6.10 The Restricted Shell
=========================

If Bash is started with the name 'rbash', or the '--restricted' or '-r'
option is supplied at invocation, the shell becomes restricted.  A
restricted shell is used to set up an environment more controlled than
the standard shell.  A restricted shell behaves identically to 'bash'
with the exception that the following are disallowed or not performed:

   * Changing directories with the 'cd' builtin.
   * Setting or unsetting the values of the 'SHELL', 'PATH', 'HISTFILE',
     'ENV', or 'BASH_ENV' variables.
   * Specifying command names containing slashes.
   * Specifying a filename containing a slash as an argument to the '.'
     builtin command.
   * Specifying a filename containing a slash as an argument to the
     'history' builtin command.
   * Specifying a filename containing a slash as an argument to the '-p'
     option to the 'hash' builtin command.
   * Importing function definitions from the shell environment at
     startup.
   * Parsing the value of 'SHELLOPTS' from the shell environment at
     startup.
   * Redirecting output using the '>', '>|', '<>', '>&', '&>', and '>>'
     redirection operators.
   * Using the 'exec' builtin to replace the shell with another command.
   * Adding or deleting builtin commands with the '-f' and '-d' options
     to the 'enable' builtin.
   * Using the 'enable' builtin command to enable disabled shell
     builtins.
   * Specifying the '-p' option to the 'command' builtin.
   * Turning off restricted mode with 'set +r' or 'set +o restricted'.

These restrictions are enforced after any startup files are read.

When a command that is found to be a shell script is executed (*note
Shell Scripts::), 'rbash' turns off any restrictions in the shell
spawned to execute the script.

The restricted shell mode is only one component of a useful restricted
environment.  It should be accompanied by setting 'PATH' to a value that
allows execution of only a few verified commands (commands that allow
shell escapes are particularly vulnerable), leaving the user in a
non-writable directory other than his home directory after login, not
allowing the restricted shell to execute shell scripts, and cleaning the
environment of variables that cause some commands to modify their
behavior (e.g., 'VISUAL' or 'PAGER').
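
As an added example (not part of the Bash manual), the following POSIX sh
functions build a home directory along the lines described above and audit
it; HOME_DIR, the 'work' subdirectory and the permitted-command list are
assumptions, and in practice the files would be owned by root rather than by
the restricted user.

```shell
# Added example, not from the Bash manual: build and audit a home directory
# for an rbash user along the lines this section recommends. HOME_DIR, the
# 'work' directory and the command list are assumptions for illustration.

# populate_restricted_bin HOME_DIR CMD... : create HOME_DIR/bin holding
# symlinks to the permitted commands, resolved now so the user never needs
# a slash in a command name. Returns 1 if a command cannot be found.
populate_restricted_bin() {
    home=$1; shift
    mkdir -p "$home/bin" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "not found: $cmd" >&2; return 1; }
        ln -sf "$target" "$home/bin/$cmd" || return 1
    done
    chmod 555 "$home/bin"
}

# write_restricted_profile HOME_DIR : the startup file rbash reads before the
# restrictions apply. It pins PATH, clears variables that let commands spawn
# editors or pagers, and parks the user in a non-writable directory.
write_restricted_profile() {
    home=$1
    mkdir -p "$home/work" && chmod 555 "$home/work" || return 1
    cat > "$home/.bash_profile" <<EOF
PATH=$home/bin; export PATH
unset VISUAL PAGER ENV BASH_ENV
cd $home/work
EOF
    chmod 444 "$home/.bash_profile"
}

# no_write_bits PATH : 0 if no rwx triplet in the mode string has a w bit.
no_write_bits() { ls -ld "$1" | cut -c2-10 | grep -qv w; }

# audit_restricted_home HOME_DIR : 0 if the layout matches the rules above.
audit_restricted_home() {
    home=$1
    no_write_bits "$home/bin" && no_write_bits "$home/.bash_profile" || return 1
    grep -q "^PATH=$home/bin; export PATH" "$home/.bash_profile" || return 1
    grep -q "^unset VISUAL PAGER" "$home/.bash_profile" || return 1
    for f in "$home"/bin/*; do   # an empty bin also fails: the glob stays literal
        [ -x "$f" ] || return 1
    done
}

# rbash_rejects CMD : 0 when a restricted bash refuses CMD, 2 if bash is absent.
rbash_rejects() {
    command -v bash >/dev/null 2>&1 || return 2
    ! bash --restricted -c "$1" >/dev/null 2>&1
}
```

Note that the audit checks mode bits rather than '-w', so it gives the same answer whether it is run by root or by the restricted user.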

Modern systems provide more secure ways to implement a restricted
environment, such as 'jails', 'zones', or 'containers'.