# lshell.py configuration file
#
# $Id: lshell.conf,v 1.27 2010-10-18 19:05:17 ghantoos Exp $
[global]
## Settings in this section cover lshell as a whole: logging, the noexec
## library path and additional configuration files.
## log directory (default /var/log/lshell/ )
logpath : /var/log/lshell/
## set log level to 0, 1, 2, 3 or 4 (0: no logs, 1: least verbose,
## 4: log all commands)
## NOTE(review): per the scale above, only level 4 is documented as logging
## every command. If these logs are meant to serve as an audit trail, confirm
## that level 2 records enough.
loglevel : 2
## configure log file name (default is %u i.e. username.log)
#logfilename : %y%m%d-%u
#logfilename : syslog
## in case you are using syslog, you can choose your logname
#syslogname : myapp
## Path to the sudo noexec library. The path is usually autodetected; set this
## variable only to use an alternate path. If it is set and the shared object
## is not found, lshell exits immediately. If it is left unset, check your
## logs to verify that a standard path was detected.
##
## Although this should not be common practice, setting this variable to an
## empty string disables the LD_PRELOAD prepend on commands. Do this at your
## own risk: lshell then becomes easy to breach with commands such as find(1)
## and its -exec flag.
#path_noexec : /usr/libexec/sudo_noexec.so
## include a directory containing multiple configuration files. These files
## can only contain default/user/group configuration; the global configuration
## is only loaded from the default configuration file.
## e.g. splitting users into separate files
## NOTE(review): every file matched by this glob can define what users are
## allowed to run, so the directory and its files should be writable only by
## the administrator.
#include_dir : /etc/lshell.d/*.conf
[default]
## Restrictions applied to restricted users: allowed and forbidden input,
## sudo/scp/sftp access, path limits and session behaviour.
## NOTE(review): presumably this is the baseline that user and group sections
## override -- confirm the precedence in the lshell manual.
##
## a list of the allowed commands without execution privileges or 'all' to
## allow all commands in user's PATH
##
## if sudo(8) is installed and sudo_noexec.so is available, it will be loaded
## before running every command, preventing it from running further commands
## itself. If not available, beware of commands like vim/find/more/etc. that
## will allow users to execute code (e.g. /bin/sh) from within the application,
## thus easily escaping lshell. See variable 'path_noexec' to use an alternative
## path to library.
##
## NOTE(review): 'll' appears to refer to the alias defined in 'aliases' below.
## Prefer an explicit list over 'all': with 'all', the set of permitted
## commands follows the user's PATH instead of being reviewed here.
allowed : ['ls', 'echo','ll']
## A list of the allowed commands that are permitted to execute other
## programs (e.g. shell scripts with exec(3)). Setting this variable to 'all'
## is NOT allowed. Warning: do not put here any command that can execute
## arbitrary commands (e.g. find, vim, xargs)
##
## Important: commands defined in 'allowed_shell_escape' override their
## definition in the 'allowed' variable
#allowed_shell_escape : ['man','zcat']
## a list of forbidden characters or commands
## The default rejects command separators, backgrounding, pipes, backticks,
## redirection and the '$(' / '${' expansion forms.
## NOTE(review): this is a denylist, so it only blocks what is listed; the
## 'allowed' list remains the primary control and should be kept minimal.
forbidden : [';', '&', '|','`','>','<', '$(', '${']
## a list of allowed commands to use with sudo(8)
## if set to 'all', all the 'allowed' commands will be accessible through sudo(8)
## NOTE(review): everything listed here runs with the privileges granted by
## sudo; keep the list as short as possible and review 'allowed' before
## using 'all'.
#sudo_commands : ['ls', 'more']
## number of warnings when user enters a forbidden value before getting
## exited from lshell, set to -1 to disable.
## With -1 the user is never exited for entering forbidden values.
warning_counter : 2
## command aliases list (similar to bash's alias directive)
aliases : {'ll':'ls -l'}
## introduction text to print (when entering lshell)
#intro : "== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"
## configure your prompt using %u or %h (default: username)
#prompt : "%u@%h"
## set short prompt current directory update (default: 0)
#prompt_short : 0
## a value in seconds for the session timer
#timer : 5
## list of paths to restrict the user "geographically"
## warning: many commands like vi and less allow users to break this
## restriction, so do not rely on it alone when such commands are allowed
#path : ['/home/bla/','/etc']
## set the home folder of your user. If not specified the home_path is set to
## the $HOME environment variable
#home_path : '/home/bla/'
## update the environment variable $PATH of the user
## NOTE(review): when 'allowed' is set to 'all', every directory added to
## $PATH here presumably widens the set of permitted commands -- confirm.
#env_path : ':/usr/local/bin:/usr/sbin'
## a list of paths; all executable files inside these paths will be allowed
## NOTE(review): since every executable found there is allowed, these
## directories should not be writable by the restricted user.
#allowed_cmd_path: ['/home/bla/bin','/home/bla/stuff/libexec']
## add environment variables
#env_vars : {'foo':1, 'bar':'helloworld'}
## allow or forbid the use of scp (set to 1 or 0)
#scp : 1
## forbid scp upload
#scp_upload : 0
## forbid scp download
#scp_download : 0
## allow or forbid the use of sftp (set to 1 or 0)
## this option will not work if you are using OpenSSH's internal-sftp service
#sftp : 1
## list of commands allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
#overssh : ['ls', 'rsync']
## logging strictness. If set to 1, any unknown command is considered as
## forbidden, and user's warning counter is decreased. If set to 0, command is
## considered as unknown, and user is only warned (i.e. *** unknown synthax)
strict : 0
## force files sent through scp to a specific directory
#scpforce : '/home/bla/uploads/'
## Enable support for WinSCP with scp mode (NOT sftp)
## When enabled, the following parameters will be overridden:
## - scp_upload: 1 (uses scp(1) from within session)
## - scp_download: 1 (uses scp(1) from within session)
## - scpforce - Ignore (uses scp(1) from within session)
## - forbidden: -[';']
## - allowed: +['scp', 'env', 'pwd', 'groups', 'unset', 'unalias']
## NOTE(review): as listed above, enabling this removes ';' from 'forbidden',
## adds commands to 'allowed' and ignores 'scpforce'. It loosens the
## restrictions set elsewhere in this file, so enable it only for the users
## who need WinSCP.
#winscp: 0
## history file maximum size
#history_size : 100
## set history file name (default is /home/%u/.lhistory)
#history_file : "/home/%u/.lshell_history"
## define the script to run at user login
## NOTE(review): the script should not be writable by the restricted user.
#login_script : "/path/to/myscript.sh"
## disable user exit, this could be useful when lshell is spawned from another
## non-restricted shell (e.g. bash)
#disable_exit : 0