Tuesday, September 27, 2016

Rbash - a way to restrict what users can do on your Linux systems.



Rbash - limited shell


If Bash is started with the name rbash, or the --restricted or -r option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell. A restricted shell behaves identically to bash with the exception that the following are disallowed or not performed:

  • Changing directories with the cd builtin.
  • Setting or unsetting the values of the SHELL, PATH, ENV, or BASH_ENV variables.
  • Specifying command names containing slashes.
  • Specifying a filename containing a slash as an argument to the . builtin command.
  • Specifying a filename containing a slash as an argument to the -p option to the hash builtin command.
  • Importing function definitions from the shell environment at startup.
  • Parsing the value of SHELLOPTS from the shell environment at startup.
  • Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
  • Using the exec builtin to replace the shell with another command.
  • Adding or deleting builtin commands with the -f and -d options to the enable builtin.
  • Using the enable builtin command to enable disabled shell builtins.
  • Specifying the -p option to the command builtin.
  • Turning off restricted mode with ‘set +r’ or ‘set +o restricted’.

These restrictions are enforced after any startup files are read.


Examples:

usermod -s /bin/rbash user
grep user /etc/passwd
user:x:1002:1002:,,,:/home/user:/bin/rbash

[user@peg ~]$ cd

bash: cd: restricted

[user@peg ~]$ ls t
t
[user@peg ~]$ cat t > test

bash: test: restricted: cannot redirect output

[user@peg ~]$ file about.sh
about.sh: POSIX shell script text executable
[user@peg ~]$ ./about.sh

bash: ./about.sh: restricted: cannot specify `/' in command names
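
The session above, turned into a repeatable check you can run after assigning rbash to an account. This is an added example, not part of the original post; it assumes bash is on PATH, and the function names check_restricted and rbash_selftest are made up for illustration. Each probe is run once in plain bash as a control, so a command counts as "blocked" only when restricted mode is the reason it fails.

```shell
#!/bin/sh
# Added example: confirm that this host's bash enforces restricted mode.
# check_restricted and rbash_selftest are hypothetical helper names.

# Return 0 if "$1" works in plain bash but is refused by `bash -r`.
# Return 1 if the restricted shell allowed it, 2 if the control run failed.
check_restricted() {
    bash -c "$1" </dev/null >/dev/null 2>&1 || return 2
    if bash -r -c "$1" </dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Probe the restrictions shown in the session above, plus PATH assignment.
# Prints one line per probe and returns the number of probes not blocked.
rbash_selftest() {
    scratch=$(mktemp -d) || return 99
    failures=0
    # One probe per line: label|command
    while IFS='|' read -r label cmd; do
        if check_restricted "$cmd"; then
            echo "blocked  $label"
        else
            echo "ALLOWED  $label"
            failures=$((failures + 1))
        fi
    done <<EOF
cd builtin|cd /
output redirection|echo data > "$scratch/out"
slash in command name|/bin/sh -c :
PATH assignment|PATH=/usr/bin:/bin
EOF
    rm -rf "$scratch"
    return "$failures"
}

rbash_selftest || echo "restricted mode is not fully enforced on this host"
```
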

source









