利用 lshell 来构建一个受限的用户 SHELL 环境

$ yum install lshell #EPEL源

$ apt-get install lshell

$ lshell --help
Usage: lshell [OPTIONS]
  --config <file> : Config file location (default /etc/lshell.conf)  #指定配置文件
  --log    <dir>  : Log files directory                              #指定日志目录
  -h, --help      : Show this help message                           #显示帮助信息
  --version       : Show version                                     #显示版本信息

# lshell.py configuration file
#
# $Id: lshell.conf,v 1.27 2010/10/18 19:05:17 ghantoos Exp $

[global]
##  log directory (default /var/log/lshell/ )
logpath         : /var/log/lshell/
##  set log level to 0, 1, 2, 3 or 4  (0: no logs, 1: least verbose,
##                                                 4: log all commands)
loglevel        : 2
##  configure log file name (default is %u i.e. username.log)
#logfilename     : %y%m%d-%u
#logfilename     : syslog

##  in case you are using syslog, you can choose your logname
#syslogname      : myapp

[default]
##  a list of the allowed commands or 'all' to allow all commands in user's PATH
allowed         : ['ls','echo','cd','ll']

##  a list of forbidden character or commands
forbidden       : [';', '&', '|','`','>','<', '$(', '${']

##  a list of allowed command to use with sudo(8)
#sudo_commands   : ['ls', 'more']

##  number of warnings when user enters a forbidden value before getting 
##  exited from lshell, set to -1 to disable.
warning_counter : 2

##  command aliases list (similar to bash’s alias directive)
aliases         : {'ll':'ls -l', 'vi':'vim'}

##  introduction text to print (when entering lshell)
#intro           : "== My personal intro ==\nWelcome to lshell\nType '?' or 'help' to get the list of allowed commands"

##  configure your promt using %u or %h (default: username)
#prompt          : "%u@%h"

##  a value in seconds for the session timer
#timer           : 5

##  list of path to restrict the user "geographicaly"
#path            : ['/home/bla/','/etc']

##  set the home folder of your user. If not specified the home_path is set to 
##  the $HOME environment variable
#home_path       : '/home/bla/'

##  update the environment variable $PATH of the user
#env_path        : ':/usr/local/bin:/usr/sbin'

##  add environment variables
#env_vars        : {'foo':1, 'bar':'helloworld'}

##  allow or forbid the use of scp (set to 1 or 0)
#scp             : 1

## forbid scp upload
#scp_upload       : 0

## forbid scp download
#scp_download     : 0

##  allow of forbid the use of sftp (set to 1 or 0)
#sftp            : 1

##  list of command allowed to execute over ssh (e.g. rsync, rdiff-backup, etc.)
#overssh         : ['ls', 'rsync']

##  logging strictness. If set to 1, any unknown command is considered as 
##  forbidden, and user's warning counter is decreased. If set to 0, command is
##  considered as unknown, and user is only warned (i.e. *** unknown synthax)
#strict          : 1

##  force files sent through scp to a specific directory
#scpforce        : '/home/bla/uploads/'

##  history file maximum size 
#history_size     : 100

##  set history file name (default is /home/%u/.lhistory)
#history_file     : "/home/%u/.lshell_history"

清屏
clear

打印可用命令
help, ?

打印命令历史
history

列出所有允许和禁止的路径
lpath 

列出所有允许sudo的命令
lsudo

$ groupadd --system lshell
$ mkdir /var/log/lshell
$ chown :lshell /var/log/lshell
$ chmod 770 /var/log/lshell

$ useradd test -d /home/test -s /usr/bin/lshell

$ usermod -aG lshell test

$ chsh -s /usr/bin/lshell test

[test]
allowed         : ['ls','echo','cd','ll']      ##允许使用的命令
home_path       : '/home/test'                 ##设置用户的家目录
path            : ['/home/test','/tmp']             ##限制用户的目录

$ ssh test@127.0.0.1                                                    
test@127.0.0.1's password: 
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
test:~$

test:~$ cd /etc
*** forbidden path -> "/etc/"
*** You have 1 warning(s) left, before getting kicked out.
This incident has been reported.

test:~$ touch test.txt
*** unknown command: touch