Linux: how to restrict the commands a user can run

On Linux, to restrict which commands a user can execute, you can use either an environment-variable script or the lshell tool.

The environment-variable approach

Put a script under /etc/profile.d/; the scripts there are sourced at every user's login, so that is where the environment gets set up.
The script checks the current user, and root is left unrestricted.

vim /etc/profile.d/login.sh

#!/bin/bash
m=$(whoami)

if [[ "${m}" != "root" ]]; then
    # login banner for non-root users: the account name, and a reminder of which hosts they may reach
    echo -e "\e[01;33m* ** 你目前登录的账户是: \e[01;31m$LOGNAME\e[00m ** \e[00m"
    echo -e "\e[01;33m* ** 可以登入你申请的主机\e[00m"
    # rebuild $HOME/bin so it holds symlinks to the only commands this user may run
    mkdir -p "$HOME/bin"
    rm -f "$HOME"/bin/*
    ln -s /bin/ls "$HOME/bin"
    ln -s /bin/ping "$HOME/bin"
    ln -s /usr/bin/ssh "$HOME/bin/"
    # ln -s /usr/bin/ssh-copy-id "$HOME/bin/"
    ln -s /usr/bin/ssh-keygen "$HOME/bin/"
    ln -s /usr/bin/expect "$HOME/bin/"
    ln -s /bin/grep "$HOME/bin/"
    # write the profile for the restricted shell: timestamped history and a PATH limited to $HOME/bin
    # (the heredoc delimiter is unquoted, so $HOME is expanded now, when the file is written)
    cat << EOF > "$HOME/.newbash_profile"
HISTFILESIZE=500000000
HISTSIZE=99999999
HISTTIMEFORMAT="%Y/%m/%d_%H:%M:%S :"
PATH=$HOME/bin
#export TMOUT=600
export PATH
EOF
    chown "${m}:${m}" "$HOME/.newbash_profile"
    # replace the login shell with a restricted bash that reads only our profile
    exec bash --restricted --noprofile --rcfile "$HOME/.newbash_profile"
fi

Symlink the commands the user is allowed to run into the bin directory under the user's home; with PATH limited to that directory, the user can run only those specific commands.

exec bash --restricted --noprofile --rcfile $HOME/.newbash_profile 

This line starts bash in restricted mode, skips the system default profile files, and instead loads the profile we defined, $HOME/.newbash_profile.

The same command can also be placed in $HOME/.ssh/authorized_keys, prefixed to the key entry as a forced command:
command="bash --restricted --noprofile --rcfile $HOME/.newbash_profile" ssh-rsa ......
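As an added example (not code from the article), the following script reproduces the layout login.sh creates, a HOME whose bin/ holds only symlinks to the permitted tools, inside a temporary directory, and then checks that restricted bash really enforces what this approach relies on: PATH cannot be reassigned, a command cannot be named by path, and cd and output redirection are refused. It assumes bash and GNU coreutils (mktemp, env) are installed; because --rcfile is read only by interactive shells, the test commands are run with -c and the PATH the profile would set is passed in directly. All function names are mine.

```shell
#!/bin/sh
# Added example, not part of the article: reproduce the login.sh layout in a
# temporary HOME and verify that restricted bash enforces the restrictions.
# Assumes bash and GNU coreutils; tool paths come from `command -v`.

# Create the sandbox HOME with symlinks to ls and grep only; print its path.
setup_restricted_home() {
    home=$(mktemp -d) || return 1
    mkdir -p "$home/bin"
    ln -s "$(command -v ls)" "$home/bin/ls"
    ln -s "$(command -v grep)" "$home/bin/grep"
    printf 'PATH=%s/bin\nexport PATH\n' "$home" > "$home/.newbash_profile"
    printf '%s\n' "$home"
}

# Run one command line in restricted bash with a clean environment and only
# the sandbox PATH. --rcfile is read only by interactive shells, so for -c we
# pass the PATH the profile would set; stderr is merged to check messages.
run_restricted() {
    env -i HOME="$1" PATH="$1/bin" "$(command -v bash)" \
        --restricted --noprofile --norc -c "$2" 2>&1
}

# Succeed if restricted bash rejects command $2 with a message containing $3.
rejects() {
    out=$(run_restricted "$1" "$2" || true)
    case $out in *"$3"*) return 0 ;; *) return 1 ;; esac
}

# Return 0 only if every restriction holds: the permitted command runs, while
# reassigning PATH, a '/' in a command name, cd and redirection are refused.
verify_restrictions() {
    run_restricted "$1" 'ls "$HOME/bin"' | grep -qx ls || return 1
    rejects "$1" 'PATH=/usr/bin'    'readonly'   || return 2
    rejects "$1" '/bin/ls'          'restricted' || return 3
    rejects "$1" 'cd /'             'restricted' || return 4
    rejects "$1" 'ls > "$HOME/x"'   'restricted' || return 5
}

sandbox=$(setup_restricted_home)
if verify_restrictions "$sandbox"; then
    echo "all restrictions enforced (sandbox: $sandbox)"
else
    echo "restriction check $? failed"
fi
rm -rf "$sandbox"
```

It needs no root and touches nothing outside the mktemp directory, so it can be run on a host before the login.sh approach is rolled out there.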

The lshell tool

You can also install lshell to restrict user commands; beyond the commands a user may run, it can also restrict the directories the user may access, and more.

lshell on GitHub: https://github.com/ghantoos/lshell

Installation

yum install lshell  # needs the EPEL repository

Using lshell

$ lshell --help
Usage: lshell [OPTIONS]
--config <file> : Config file location (default /etc/lshell.conf) # specify the config file
--log <dir> : Log files directory # specify the log directory
-h, --help : Show this help message # show this help
--version : Show version # show the version

Configuration file
The configuration file is divided into:

  • User configuration
  • Group configuration
  • Default configuration

Here is the example from the project page; it is straightforward:

# CONFIGURATION START
[global]
logpath : /var/log/lshell/
loglevel : 2

[default]
allowed : ['ls','pwd']
forbidden : [';', '&', '|']
warning_counter : 2
timer : 0
path : ['/etc', '/usr']
env_path : ':/sbin:/usr/foo'
scp : 1 # or 0
sftp : 1 # or 0
overssh : ['rsync','ls']
aliases : {'ls':'ls --color=auto','ll':'ls -l'}

[grp:users]
warning_counter : 5
overssh : - ['ls']

[foo]
allowed : 'all' - ['su']
path : ['/var', '/usr'] - ['/usr/local']
home_path : '/home/users'

[bar]
allowed : + ['ping'] - ['ls']
path : - ['/usr/local']
strict : 1
scpforce : '/home/bar/uploads/'
# CONFIGURATION END

A simple case from my own use:

[root@test00 ~]# cat /etc/lshell.conf 
# lshell.py configuration file
#
# $Id: lshell.conf,v 1.27 2010/10/18 19:05:17 ghantoos Exp $

[global]
## log directory (default /var/log/lshell/ )
logpath : /var/log/lshell/
## set log level to 0, 1, 2, 3 or 4 (0: no logs, 1: least verbose,
## 4: log all commands)
loglevel : 2
## configure log file name (default is %u i.e. username.log)
#logfilename : %y%m%d-%u
#logfilename : syslog

## in case you are using syslog, you can choose your logname
#syslogname : myapp

[default]
## a list of the allowed commands or 'all' to allow all commands in user's PATH
allowed : ['ls','echo','cd','ll']

## a list of forbidden character or commands
#forbidden : [';', '&', '|','`','>','<', '$(', '${']
forbidden : ['>','<', '$(', '${']

## a list of allowed command to use with sudo(8)
#sudo_commands : ['ls', 'more']

## number of warnings when user enters a forbidden value before getting
## exited from lshell, set to -1 to disable.
warning_counter : 2

## command aliases list (similar to bash’s alias directive)
aliases : {'ll':'ls -l', 'vi':'vim'}

## introduction text to print (when entering lshell)
intro : "线上环境请谨慎执行命令\n执行help或者?\n列出可执行的命令\n执行lpath\n查看允许访问的路径"

## configure your promt using %u or %h (default: username)
prompt : "%u@%h"

## a value in seconds for the session timer
timer : 0

## list of path to restrict the user "geographicaly"
#path : ['/home/bla/','/etc']

## set the home folder of your user. If not specified the home_path is set to
## the $HOME environment variable
#home_path : '/home/bla/'

## update the environment variable $PATH of the user
env_path : ':/usr/local/bin:/usr/sbin:/bin'

## add environment variables
#env_vars : {'foo':1, 'bar':'helloworld'}

## allow or forbid the use of scp (set to 1 or 0)
#scp : 1

## forbid scp upload
#scp_upload : 0

## forbid scp download
#scp_download : 0

## allow of forbid the use of sftp (set to 1 or 0)
#sftp : 1

## list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
overssh : ['ls','sed','cp','mkdir','date','>',';','&&' ]

## logging strictness. If set to 1, any unknown command is considered as
## forbidden, and user's warning counter is decreased. If set to 0, command is
## considered as unknown, and user is only warned (i.e. *** unknown synthax)
#strict : 1

## force files sent through scp to a specific directory
#scpforce : '/home/bla/uploads/'

## history file maximum size
history_size : 9999

## set history file name (default is /home/%u/.lhistory)
#history_file : "/home/%u/.lshell_history"

[rd]
allowed : [ 'ls','cd','ll','ifconfig','less','echo','ip','>','date','grep','cat','awk','|','telnet','ps','ping','netstat','more','jps','free','du','df','top','tail','sed','curl','date','iostat','iotop','pwd','diff','uptime','hostname','nslookup' ]
home_path : '/home/rd' # the user's home directory
env_path : ':/usr/local/bin:/usr/sbin:/sbin:/bin:/usr/local/sbin:/usr/bin'
path : [ '/home/testdir','/home/rd' ] # directories the user is allowed to access

#forbidden : [';', '&', '|','`','>','<', '$(', '${']
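Note that the [rd] section above puts '>' and '|' into its allowed list while [default]'s forbidden list blocks '>', and it lists 'date' twice. As an added example (not from the article or from lshell), the following lint reads one section's allowed list out of an lshell.conf and reports shell operators and duplicated commands; it runs on a constructed excerpt that mirrors that section, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the article or lshell: lint one section's `allowed`
# list in an lshell.conf for shell operators and duplicated commands.

# Constructed sample config in lshell's format (not a file on the system).
sample_conf() {
    cat <<'EOF'
[default]
allowed : ['ls','echo','cd','ll']
forbidden : ['>','<', '$(', '${']

[rd]
allowed : [ 'ls','cd','>','date','grep','|','ps','date' ]
path : [ '/home/testdir','/home/rd' ]   # directories the user may access
EOF
}

# Print the raw value of key $2 in section [$1] of the config read on stdin,
# minus any trailing "# comment".
conf_get() {
    awk -v sec="[$1]" -v key="$2" '
        /^\[/ { insec = (substr($0, 1, length(sec)) == sec) }
        insec && match($0, "^" key "[ \t]*:") {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); print; exit
        }'
}

# Turn a Python-style list literal on stdin into one bare item per line.
list_items() {
    tr -d "[]'\"" | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$'
}

# Report operators and duplicates in [$1]'s allowed list (config on stdin).
# Returns 1 if anything was flagged, 0 if the list is clean.
lint_allowed() {
    found=0
    items=$(conf_get "$1" allowed | list_items)
    for item in $items; do
        case $item in
            '>'|'<'|'|'|';'|'&'|'&&'|'||'|'`'|'$('|'${')
                echo "[$1] allowed: '$item' is a shell operator, not a command"; found=1 ;;
        esac
    done
    dups=$(printf '%s\n' "$items" | sort | uniq -d)
    [ -z "$dups" ] || { echo "[$1] allowed: listed more than once: $dups"; found=1; }
    return $found
}

sample_conf | lint_allowed rd    # flags '>', '|' and the repeated 'date'
```

Pipe the real file in instead (`lint_allowed rd < /etc/lshell.conf`) to check the live configuration after each edit.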

Change the user's shell to lshell

usermod rd -s /usr/bin/lshell

chsh -s /usr/bin/lshell rd

# or, for a new user:
useradd rd -d /home/rd -s /usr/bin/lshell

Add the user to the lshell group (makes logging easier)

usermod -aG lshell rd

Logging setup (I did not use this):

groupadd --system lshell
mkdir /var/log/lshell
chown :lshell /var/log/lshell
chmod 770 /var/log/lshell

Note: lshell does not need to be restarted; you can edit the configuration file at any time, and it takes effect the next time the user logs in.
