Restricted shell explained

The restricted shell is a Unix shell that restricts some of the capabilities available to an interactive user session, or to a shell script, running within it. It is intended to provide an additional layer of security, but is insufficient to allow execution of entirely untrusted software. A restricted mode operation is found in the original Bourne shell^[1] and its later counterpart Bash,^[2] and in the KornShell.^[3] In some cases a restricted shell is used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.

Invocation

The restricted mode of the Bourne shell, and its POSIX workalikes, is used when the interpreter is invoked in one of the following ways:

•    note that this conflicts with the "read" option in some variants
•    note that this may conflict with the remote shell command, which is also called on some systems

The restricted mode of Bash is used when Bash is invoked in one of the following ways:

Similarly KornShell's restricted mode is produced by invoking it thus:

Setting up rbash

For some systems (e.g., CentOS), the invocation through is not enabled by default, and the user obtains a error if invoked directly, or a login failure if the /etc/passwd file indicates as the user's shell.

It suffices to create a link named pointing directly to . Though this invokes Bash directly, without the or options, Bash does recognize that it was invoked through and it does come up as a restricted shell.

This can be accomplished with the following simple commands (executed as root, either logged in as user root, or using sudo):root@host:~# cd /binroot@host:/bin# ln bash rbash

Limited operations

The following operations are not permitted in a restricted shell:

• changing directory
• specifying absolute pathnames or names containing a slash
• setting the PATH or SHELL variable
• redirection of output

Bash adds further restrictions, including:^[2]

• limitations on function definitions
• limitations on the use of slash-ed filenames in Bash builtins

Restrictions in the restricted KornShell are much the same as those in the restricted Bourne shell.^[4]

Weaknesses of a restricted shell

The restricted shell is not secure. A user can break out of the restricted environment by running a program that features a shell function. The following is an example of the shell function in vi being used to escape from the restricted shell:user@host:~$ vi

set shell=/bin/sh

shellOr by simply starting a new unrestricted shell, if it is in the, as demonstrated here:user@host:~$ rbashuser@host:~$ cd /rbash: cd: restricteduser@host:~$ bashuser@host:~$ cd /user@host:/$

List of programs

Beyond the restricted modes of usual shells, specialized restricted shell programs include:

• [http://www.pizzashack.org/rssh/ rssh] – used with OpenSSH, permitting only certain file copying programs, namely scp, sftp, rsync, cvs, and rdist
• smrsh, which limits the commands sendmail can invoke^[5]

See also

• Remote Shell

Notes and References

1. Web site: POSIX sh specification . 2010-10-04 . 2014-12-21 . https://web.archive.org/web/20141221210713/http://pwet.fr/man/linux/commandes/posix/sh . dead .
2. https://www.gnu.org/software/bash/manual/bashref.html#The-Restricted-Shell GNU Bash manual
3. http://docs.sun.com/app/docs/doc/816-5165/ksh-1?l=en&n=1&a=view ksh manual
4. http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=/com.ibm.aix.baseadmn/doc/baseadmndita/korn_shell_restricted.htm ksh(1) manual page
5. Book: Costales. Bryan. Assmann. Claus. Jansen. George. Shapiro. Gregory Neil. Sendmail. 2012-08-02. 4. Oreilly Series. 2007. O'Reilly Media, Inc.. 9780596510299. 379. As an aid in preventing [...] attacks, V8.1 sendmail first offered the smrsh (sendmail restricted shell) program..