Rbash - limited shell
If Bash is started with the name rbash, or the --restricted or -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell. A restricted shell behaves identically to bash with the exception that the following are disallowed or not performed:
- Changing directories with the
- Setting or unsetting the values of the
- Specifying command names containing slashes.
- Specifying a filename containing a slash as an argument to the
- Specifying a filename containing a slash as an argument to the -p option to the
- Importing function definitions from the shell environment at startup.
- Parsing the value of SHELLOPTS from the shell environment at startup.
- Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
- Using the exec builtin to replace the shell with another command.
- Adding or deleting builtin commands with the -f and -d options to the
- Using the enable builtin command to enable disabled shell builtins.
- Specifying the -p option to the
- Turning off restricted mode with ‘set +r’ or ‘set +o restricted’.
These restrictions are enforced after any startup files are read.
usermod -s /bin/rbash user
grep user /etc/passwd
[user@peg ~]$ cd
bash: cd: restricted
[user@peg ~]$ ls t
[user@peg ~]$ cat t > test
bash: test: restricted: cannot redirect output
[user@peg ~]$ file about.sh
about.sh: POSIX shell script text executable
[user@peg ~]$ ./about.sh
bash: ./about.sh: restricted: cannot specify `/' in command names
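
The session above checks three restrictions by hand. The script below is an added example (not part of the original page) that repeats those checks and the other restrictions named in the list non-interactively, so a provisioning job can confirm that the installed bash enforces them. The function names, the `RBASH` override variable and the probe list are assumptions of this example.

```shell
#!/bin/sh
# Added example: check that the local bash enforces restricted mode.
# RBASH is an assumed override hook; by default "bash" is looked up on PATH.
RBASH=${RBASH:-bash}

# rbash_refuses CMD: status 0 if a restricted shell rejects CMD with a
# "restricted" diagnostic, 1 if the command was allowed to run.
rbash_refuses() {
    workdir=$(mktemp -d) || return 2
    # Empty scratch directory: an unenforced probe can only touch files here.
    # A nonzero exit from the probe is expected, so do not let `set -e` trip.
    out=$(cd "$workdir" && "$RBASH" -r -c "$1" 2>&1 </dev/null) || true
    rm -rf "$workdir"
    case $out in
        *restricted*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_rbash: run every probe, print one verdict per line, and return the
# number of probes that were NOT refused (0 means every restriction held).
audit_rbash() {
    failures=0
    while IFS= read -r probe; do
        if rbash_refuses "$probe"; then
            printf 'refused  %s\n' "$probe"
        else
            printf 'ALLOWED  %s\n' "$probe"
            failures=$((failures + 1))
        fi
    done <<'EOF'
cd /
/bin/ls
exec ls
: > probe
: >| probe
: <> probe
: >& probe
: &> probe
: >> probe
set +r; cd /
EOF
    return "$failures"
}
```

Source the file and call `audit_rbash`; any line marked `ALLOWED` means that restriction is not being enforced by the binary under test.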