[thirdparty/bash.git] / RBASH

6.10 The Restricted Shell
=========================

If Bash is started with the name 'rbash', or the '--restricted' or '-r'
option is supplied at invocation, the shell becomes restricted.  A
restricted shell is used to set up an environment more controlled than
the standard shell.  A restricted shell behaves identically to 'bash'
with the exception that the following are disallowed or not performed:

   * Changing directories with the 'cd' builtin.
   * Setting or unsetting the values of the 'SHELL', 'PATH', 'HISTFILE',
     'ENV', or 'BASH_ENV' variables.
   * Specifying command names containing slashes.
   * Specifying a filename containing a slash as an argument to the '.'
     builtin command.
   * Specifying a filename containing a slash as an argument to the
     'history' builtin command.
   * Specifying a filename containing a slash as an argument to the '-p'
     option to the 'hash' builtin command.
   * Importing function definitions from the shell environment at
     startup.
   * Parsing the value of 'SHELLOPTS' from the shell environment at
     startup.
   * Redirecting output using the '>', '>|', '<>', '>&', '&>', and '>>'
     redirection operators.
   * Using the 'exec' builtin to replace the shell with another command.
   * Adding or deleting builtin commands with the '-f' and '-d' options
     to the 'enable' builtin.
   * Using the 'enable' builtin command to enable disabled shell
     builtins.
   * Specifying the '-p' option to the 'command' builtin.
   * Turning off restricted mode with 'set +r' or 'shopt -u
     restricted_shell'.

These restrictions are enforced after any startup files are read.

When a command that is found to be a shell script is executed (*note
Shell Scripts::), 'rbash' turns off any restrictions in the shell
spawned to execute the script.

The restricted shell mode is only one component of a useful restricted
environment.  It should be accompanied by setting 'PATH' to a value that
allows execution of only a few verified commands (commands that allow
shell escapes are particularly vulnerable), changing the current
directory to a non-writable directory other than '$HOME' after login,
not allowing the restricted shell to execute shell scripts, and cleaning
the environment of variables that cause some commands to modify their
behavior (e.g., 'VISUAL' or 'PAGER').

Modern systems provide more secure ways to implement a restricted
environment, such as 'jails', 'zones', or 'containers'.
Commit	Line	Data
95732b49 JA	1	6.10 The Restricted Shell
95732b49 JA	2	=========================
7117c2d2	3
a0c0a00f	4	If Bash is started with the name 'rbash', or the '--restricted' or '-r'
7117c2d2 JA	5	option is supplied at invocation, the shell becomes restricted. A
7117c2d2 JA	6	restricted shell is used to set up an environment more controlled than
a0c0a00f	7	the standard shell. A restricted shell behaves identically to 'bash'
7117c2d2 JA	8	with the exception that the following are disallowed or not performed:
7117c2d2 JA	9
a0c0a00f	10	* Changing directories with the 'cd' builtin.
8868edaf CR	11	* Setting or unsetting the values of the 'SHELL', 'PATH', 'HISTFILE',
8868edaf CR	12	'ENV', or 'BASH_ENV' variables.
7117c2d2	13	* Specifying command names containing slashes.
a0c0a00f	14	* Specifying a filename containing a slash as an argument to the '.'
7117c2d2	15	builtin command.
8868edaf CR	16	* Specifying a filename containing a slash as an argument to the
8868edaf CR	17	'history' builtin command.
a0c0a00f CR	18	* Specifying a filename containing a slash as an argument to the '-p'
a0c0a00f CR	19	option to the 'hash' builtin command.
7117c2d2 JA	20	* Importing function definitions from the shell environment at
7117c2d2 JA	21	startup.
a0c0a00f	22	* Parsing the value of 'SHELLOPTS' from the shell environment at
7117c2d2	23	startup.
a0c0a00f	24	* Redirecting output using the '>', '>\|', '<>', '>&', '&>', and '>>'
7117c2d2	25	redirection operators.
a0c0a00f CR	26	* Using the 'exec' builtin to replace the shell with another command.
	27	* Adding or deleting builtin commands with the '-f' and '-d' options
	28	to the 'enable' builtin.
	29	* Using the 'enable' builtin command to enable disabled shell
7117c2d2	30	builtins.
a0c0a00f	31	* Specifying the '-p' option to the 'command' builtin.
74091dd4 CR	32	* Turning off restricted mode with 'set +r' or 'shopt -u
74091dd4 CR	33	restricted_shell'.
7117c2d2 JA	34
	35	These restrictions are enforced after any startup files are read.
	36
	37	When a command that is found to be a shell script is executed (*note
a0c0a00f	38	Shell Scripts::), 'rbash' turns off any restrictions in the shell
7117c2d2 JA	39	spawned to execute the script.
7117c2d2 JA	40
8868edaf CR	41	The restricted shell mode is only one component of a useful restricted
	42	environment. It should be accompanied by setting 'PATH' to a value that
	43	allows execution of only a few verified commands (commands that allow
74091dd4 CR	44	shell escapes are particularly vulnerable), changing the current
	45	directory to a non-writable directory other than '$HOME' after login,
	46	not allowing the restricted shell to execute shell scripts, and cleaning
	47	the environment of variables that cause some commands to modify their
8868edaf CR	48	behavior (e.g., 'VISUAL' or 'PAGER').
	49
	50	Modern systems provide more secure ways to implement a restricted
	51	environment, such as 'jails', 'zones', or 'containers'.
	52