Shell Scripting – Restricted Shell
Last Updated :
01 Dec, 2022
Shell is one of the most important and powerful tools available in GNU/Linux-based systems. One can control the entire system if used correctly, this exact feature makes the shell a double-edged sword. It can potentially harm the system if one executes a system command without knowing its underlying details and consequences. To prevent this we use Restricted Shell.
Restricted Shell – rbash
A restricted shell provides an extra layer of security and restricts certain features of the shell. The restriction applies to the commands and scripts that are executed using the shell. One can start a restricted shell session using the rbash command or by using the -r flag supplied during the invocation (returns 0 if executed successfully), this can be used to set up a more controlled environment than the standard shell.
$ rbash
or
$ bash -r
Restrictions Imposed
Once a restricted shell session has been activated most of the standard system command support is revoked. The following operations are not allowed or disabled in restricted shell,
- changing directories with cd
- setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
- specifying command names containing /
- specifying a file name containing a / as an argument to the . built-in command
- specifying a filename containing a slash as an argument to the -p option to the hash built-in command
- source the function definitions/alias from the shell environment at startup
- parsing the value of SHELLOPTS from the shell environment at startup
- redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
- using the exec built-in command to replace the shell with another command
- adding or deleting built-in commands with the -f and -d options to the enable built-in command
- using the enable built-in command to enable disabled shell built-in
- specifying the -p option to the command built-in command
- turning off restricted mode with set +r or set +o restricted.
Let us test few restrictions while inside the restricted shell,
$ cd
$ unset PATH
$ /usr/bin/ping
$ source /home/onworks/.bashrc
$ echo "Hello" > /tmp/hello.txt
$ exec tail -f /var/log/messages
$ enable -d wait
1. Restricting a User
We can restrict a user to use only a restricted shell during their sessions, Let us create a new user called ‘lucy’ and set their default shell to rbash. The following commands can be used to create a new user, set their password, and create their home folder.
$ sudo useradd lucy -s /bin/rbash
$ sudo passwd lucy
$ sudo mkdir -p /home/lucy/bin
We can switch user’s using the su command
$ su - lucy
The user can still execute the commands found in the path, this can be prevented by changing the default path of the user’s shell. To do this we have to edit the bash_profile file of the user and secure the restrictions, this is discussed in the following section.
2. Reinforcing The Restrictions
Run the following command to open the ‘bash_profile’ file in edit mode.
$ sudo gedit /home/lucy/.bash_profile
add the following line in the bash_profile file.
PATH=$HOME/bin
Next, we’ll alter the owner and file permissions so that only the root user can edit the file.
$ sudo chown root:root /home/lucy/.bash_profile
$ sudo chmod 755 /home/lucy/.bash_profile
$ ls -l /home/lucy/.bash_profile
During the next user session, most of the commands will be restricted.
We can link user commands from the user’s directory to exclude the restricted commands. Here we’ll link some commands so that the user ‘lucy’ can access these commands from within the rbash environment.
$ sudo ln -s /bin/clear /home/lucy/bin
$ sudo ln -s /bin/neofetch /home/lucy/bin
$ sudo ln -s /bin/ls /home/lucy/bin
Before linking the commands.
After linking the commands.
3. Restricting pre-existing users
A user called ‘debo’ already exists, now we’re going to try and restrict debo’s shell to rbash. The following command can be used to achieve this.
sudo usermod -s /bin/rbash <username>
sudo usermod -s /bin/rbash debo
This command would change the user’s default shell to rbash. Next time this user logs in they use the restricted shell by default.
4. Restricting Scripts
By default, every shell script that is executed is run in unrestricted mode. To run a script in a restricted mode, set-r can force the script to use a restricted shell during execution. Let us create a simple shell script.
#FILENAME: gfg.sh
set -r
echo
echo "## In restricted mode! ##"
echo
echo "Current directory: `pwd`"
echo "Changing directory to /home/"
cd /home
echo "Still in directory: `pwd`"
This will force the script to be executed in a restricted environment. Running the above script will yield the following result.
$ . gfg.sh
Advantages of Restricted Shell
- Can limit access to the system.
- Used to create a constrained environment that is more controlled than the standard shell.
- Provides security.
Disadvantages of Restricted Shell
- Skilled users can easily break out of a restricted shell session.
- It doesn’t work while working with shell scripts.
Similar Reads
Shell Scripting - Subshell
Shell scripting is a powerful tool for automating tasks and simplifying the management of systems and applications. One important concept in shell scripting is the use of subshells, which allow you to execute commands within a separate shell environment. A subshell is a child shell that is spawned b
4 min read
Shell Scripting - Set Command
The `set` command in shell scripting is a powerful tool that used for controlling the behavior of the shell and the environment in which scripts run. It allows the users to modify the shell options and positional parameters which facilitates providing greater control over script execution and debugg
7 min read
Shell Scripting - Shopt Command
Unlike many shell commands, shopt is a bash-only shell command. It is a built-in BASH shell command that controls certain options for the shell session. One can consider this as a boolean ON/OFF switch for certain shell options. The “shopt†command provides control over many settings that are used t
7 min read
Shell Scripting - Interactive and Non-Interactive Shell
A shell gives us an interface to the Unix system. While using an operating system, we indirectly interact with the shell. On Linux distribution systems, each time we use a terminal, we interact with the shell. The job of the shell is to interpret or analyze the Unix commands given by users. A shell
3 min read
Shell Scripting - Select Loop
The select loop is one of the categories of loops in bash programming. A select-loop in the shell can be stopped in two cases only if there is a break statement or a keyboard interrupt. The main objective of using a select loop is that it represents different data elements in the form of a numbered
5 min read
Shell Scripting - True Command
A shell provides an interface with the help of which users can interact with the system easily. To directly interact with a shell, we use an operating system. On a Unix-based operating system, every time we write a command using a terminal, we interact with the system. To interpret or analyze Unix c
3 min read
Shell Scripting - Talk Command
The use of Shell scripting can simplify repetitive tasks and enable more complex operations with minimal code. Shell commands vary in syntax, with "talk" being a command to facilitate communication among users within the same network. Proper knowledge of the shell, OS, and available commands is nece
6 min read
Shell Scripting - Shell Variables
A shell variable is a character string in a shell that stores some value. It could be an integer, filename, string, or some shell command itself. Basically, it is a pointer to the actual data stored in memory. We have a few rules that have to be followed while writing variables in the script (which
6 min read
How to Use Heredoc in Shell Scripting
The Heredoc or Here Document is an input literal used by many programming and scripting languages. The Heredoc was originally used in UNIX Shells and is in fashion till date and, is supported by all popular Linux shells such as zsh, bash, tsh, etc. The symbol for a Heredoc is '<<' two left che
6 min read
Introduction to Linux Shell and Shell Scripting
If we are using any major operating system, we are indirectly interacting with the shell. While running Ubuntu, Linux Mint, or any other Linux distribution, we are interacting with the shell by using the terminal. In this article we will discuss Linux shells and shell scripting so before understandi
7 min read