]>
Commit | Line | Data |
---|---|---|
95732b49 JA |
1 | 6.10 The Restricted Shell |
2 | ========================= | |
7117c2d2 | 3 | |
a0c0a00f | 4 | If Bash is started with the name 'rbash', or the '--restricted' or '-r' |
7117c2d2 JA |
5 | option is supplied at invocation, the shell becomes restricted. A |
6 | restricted shell is used to set up an environment more controlled than | |
a0c0a00f | 7 | the standard shell. A restricted shell behaves identically to 'bash' |
7117c2d2 JA |
8 | with the exception that the following are disallowed or not performed: |
9 | ||
a0c0a00f | 10 | * Changing directories with the 'cd' builtin. |
8868edaf CR |
11 | * Setting or unsetting the values of the 'SHELL', 'PATH', 'HISTFILE', |
12 | 'ENV', or 'BASH_ENV' variables. | |
7117c2d2 | 13 | * Specifying command names containing slashes. |
a0c0a00f | 14 | * Specifying a filename containing a slash as an argument to the '.' |
7117c2d2 | 15 | builtin command. |
8868edaf CR |
16 | * Specifying a filename containing a slash as an argument to the |
17 | 'history' builtin command. | |
a0c0a00f CR |
18 | * Specifying a filename containing a slash as an argument to the '-p' |
19 | option to the 'hash' builtin command. | |
7117c2d2 JA |
20 | * Importing function definitions from the shell environment at |
21 | startup. | |
a0c0a00f | 22 | * Parsing the value of 'SHELLOPTS' from the shell environment at |
7117c2d2 | 23 | startup. |
a0c0a00f | 24 | * Redirecting output using the '>', '>|', '<>', '>&', '&>', and '>>' |
7117c2d2 | 25 | redirection operators. |
a0c0a00f CR |
26 | * Using the 'exec' builtin to replace the shell with another command. |
27 | * Adding or deleting builtin commands with the '-f' and '-d' options | |
28 | to the 'enable' builtin. | |
29 | * Using the 'enable' builtin command to enable disabled shell | |
7117c2d2 | 30 | builtins. |
a0c0a00f | 31 | * Specifying the '-p' option to the 'command' builtin. |
74091dd4 CR |
32 | * Turning off restricted mode with 'set +r' or 'shopt -u |
33 | restricted_shell'. | |
7117c2d2 JA |
34 | |
35 | These restrictions are enforced after any startup files are read. | |
36 | ||
37 | When a command that is found to be a shell script is executed (*note | |
a0c0a00f | 38 | Shell Scripts::), 'rbash' turns off any restrictions in the shell |
7117c2d2 JA |
39 | spawned to execute the script. |
40 | ||
8868edaf CR |
41 | The restricted shell mode is only one component of a useful restricted |
42 | environment. It should be accompanied by setting 'PATH' to a value that | |
43 | allows execution of only a few verified commands (commands that allow | |
74091dd4 CR |
44 | shell escapes are particularly vulnerable), changing the current |
45 | directory to a non-writable directory other than '$HOME' after login, | |
46 | not allowing the restricted shell to execute shell scripts, and cleaning | |
47 | the environment of variables that cause some commands to modify their | |
8868edaf CR |
48 | behavior (e.g., 'VISUAL' or 'PAGER'). |
49 | ||
50 | Modern systems provide more secure ways to implement a restricted | |
51 | environment, such as 'jails', 'zones', or 'containers'. | |
52 |