Configuration
lshell needs a configuration file to start. By default, you can find lshell.conf in:
on Linux : /etc/lshell.conf
on *BSD : /usr/{pkg,local}/etc/lshell.conf
lshell configuration file includes 4 possible sections:
[global] : lshell system configuration (applies to all users, mandatory)
[default] : lshell default user configuration (applies to all users)
[blah] : UNIX username "blah" specific configuration (applies only to user blah, more than one [user] section can be added)
[grp:blahgroup] : UNIX groupname "blahgroup" specific configuration (applies only to users in the blahgroup group, more than one [grp:groupname] section can be added)
[global] Section
This section sets lshell functional variables:
logpath : log directory path (default is /var/log/lshell/)
loglevel : 0, 1, 2, 3 or 4 (0: no logs -> 4: logs everything)
logfilename : set log file name, e.g. %u-%y%m%d (i.e foo-20091009.log)
%u : username
%d : day [1..31]
%m : month [1..12]
%y : year [00..99]
%h : time [00:00..23:59]
[default], [username] and [grp:groupname] Sections
These 3 types of sections are configured using the same keys. The order of priority when loading preferences is the following:
1. User configuration
2. Group configuration
3. Default configuration
This means that the [username] section overrides the [grp:groupname] section, which overrides the [default] section. (if this is clear..)
Here is the list of the keys used to configure every section:
allowed : a list of the allowed commands or 'all' to allow all commands in user's PATH
forbidden : a list of forbidden characters or commands
warning_counter : number of warnings a user gets for entering a forbidden value before being exited from lshell.
timer : a value in seconds for the session timer
passwd : password of specific user
path : list of paths to restrict the user "geographically"
home_path : set the home folder of your user. If not specified, the home_path is set to the $HOME env. variable
env_path : update the environment variable $PATH of the user
scp : allow or forbid the use of scp connection - set to 1 or 0
sftp : allow or forbid the use of sftp connection - set to 1 or 0
overssh : list of commands allowed to execute over ssh (e.g. rsync, rdiff-backup, scp, etc.)
strict : logging strictness. If set to 1, any unknown command is considered as forbidden, and the warning counter is decreased. If set to 0, command is considered as unknown
scpforce : force files sent through scp to a specific directory
aliases : dict of command aliases (similar to bash’s alias directive)
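
To audit which restrictions a given account actually ends up with, the priority order described above ([username] over [grp:groupname] over [default]) can be modelled in a few lines. This is an added example, not lshell's own code: the sample configuration is constructed, the function name effective_settings is hypothetical, values are assumed to be written as Python literals, and the tie-break between several groups is an assumption.

```python
import ast
import configparser

# Constructed sample configuration (not taken from the page or from lshell).
SAMPLE_CONF = """
[global]
logpath : /var/log/lshell/
loglevel : 2
logfilename : %u-%y%m%d

[default]
allowed : ['ls', 'cd', 'echo']
forbidden : [';', '&', '|', '>', '<']
warning_counter : 2
strict : 0
sftp : 0

[grp:blahgroup]
allowed : ['ls', 'cd', 'echo', 'rsync']
sftp : 1

[blah]
strict : 1
warning_counter : 1
"""

def effective_settings(conf_text, user, groups):
    """Return {key: (value, source_section)} for `user`, applying the
    page's priority: [user] over [grp:group] over [default]."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %u, %y literal
    cp.read_string(conf_text)
    # Lowest priority first, so later sections overwrite earlier ones.
    # Assumption: with several groups, the first group listed wins.
    order = ["default"] + [f"grp:{g}" for g in reversed(groups)] + [user]
    result = {}
    for section in order:
        if not cp.has_section(section):
            continue
        for key, raw in cp.items(section):
            result[key] = (ast.literal_eval(raw), section)
    return result

if __name__ == "__main__":
    eff = effective_settings(SAMPLE_CONF, "blah", ["blahgroup"])
    for key, (value, src) in sorted(eff.items()):
        print(f"{key:16} {value!r:45} from [{src}]")
```

The source section printed next to each key shows where a permissive value comes from, for example a group section re-enabling sftp that [default] had turned off.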