8def\u5f84\uff0c\u53ef\u4ee5\u4f7f\u7528\u901a\u914d\u7b26(e.g. \u2018\/var\/log\/ap*\u2019)\n\t<\/p>\n\n\t\tprompt
\n\u8bbe\u7f6e\u7528\u6237\u7684prompt\u683c\u5f0f(default: username)
\n%u -username
\n%h -hostname\n\t<\/p>\n\n\t\tscp
\n\u5141\u8bb8\u6216\u8005\u7981\u6b62\u4f7f\u7528scp\u8fde\u63a5(0\u7981\u6b62\u30011\u5141\u8bb8)\u3002\n\t<\/p>\n\n\t\tscpforce
\n\u5f3a\u5236\u6587\u4ef6\u901a\u8fc7scp\u4f20\u8f93\u5230\u4e00\u4e2a\u7279\u5b9a\u76ee\u5f55\n\t<\/p>\n\n\t\tscp_download
\n\u5141\u8bb8\u6216\u8005\u7981\u6b62\u4f7f\u7528scp\u4e0b\u8f7d(0\u7981\u6b62\u30011\u5141\u8bb8)\u3002\n\t<\/p>\n\n\t\tscp_upload
\n\u5141\u8bb8\u6216\u8005\u7981\u6b62\u4f7f\u7528scp\u4e0a\u4f20(0\u7981\u6b62\u30011\u5141\u8bb8,\u9ed8\u8ba4\u4e3a1)\u3002\n\t<\/p>\n\n\t\tsftp
\n\u5141\u8bb8\u6216\u8005\u7981\u6b62\u4f7f\u7528sftp\u8fde\u63a5(0\u7981\u6b62\u30011\u5141\u8bb8)\u3002\n\t<\/p>\n\n\t\tsudo_commands
\n\u4e00\u7ec4\u547d\u4ee4\u7ec4\u6210\u7684\u5217\u8868\uff0c\u7528\u6237\u53ef\u4ee5\u6267\u884csudo\n\t<\/p>\n\n\t\ttimer
\n\u4f1a\u8bdd\u7ef4\u6301\u7684\u79d2\u6570\n\t<\/p>\n\n\t\tstrict
\n\u65e5\u5fd7\u4e25\u683c\u8bb0\u5f55\uff0c\u5982\u679c\u8bbe\u7f6e\u62101\uff0c\u4efb\u4f55unknow\u7684\u547d\u4ee4\u90fd\u88ab\u7981\u6b62\uff0c\u5e76\u4e14\u964d\u4f4e\u7528\u6237\u8b66\u544a\u6570\uff0c\u5982\u679c\u8bbe\u7f6e\u62100\uff0cunknow\u547d\u4ee4\u53ea\u662f\u8b66\u544a\u3002 (i.e. *<\/em> unknown synthax)\n\t<\/p>\n\n\t\twarning_counter
\n\u8b66\u544a\u6b21\u6570\uff0c\u5982\u679c\u7528\u6237\u8fbe\u5230\u8be5\u8b66\u544a\u6b21\u6570\uff0c\u5219\u4f1a\u88ab\u5f3a\u5236\u9000\u51falshell\uff0c\u8bbe\u7f6e\u6210-1\uff0c\u5219\u7981\u6b62\u8ba1\u6570\u3002\n\t<\/p>\n<\/blockquote>\n\n
- \n
\n\t\t\tlshell\u4e0b\u59cb\u7ec8\u53ef\u4f7f\u7528\u7684\u6307\u4ee4\n\t\t<\/p>\n<\/li>\n<\/ul>\n
\u6e05\u5c4f\r\nclear\r\n\r\n\u6253\u5370\u53ef\u7528\u547d\u4ee4\r\nhelp, ?\r\n\r\n\u6253\u5370\u547d\u4ee4\u5386\u53f2\r\nhistory\r\n\r\n\u5217\u51fa\u6240\u6709\u5141\u8bb8\u548c\u7981\u6b62\u7684\u8def\u5f84\r\nlpath \r\n\r\n\u5217\u51fa\u6240\u6709\u5141\u8bb8sudo\u7684\u547d\u4ee4\r\nlsudo<\/pre>\n\n\tlshell\u5b9e\u4f8b
\n<\/h3>\n\n\t\u4e3a\u4e86\u8bb0\u5f55\u7528\u6237\u65e5\u5fd7\uff0c\u9996\u5148\u9700\u8981\u521b\u5efa\u76f8\u5173\u76ee\u5f55\n<\/p>\n
$ groupadd --system lshell\r\n$ mkdir \/var\/log\/lshell\r\n$ chown :lshell \/var\/log\/lshell\r\n$ chmod 770 \/var\/log\/lshell<\/pre>\n\n\t\u6dfb\u52a0test\u7528\u6237\n<\/p>\n
$ useradd test -d \/home\/test -s \/usr\/bin\/lshell<\/pre>\n\n\t\u7136\u540e\u589e\u52a0test\u7528\u6237\u5230lshell group\n<\/p>\n
$ usermod -aG lshell test<\/pre>\n\n\t\u6539\u53d8test\u7528\u6237\u9ed8\u8ba4shell\uff0c\u4f7f\u7528lshell\u4f5c\u4e3a\u9ed8\u8ba4shell\n<\/p>\n
$ chsh -s \/usr\/bin\/lshell test<\/pre>\n\n\t\u4fee\u6539\u914d\u7f6e\u6587\u4ef6\u8ba9test\u7528\u6237\u53ea\u80fd\u4f7f\u7528\u53d7\u9650\u547d\u4ee4\n<\/p>\n
[test]\r\nallowed : ['ls','echo','cd','ll'] ##\u5141\u8bb8\u4f7f\u7528\u7684\u547d\u4ee4\r\nhome_path : '\/home\/test' ##\u8bbe\u7f6e\u7528\u6237\u7684\u5bb6\u76ee\u5f55\r\npath : ['\/home\/test','\/tmp'] ##\u9650\u5236\u7528\u6237\u7684\u76ee\u5f55<\/pre>\n\n\thome_path\u548cpath\u6ce8\u91ca\u6389\u5219\u9650\u5236\u7528\u6237\u53ea\u80fd\u8bbf\u95ee\u81ea\u5df1\u7684\u5bb6\u76ee\u5f55\u53ca\u5176\u5b50\u76ee\u5f55\u3002\u5982\u679c\u9700\u8981\u80fd\u8bbf\u95ee\u5176\u4ed6\u76ee\u5f55\uff0c\u5219\u9700\u8981\u5728path\u4e2d\u52a0\u5165\u76f8\u5e94\u7684\u76ee\u5f55\uff0c\u5f53\u524d\u8bbe\u7f6e\u4e0b\u7528\u6237\u53ef\u4ee5\u8bbf\u95ee\u5bb6\u76ee\u5f55\u53ca\u5176\u5b50\u76ee\u5f55\uff0c\u4e5f\u53ef\u4ee5\u8bbf\u95ee\/tmp\u76ee\u5f55\u53ca\u5176\u5b50\u76ee\u5f55\uff0c\u4f46\u4e0d\u80fd\u8bbf\u95ee\u8fd9\u4ee5\u5916\u7684\u76ee\u5f55\uff0c\u6bd4\u5982\/etc\u3002\n<\/p>\n
\n\tallowed\u4e2d\u6dfb\u52a0\u6211\u4eec\u9650\u5b9a\u7528\u6237\u6240\u80fd\u4f7f\u7528\u7684\u547d\u4ee4\uff0c\u8fd9\u91cc\u9650\u5b9a\u53ea\u80fd\u4f7f\u7528ls\u3001echo\u3001cd\u3001ll\u56db\u4e2a\u547d\u4ee4\u3002\n<\/p>\n
\n\t\u6d4b\u8bd5\u767b\u9646\n<\/p>\n
$ ssh test@127.0.0.1 \r\ntest@127.0.0.1's password: \r\nYou are in a limited shell.\r\nType '?' or 'help' to get the list of allowed commands\r\ntest:~$<\/pre>\n\n\t\u547d\u4ee4\u4f7f\u7528\n<\/p>\n
test:~$ cd \/etc\r\n*** forbidden path -> \"\/etc\/\"\r\n*** You have 1 warning(s) left, before getting kicked out.\r\nThis incident has been reported.\r\n\r\ntest:~$ touch test.txt\r\n*** unknown command: touch<\/pre>\n\n\t\u53c2\u8003\u6587\u6863
\n<\/h3>\n\n\thttp:\/\/www.google.com
\nhttps:\/\/github.com\/ghantoos\/lshell
\nhttp:\/\/m.oschina.net\/blog\/337374\n<\/p>\n\n\thttp:\/\/www.ttlsa.com\/safe\/restricted-user-shell-environment\/<\/p>\n","protected":false},"excerpt":{"rendered":"
\u6709\u4e9b\u7279\u6b8a\u60c5\u51b5\u4e0b\u9700\u8981\u5b9e\u73b0\u5c06\u7cfb\u7edf\u5185\u666e\u901a\u7528\u6237\u9650\u5b9a\u5728\u6307\u5b9a\u76ee\u5f55\u4e0b,\u5e76\u4e14\u53ea\u80fd\u4f7f\u7528\u7cfb\u7edf\u7ba1\u7406\u5458\u8bbe\u5b9a\u7684\u547d\u4ee4\u3002lshell\u5c31\u662f\u5b9e\u73b0\u2026 Read More »<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-746","post","type-post","status-publish","format-standard","hentry","category-os"],"_links":{"self":[{"href":"https:\/\/www.shuran.cn\/index.php?rest_route=\/wp\/v2\/posts\/746","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shuran.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shuran.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shuran.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shuran.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=746"}],"version-history":[{"count":4,"href":"https:\/\/www.shuran.cn\/index.php?rest_route=\/wp\/v2\/posts\/746\/revisions"}],"predecessor-version":[{"id":770,"href":"https:\/\/www.shuran.cn\/index.php?rest_route=\/wp\/v2\/posts\/746\/revisions\/770"}],"wp:attachment":[{"href":"https:\/\/www.shuran.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=746"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shuran.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=746"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shuran.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=746"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}