Sometimes, in otherwise restricted Linux environments, system administrators need to give shell access to users to accomplish certain tasks. Yet from the shell, savvy users can do almost anything on a system. One tool that can help resolve the conflict is lshell, a shell that lets you restrict a user or group’s environment to a limited sets of path and commands. Using lshell, an administrator can give a user who need, for instance, SSH access, only the commands he needs, without setting up a chroot environment or playing with system rights and ACLs. Everything is set up and controlled through one configuration file.
Developer Ignace Mouzannar created lshell more than two years ago when he needed to grant a router SSH access to one of his servers so it could update some DNS fields then disconnect. “I started searching on the web for an application that would allow me to restrict a user’s SSH connection in time while offering him just a couple of commands, but I was unable to spot anything interesting, so I started coding lshell. I had just discovered Python and was (still am) under its charm, so I wrote lshell in that language, using Vim and IPython.”
Mouzannar has engineered lshell with some clever features. “One cool thing is the way it deals with SCP connections. Not only can you allow or forbid SCP connections, you can also set up ‘download only’ or ‘upload only’ accounts, or even force the target path of the SCP connections. Another handy feature is the ability to set a maximum time for a user’s connection, after which he gets disconnected. lshell also logs all the warnings given to the users (e.g. when executing a forbidden command, changing to a restricted directory, etc.), and it can also log all the commands issued by a user, which can sometimes come in handy for sysadmins.”
However, the utility isn’t completely bulletproof yet, Mouzannar says. “When you connect through SFTP (if you’re allowed to), lshell spawns the SFTP subsystem shipped with OpenSSH, and therefore cannot restrict its content. I am working on integrating an SFTP server with lshell using the Python Paramiko module in order to add the ‘restricted SFTP’ feature.
“I would be glad to have some help on any part of the project, and especially for the SFTP server. I am open to any suggestions about anything that could take this project forward. The best place to have these kind of discussions is on the forum on lshell’s SourceForge.net page.”