/etc/localshell.conf

From Research
Revision as of 04:46, 5 March 2011 by Gordp
# localshell.conf
# $Header: /var/cvsroot/infrastructure/localshellc/doc/localshell.conf.complex,v 1.1 2005/07/18 02:21:26 robbat2 Exp $
# This file describes the behavior of localshell as a complete real-world
# example.

# comments start with a '#' in the first column only
# blank lines are ignored.  every other line is parsed exactly as is,
# whitespace IS significant. the format of this file resembles shell scripts,
# but NO special interpretation is done.
# so the format is:
# VARNAME="VARCONTENTS"
# and the surrounding '"' are stripped.
# each of these variables has a structure as such
# [USER]:[GROUP],VALUE
# where user and group can be either a numeric UID/GID or a name to be resolved
# via NSS. For the purposes of matching, the GID is checked against both the
# primary group of the current user, and the additional groups of the current
# user. 

# every specific entry needs three parts after the [USER]:[GROUP] selector
# so the full format is:
# entry="[USER]:[GROUP],PRIORITY,SHELL,ALLOWED_CMDS"
# i.e. priority, shell, allowed_cmds
# - priority takes a signed 32-bit integer. higher priorities take precedence
# - the shell field has two special cases: If 'LOCALSHELL' is specified,
# the user's preferred_shell_file is checked to see what shell they would want
# to use for being let in. If 'DEFAULTSHELL' is specified, this shell is
# enforced on the user.
# - allowed_cmds takes a regular expression that is matched against the
# command arguments to see which are allowed.
entry=":infrastructure,10000,LOCALSHELL,"

# SVN and CVS require that the user has a real shell
# but we still want to limit what commands they can run.
# so this is how you go about it.
# note that '^svn' is not safe as they could find some other command starting with 'svn' to abuse.
##entry=":ePortfolio,6000,LOCALSHELL,"
entry=":users,5000,/bin/bash,"

# if you wanted to allow everybody in
# you could use this
#entry=":,-2147483647,LOCALSHELL,"

# this is the default entry
# it should always exist!
# it enforces that for any case that doesn't match above (lowest priority),
# the user gets the default shell, and is allowed to specify arguments.
# force secure alternative
entry=":,-2147483647,/bin/false,^$"

# these are defaults for the system
# they are implicitly included if deleted here.

# preferred_shell_file is where to look for the shell that a user would prefer.
preferred_shell_file=":,~/.localshellrc"
# default_preferred_shell is what you get if you don't have a
# preferred_shell_file, and your shell field says 'LOCALSHELL'
# (i.e. if the user hasn't specified a preferred shell).
default_preferred_shell=":,/bin/bash"
# enforce /bin/false as a safe shell to block users.
default_shell=":,/bin/false"

# sure, this is cheating, but it looks good.
# vim: set ft=sh:
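As an added illustration of how the rules above combine (this is not localshell's own code, which is written in C), the following Python model parses the entries and defaults from this file, picks the highest-priority entry that matches a user or one of their groups, resolves LOCALSHELL/DEFAULTSHELL through preferred_shell_file, default_preferred_shell and default_shell, and searches the command against allowed_cmds. The account table, the ~/.localshellrc contents and the /home layout are constructed stand-ins for NSS and the filesystem; tie-breaking on equal priority (first entry wins) is an assumption the page does not specify.

```python
import re
from dataclasses import dataclass

# Constructed copy of the entries and defaults from the page above.
SAMPLE_CONF = '''# comments only in the first column
entry=":infrastructure,10000,LOCALSHELL,"
entry=":users,5000,/bin/bash,"
entry=":,-2147483647,/bin/false,^$"

preferred_shell_file=":,~/.localshellrc"
default_preferred_shell=":,/bin/bash"
default_shell=":,/bin/false"
'''

# Constructed stand-in for NSS: every group (primary plus supplementary) is
# listed by name and by numeric GID, because a selector may use either form.
ACCOUNTS = {
    "alice":  {"uid": 1001,  "groups": {"alice", "1001", "users", "100", "infrastructure", "500"}},
    "carol":  {"uid": 1003,  "groups": {"carol", "1003", "infrastructure", "500"}},
    "bob":    {"uid": 1002,  "groups": {"bob", "1002", "users", "100"}},
    "nobody": {"uid": 65534, "groups": {"nogroup", "65534"}},
}

# Constructed contents of users' ~/.localshellrc files (only alice has one).
PREFERRED_FILES = {"/home/alice/.localshellrc": "/bin/zsh\n"}

# The page says these three settings are implicitly included if deleted.
IMPLICIT_DEFAULTS = {
    "preferred_shell_file": "~/.localshellrc",
    "default_preferred_shell": "/bin/bash",
    "default_shell": "/bin/false",
}


@dataclass
class Entry:
    user: str
    group: str
    priority: int
    shell: str
    allowed_cmds: str


@dataclass
class Setting:
    user: str
    group: str
    value: str


def parse_conf(text):
    """Parse VARNAME="[USER]:[GROUP],..." lines; '#' lines and blank lines are skipped."""
    entries, settings = [], {}
    for line in text.splitlines():
        if line == "" or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        # only the surrounding quotes are stripped; everything else is taken as is
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        selector, _, rest = value.partition(",")
        user, _, group = selector.partition(":")
        if name == "entry":
            prio, shell, allowed = rest.split(",", 2)  # regex may itself contain commas
            entries.append(Entry(user, group, int(prio), shell, allowed))
        else:
            settings.setdefault(name, []).append(Setting(user, group, rest))
    return entries, settings


def selector_matches(user, group, account_name):
    """Empty user/group means 'any'; group is checked against primary and supplementary groups."""
    acct = ACCOUNTS[account_name]
    if user and user not in (account_name, str(acct["uid"])):
        return False
    if group and group not in acct["groups"]:
        return False
    return True


def lookup_setting(settings, name, account_name):
    for s in settings.get(name, []):
        if selector_matches(s.user, s.group, account_name):
            return s.value
    return IMPLICIT_DEFAULTS[name]


def resolve_shell(entry, settings, account_name):
    if entry.shell == "DEFAULTSHELL":
        return lookup_setting(settings, "default_shell", account_name)
    if entry.shell == "LOCALSHELL":
        path = lookup_setting(settings, "preferred_shell_file", account_name)
        path = path.replace("~", "/home/" + account_name, 1)  # constructed home layout
        if path in PREFERRED_FILES:
            return PREFERRED_FILES[path].strip()
        return lookup_setting(settings, "default_preferred_shell", account_name)
    return entry.shell


def decide(conf_text, account_name, command):
    """Return (shell, command_allowed, winning_priority) for one login attempt."""
    entries, settings = parse_conf(conf_text)
    candidates = [e for e in entries if selector_matches(e.user, e.group, account_name)]
    if not candidates:
        raise LookupError("no entry matched; the catch-all entry should always exist")
    best = max(candidates, key=lambda e: e.priority)  # highest priority wins; first on ties (assumption)
    shell = resolve_shell(best, settings, account_name)
    # allowed_cmds is searched, not anchored: '^$' permits only an empty command,
    # '' permits anything, and a bare '^svn' would match any command starting with svn
    allowed = re.search(best.allowed_cmds, command) is not None
    return shell, allowed, best.priority


if __name__ == "__main__":
    for who, cmd in [("alice", "svn serve"), ("carol", "ls"), ("bob", "ls -l"), ("nobody", "ls"), ("nobody", "")]:
        print(who, repr(cmd), decide(SAMPLE_CONF, who, cmd))
```

Running it shows alice (in infrastructure, with a ~/.localshellrc) landing in /bin/zsh with any command allowed, carol (same group, no rc file) falling back to default_preferred_shell, bob taking the /bin/bash entry, and nobody hitting the catch-all, where /bin/false is enforced and only an empty command passes the `^$` check.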