Restricted shell

Last updated January 04, 2025

The restricted shell is a Unix shell that restricts some of the capabilities available to an interactive user session, or to a shell script, running within it. It is intended to provide an additional layer of security, but is insufficient to allow execution of entirely untrusted software. A restricted mode operation is found in the original Bourne shell ^[1] and its later counterpart Bash,^[2] and in the KornShell.^[3] In some cases a restricted shell is used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.

Invocation

The restricted mode of the Bourne shell sh, and its POSIX workalikes, is used when the interpreter is invoked in one of the following ways:

sh -r note that this conflicts with the "read" option in some sh variants
rsh note that this may conflict with the remote shell command, which is also called rsh on some systems

The restricted mode of Bash is used when Bash is invoked in one of the following ways:

rbash
bash -r
bash --restricted

Similarly KornShell's restricted mode is produced by invoking it thus:

rksh
ksh -r

Setting up rbash

For some systems (e.g., CentOS), the invocation through rbash is not enabled by default, and the user obtains a command not found error if invoked directly, or a login failure if the /etc/passwd file indicates /bin/rbash as the user's shell.

It suffices to create a link named rbash pointing directly to bash. Though this invokes Bash directly, without the -r or --restricted options, Bash does recognize that it was invoked through rbash and it does come up as a restricted shell.

This can be accomplished with the following simple commands (executed as root, either logged in as user root, or using sudo):

root@host:~# cd/bin root@host:/bin# lnbashrbash

Limited operations

The following operations are not permitted in a restricted shell:

changing directory
specifying absolute pathnames or names containing a slash
setting the PATH or SHELL variable
redirection of output

Bash adds further restrictions, including:^[2]

limitations on function definitions
limitations on the use of slash-ed filenames in Bash builtins

Restrictions in the restricted KornShell are much the same as those in the restricted Bourne shell.^[4]

Weaknesses of a restricted shell

The restricted shell is not secure. A user can break out of the restricted environment by running a program that features a shell function. The following is an example of the shell function in vi being used to escape from the restricted shell:

user@host:~$ vi

:setshell=/bin/sh:shell

Or by simply starting a new unrestricted shell, if it is in the PATH, as demonstrated here:

user@host:~$ rbash user@host:~$ cd/ rbash: cd: restricteduser@host:~$ bash user@host:~$ cd/ user@host:/$

List of programs

Beyond the restricted modes of usual shells, specialized restricted shell programs include:

rssh – used with OpenSSH, permitting only certain file copying programs, namely scp, sftp, rsync, cvs, and rdist
smrsh, which limits the commands sendmail can invoke^[5]

Related Research Articles

Bash, short for Bourne-Again SHell, is a shell program and command language supported by the Free Software Foundation and first developed for the GNU Project by Brian Fox. Designed as a 100% free software alternative for the Bourne shell, it was initially released in 1989. Its moniker is a play on words, referencing both its predecessor, the Bourne shell, and the concept of rebirth.

KornShell (ksh) is a Unix shell which was developed by David Korn at Bell Labs in the early 1980s and announced at USENIX on July 14, 1983. The initial development was based on Bourne shell source code. Other early contributors were Bell Labs developers Mike Veach and Pat Sullivan, who wrote the Emacs and vi-style line editing modes' code, respectively. KornShell is backward-compatible with the Bourne shell and includes many features of the C shell, inspired by the requests of Bell Labs users.

A shell script is a computer program designed to be run by a Unix shell, a command-line interpreter. The various dialects of shell scripts are considered to be command languages. Typical operations performed by shell scripts include file manipulation, program execution, and printing text. A script which sets up the environment, runs the program, and does any necessary cleanup or logging, is called a wrapper.

A Unix shell is a command-line interpreter or shell that provides a command line user interface for Unix-like operating systems. The shell is both an interactive command language and a scripting language, and is used by the operating system to control the execution of the system using shell scripts.

The Bourne shell (sh) is a shell command-line interpreter for computer operating systems. It first appeared on Version 7 Unix, as its default shell. Unix-like systems continue to have /bin/sh—which will be the Bourne shell, or a symbolic link or hard link to a compatible shell—even when other shells are used by most users.

The Z shell (Zsh) is a Unix shell that can be used as an interactive login shell and as a command interpreter for shell scripting. Zsh is an extended Bourne shell with many improvements, including some features of Bash, ksh, and tcsh.

tcsh is a Unix shell based on and backward compatible with the C shell (csh).

The cd command, also known as chdir, is a command-line shell command used to change the current working directory in various operating systems. It can be used in shell scripts and batch files.

Almquist shell is a lightweight Unix shell originally written by Kenneth Almquist in the late 1980s. Initially a clone of the System V.4 variant of the Bourne shell, it replaced the original Bourne shell in the BSD versions of Unix released in the early 1990s.

In computing, a symbolic link is a file whose purpose is to point to a file or directory by specifying a path thereto.

pwd Directory information command on various operating systems

In Unix-like and some other operating systems, the pwd command writes the full pathname of the current working directory to the standard output.

time (Unix) Command in Unix and Unix-like operating systems

In computing, time is a command in Unix and Unix-like operating systems. It is used to determine the duration of execution of a particular command.

A command shell is a command-line interface to interact with and manipulate a computer's operating system.

In computing, a shebang is the character sequence #!, consisting of the characters number sign and exclamation mark, at the beginning of a script. It is also called sharp-exclamation, sha-bang, hashbang, pound-bang, or hash-pling.

getopts is a built-in Unix shell command for parsing command-line arguments. It is designed to process command line arguments that follow the POSIX Utility Syntax Guidelines, based on the C interface of getopt.

The script command is a Unix utility that records a terminal session. It dates back to the 1979 3.0 Berkeley Software Distribution (BSD).

In a Unix shell, the full stop called the dot command (.) is a command that evaluates commands in a computer file in the current execution context. In the C shell, a similar functionality is provided as the source command, and this name is seen in "extended" POSIX shells as well.

In computing, command substitution is a facility that allows a command to be run and its output to be pasted back on the command line as arguments to another command. Command substitution first appeared in the Bourne shell, introduced with Version 7 Unix in 1979, and has remained a characteristic of all later Unix shells. The feature has since been adopted in other programming languages as well, including Perl, PHP, Ruby and Microsoft's Powershell under Windows. It also appears in Microsoft's CMD.EXE in the FOR command and the ( ) command.

A command-line interface (CLI) is a means of interacting with a computer program by inputting lines of text called command lines. Command-line interfaces emerged in the mid-1960s, on computer terminals, as an interactive and more user-friendly alternative to the non-interactive interface available with punched cards.

References

↑ "POSIX sh specification". Archived from the original on 2014-12-21. Retrieved 2010-10-04.
1 2 GNU Bash manual
↑ ksh manual, Solaris (SunOS 5.10) manual page, Oracle Inc.
↑ ksh(1) manual page, IBM AIX documentation set
↑ Costales, Bryan; Assmann, Claus; Jansen, George; Shapiro, Gregory Neil (2007). Sendmail. Oreilly Series (4 ed.). O'Reilly Media, Inc. p. 379. ISBN 9780596510299 . Retrieved 2012-08-02. As an aid in preventing [...] attacks, V8.1 sendmail first offered the smrsh (sendmail restricted shell) program.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[posix_sh-1] "POSIX sh specification". Archived from the original on 2014-12-21. Retrieved 2010-10-04.

[bash_manual-2] 1 2 GNU Bash manual

[ksh_manual-3] sh manual, Solaris (SunOS 5.10) manual page, Oracle Inc.

[aix_ksh_manual-4] sh(1) manual page, IBM AIX documentation set

[5] Costales, Bryan; Assmann, Claus; Jansen, George; Shapiro, Gregory Neil (2007). Sendmail. Oreilly Series (4 ed.). O'Reilly Media, Inc. p. 379. ISBN 9780596510299 . Retrieved 2012-08-02. As an aid in preventing [...] attacks, V8.1 sendmail first offered the smrsh (sendmail restricted shell) program.

[1]

[2]

[3]

[4]

[5]