Restricted shell

Last updated December 18, 2021

The restricted shell is a Unix shell that restricts some of the capabilities available to an interactive user session, or to a shell script, running within it. It is intended to provide an additional layer of security, but is insufficient to allow execution of entirely untrusted software. A restricted mode operation is found in the original Bourne shell ^[1] and its later counterpart Bash ,^[2] and in the KornShell.^[3] In some cases a restricted shell is used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.

Invocation

The restricted mode of the Bourne shell sh, and its POSIX workalikes, is used when the interpreter is invoked in one of the following ways:

sh -r note that this conflicts with the "read" option in some sh variants
rsh note that this may conflict with the remote shell command, which is also called rsh on some systems

The restricted mode of Bash is used when Bash is invoked in one of the following ways:

rbash
bash -r
bash --restricted

Similarly KornShell's restricted mode is produced by invoking it thus:

rksh
ksh -r

Setting up rbash

For some systems (e.g., CentOS), the invocation through rbash is not enabled by default, and the user obtains a command not found error if invoked directly, or a login failure if the /etc/passwd file indicates /bin/rbash as the user's shell.

It suffices to create a link named rbash pointing directly to bash. Though this invokes Bash directly, without the -r or --restricted options, Bash does recognize that it was invoked through rbash and it does come up as a restricted shell.

This can be accomplished with the following simple commands (executed as root, either logged in as user root, or using sudo):

root@host:~# cd /bin root@host:/bin# ln bash rbash

Limited operations

The following operations are not permitted in a restricted shell:

changing directory
specifying absolute pathnames or names containing a slash
setting the PATH or SHELL variable
redirection of output

Bash adds further restrictions, including:^[2]

limitations on function definitions
limitations on the use of slash-ed filenames in Bash builtins

Restrictions in the restricted KornShell are much the same as those in the restricted Bourne shell.^[4]

Weaknesses of a restricted shell

The restricted shell is not secure. A user can break out of the restricted environment by running a program that features a shell function. The following is an example of the shell function in vi being used to escape from the restricted shell:

user@host:~$ vi

:setshell=/bin/sh:shell

Or by simply starting a new unrestricted shell, if it is in the PATH, as demonstrated here:

user@host:~$ rbash user@host:~$ cd / rbash: cd: restricteduser@host:~$ bash user@host:~$ cd / user@host:/$

List of programs

Beyond the restricted modes of usual shells, specialized restricted shell programs include:

rssh – used with OpenSSH, permitting only certain file copying programs, namely scp, sftp, rsync, cvs, and rdist
smrsh, which limits the commands sendmail can invoke^[5]

Related Research Articles

Bash is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. First released in 1989, it has been used as the default login shell for most Linux distributions. A version is also available for Windows 10 via the Windows Subsystem for Linux. It is also the default user shell in Solaris 11. Bash was also the default shell in all versions of Apple macOS prior to the 2019 release of macOS Catalina, which changed the default shell to zsh, although Bash remains available as an alternative shell.

KornShell (ksh) is a Unix shell which was developed by David Korn at Bell Labs in the early 1980s and announced at USENIX on July 14, 1983. The initial development was based on Bourne shell source code. Other early contributors were Bell Labs developers Mike Veach and Pat Sullivan, who wrote the Emacs and vi-style line editing modes' code, respectively. KornShell is backward-compatible with the Bourne shell and includes many features of the C shell, inspired by the requests of Bell Labs users.

A shell script is a computer program designed to be run by the Unix shell, a command-line interpreter. The various dialects of shell scripts are considered to be scripting languages. Typical operations performed by shell scripts include file manipulation, program execution, and printing text. A script which sets up the environment, runs the program, and does any necessary cleanup, logging, etc. is called a wrapper.

A Unix shell is a command-line interpreter or shell that provides a command line user interface for Unix-like operating systems. The shell is both an interactive command language and a scripting language, and is used by the operating system to control the execution of the system using shell scripts.

The Bourne shell (sh) is a shell command-line interpreter for computer operating systems.

The Z shell (Zsh) is a Unix shell that can be used as an interactive login shell and as a command interpreter for shell scripting. Zsh is an extended Bourne shell with many improvements, including some features of Bash, ksh, and tcsh.

The cd command, also known as chdir, is a command-line shell command used to change the current working directory in various operating systems. It can be used in shell scripts and batch files.

Almquist shell is a lightweight Unix shell originally written by Kenneth Almquist in the late 1980s. Initially a clone of the System V.4 variant of the Bourne shell, it replaced the original Bourne shell in the BSD versions of Unix released in the early 1990s.

In computing, a symbolic link is a term for any file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.

In Unix-like and some other operating systems, the pwd command writes the full pathname of the current working directory to the standard output.

In computing, time is a command in Unix and Unix-like operating systems. It is used to determine the duration of execution of a particular command.

A command shell is a command-line interface to interact with and manipulate an computer's operating system.

In computing, alias is a command in various command-line interpreters (shells), which enables a replacement of a word by another string. It is mainly used for abbreviating a system command, or for adding default arguments to a regularly used command. alias is available in Unix shells, AmigaDOS, 4DOS/4NT, KolibriOS, Windows PowerShell, ReactOS, and the EFI shell. Aliasing functionality in the MS-DOS and Microsoft Windows operating systems is provided by the DOSKey command-line utility.

In computing, a shebang is the character sequence consisting of the characters number sign and exclamation mark at the beginning of a script. It is also called sha-bang, hashbang, pound-bang, or hash-pling.

chsh is a command on Unix-like operating systems that is used to change a login shell. Users can either supply the pathname of the shell that they wish to change to on the command line, or supply no arguments, in which case chsh allows the user to change the shell interactively.

getopts is a built-in Unix shell command for parsing command-line arguments. It is designed to process command line arguments that follow the POSIX Utility Syntax Guidelines, based on the C interface of getopt.

In a Unix shell, the full stop called the dot command (.) is a command that evaluates commands in a computer file in the current execution context. In C Shell, a similar functionality is provided as the source command, and this name is seen in "extended" POSIX shells as well.

In computing, command substitution is a facility that allows a command to be run and its output to be pasted back on the command line as arguments to another command. Command substitution first appeared in the Bourne shell, introduced with Version 7 Unix in 1979, and has remained a characteristic of all later Unix shells. The feature has since been adopted in other programming languages as well, including Perl, PHP, Ruby and Microsoft's Powershell under Windows. It also appears in Microsoft's CMD.EXE in the FOR command and the ( ) command.

A command-line interface (CLI) processes commands to a computer program in the form of lines of text. The program which handles the interface is called a command-line interpreter or command-line processor. Operating systems implement a command-line interface in a shell for interactive access to operating system functions or services. Such access was primarily provided to users by computer terminals starting in the mid-1960s, and continued to be used throughout the 1970s and 1980s on VAX/VMS, Unix systems and personal computer systems including DOS, CP/M and Apple DOS.

References

↑ POSIX sh specification
1 2 GNU Bash manual
↑ ksh manual, Solaris (SunOS 5.10) manual page, Oracle Inc.
↑ ksh(1) manual page, IBM AIX documentation set
↑ Costales, Bryan; Assmann, Claus; Jansen, George; Shapiro, Gregory Neil (2007). Sendmail. Oreilly Series (4 ed.). O'Reilly Media, Inc. p. 379. ISBN 9780596510299 . Retrieved 2012-08-02. As an aid in preventing [...] attacks, V8.1 sendmail first offered the smrsh (sendmail restricted shell) program.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[posix_sh-1] POSIX sh specification

[bash_manual-2] 1 2 GNU Bash manual

[ksh_manual-3] sh manual, Solaris (SunOS 5.10) manual page, Oracle Inc.

[aix_ksh_manual-4] sh(1) manual page, IBM AIX documentation set

[5] Costales, Bryan; Assmann, Claus; Jansen, George; Shapiro, Gregory Neil (2007). Sendmail. Oreilly Series (4 ed.). O'Reilly Media, Inc. p. 379. ISBN 9780596510299 . Retrieved 2012-08-02. As an aid in preventing [...] attacks, V8.1 sendmail first offered the smrsh (sendmail restricted shell) program.

[1]

[2]

[3]

[4]

[5]