Kalpana Kalpana (Editor)

Restricted shell


The restricted shell is a Unix shell that restricts some of the capabilities available to an interactive user session, or to a shell script, running within it. It is intended to provide an additional layer of security, but it is insufficient to allow execution of entirely untrusted software. A restricted mode of operation is found in the original Bourne shell and its later counterpart bash, and in the Korn shell. In some cases a restricted shell is used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.

Invocation

The restricted mode of the Bourne shell sh, and its POSIX workalikes, is used when the interpreter is invoked in one of the following ways:

  • sh -r – note that this conflicts with the "read" option in some sh variants
  • rsh – note that this may conflict with the remote shell command, which is also called rsh on some systems

The restricted mode of bash is used when bash is invoked in one of the following ways:

  • rbash
  • bash -r
  • bash --restricted

Similarly, the Korn shell's restricted mode is produced by invoking it thus:

  • rksh
  • ksh -r

Setting Up rbash

For some systems (e.g., CentOS), invocation through rbash is not enabled by default: the user gets a "command not found" error if rbash is invoked directly, or a login failure if the /etc/passwd entry names /bin/rbash as the user's shell.

It suffices to create a link named rbash pointing directly to bash. Although this invokes bash without the -r or --restricted option, bash recognizes that it was invoked under the name rbash and comes up as a restricted shell.

This can be accomplished with the following simple commands (executed as root, either logged in as root or using sudo):

Limited operations

The following operations are not permitted in a restricted shell:

  • changing directory
  • specifying absolute pathnames or names containing a slash
  • setting the PATH or SHELL variable
  • redirection of output

bash adds further restrictions, including:

  • limitations on function definitions
  • limitations on the use of slashed filenames in bash builtins

Restrictions in the restricted Korn shell are much the same as those in the restricted Bourne shell.
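The following script is an added example, not code from the original page. It covers both the "Setting Up rbash" step (the real procedure links /bin/rbash to /bin/bash as root; here the link is created in a scratch directory, an assumption made so the demo runs unprivileged) and the "Limited operations" list above: it creates the rbash link, then runs each forbidden operation through it and classifies bash's reply.

```shell
#!/bin/sh
# Added example, not from the original page. The real setup links
# /bin/rbash -> /bin/bash as root; here the link goes into a scratch
# directory (an assumption) so it can be tried without privileges.

# Create a link named rbash pointing at the bash binary found on PATH.
# bash sees argv[0] ending in "rbash" and starts restricted even without
# -r / --restricted.
setup_rbash_link() {
    dir=$1
    bash_path=$(command -v bash) || return 1
    ln -sf "$bash_path" "$dir/rbash"
}

# Run one command line under the rbash link and classify the result:
# "restricted" when bash refused it with a restricted-mode message
# (cd, slashed paths and output redirection say "restricted"; PATH and
# SHELL are made readonly, so assignment says "readonly variable"),
# "allowed" otherwise. Only stderr is inspected; stdout is discarded.
probe_rbash() {
    dir=$1
    shift
    err=$("$dir/rbash" -c "$*" 2>&1 >/dev/null) || true
    case $err in
        *restricted*|*readonly*) echo restricted ;;
        *) echo allowed ;;
    esac
}

# Walk through the operations the page lists as forbidden, plus one that
# is permitted, so the difference is visible.
demo() {
    scratch=$(mktemp -d)
    setup_rbash_link "$scratch" || { echo "bash not found"; return 1; }
    for cmd in 'cd /' '/bin/ls' 'echo hi > out' 'PATH=/tmp' 'echo hi'; do
        printf '%-16s %s\n' "$cmd" "$(probe_rbash "$scratch" "$cmd")"
    done
    rm -rf "$scratch"
}
```

Calling demo prints one line per probe; the first four report "restricted" and the plain echo reports "allowed". The probe keys on bash's own error text, so it also serves as a quick check that a freshly created rbash link really is restricted before an account is pointed at it.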

Weaknesses of a restricted shell

The restricted shell is not secure. A user can break out of the restricted environment by running a program that offers a function for spawning a shell. The following is an example of the shell function in vi being used to escape from the restricted shell:

Or by simply starting a new unrestricted shell, if one is in the PATH, as demonstrated here:
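Both weaknesses come down to what the restricted user can reach through PATH. The script below is an added example, not part of the original page: it audits the single command directory a restricted account is given (the directory path is an assumption) and flags the two kinds of entries the page names, shell binaries and vi-family editors, including a shell hidden behind a harmless-looking symlink name. The name lists are a starting point, not an exhaustive inventory.

```shell
#!/bin/sh
# Added example, not from the original page. Audits the directory that a
# restricted user's PATH is limited to (path given by the caller; an
# assumption) for commands that hand the user an unrestricted shell.

# Classify a command by its basename: prints "shell" for shell binaries,
# "editor-with-shell-escape" for vi-family editors, nothing otherwise.
# The lists are a starting point; extend them for the local system.
classify_command() {
    case $1 in
        sh|bash|dash|ksh|zsh|csh|tcsh|fish) echo shell ;;
        vi|vim|view|ex|nvim) echo editor-with-shell-escape ;;
    esac
}

# Print one "FLAG <name>: <reason>" line per risky entry in $1, or a
# single "OK" line when nothing is flagged. A symlink whose own name is
# innocuous is judged by its target, so "edit -> /bin/dash" is caught.
audit_restricted_path() {
    dir=$1
    flagged=0
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty dir: glob stays literal
        name=${f##*/}
        reason=$(classify_command "$name")
        if [ -z "$reason" ] && [ -L "$f" ]; then
            target=$(readlink "$f")
            reason=$(classify_command "${target##*/}")
            [ -n "$reason" ] && reason="$reason (link to ${target##*/})"
        fi
        if [ -n "$reason" ]; then
            echo "FLAG $name: $reason"
            flagged=$((flagged+1))
        fi
    done
    [ "$flagged" -eq 0 ] && echo "OK: no shell or shell-escaping editor in $dir"
    return 0
}
```

Run it as audit_restricted_path /home/restricted/bin (path assumed) whenever the command set for a restricted account changes. Pair the check with the other usual controls: the directory must not be writable by the restricted user, and the entries should be copies or links to programs that cannot themselves run arbitrary commands.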

List of programs

Beyond the restricted modes of usual shells, specialized restricted shell programs include:

  • rssh – used with OpenSSH, permitting only certain file copying programs, namely scp, sftp, rsync, cvs, and rdist
  • smrsh – limits the commands sendmail can invoke

References

  • Restricted shell, Wikipedia