Shell Scripting - Restricted Shell
Last Updated :
01 Dec, 2022
Shell is one of the most important and powerful tools available in GNU/Linux-based systems. One can control the entire system if used correctly, this exact feature makes the shell a double-edged sword. It can potentially harm the system if one executes a system command without knowing its underlying details and consequences. To prevent this we use Restricted Shell.
Restricted Shell - rbash
A restricted shell provides an extra layer of security and restricts certain features of the shell. The restriction applies to the commands and scripts that are executed using the shell. One can start a restricted shell session using the rbash command or by using the -r flag supplied during the invocation (returns 0 if executed successfully), this can be used to set up a more controlled environment than the standard shell.
$ rbash
or
$ bash -r
Restrictions Imposed
Once a restricted shell session has been activated most of the standard system command support is revoked. The following operations are not allowed or disabled in restricted shell,
- changing directories with cd
- setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
- specifying command names containing /
- specifying a file name containing a / as an argument to the . built-in command
- specifying a filename containing a slash as an argument to the -p option to the hash built-in command
- source the function definitions/alias from the shell environment at startup
- parsing the value of SHELLOPTS from the shell environment at startup
- redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
- using the exec built-in command to replace the shell with another command
- adding or deleting built-in commands with the -f and -d options to the enable built-in command
- using the enable built-in command to enable disabled shell built-in
- specifying the -p option to the command built-in command
- turning off restricted mode with set +r or set +o restricted.
Let us test few restrictions while inside the restricted shell,
$ cd
$ unset PATH
$ /usr/bin/ping
$ source /home/onworks/.bashrc
$ echo "Hello" > /tmp/hello.txt
$ exec tail -f /var/log/messages
$ enable -d wait
1. Restricting a User
We can restrict a user to use only a restricted shell during their sessions, Let us create a new user called 'lucy' and set their default shell to rbash. The following commands can be used to create a new user, set their password, and create their home folder.
$ sudo useradd lucy -s /bin/rbash
$ sudo passwd lucy
$ sudo mkdir -p /home/lucy/bin
We can switch user's using the su command
$ su - lucy
The user can still execute the commands found in the path, this can be prevented by changing the default path of the user's shell. To do this we have to edit the bash_profile file of the user and secure the restrictions, this is discussed in the following section.
2. Reinforcing The Restrictions
Run the following command to open the 'bash_profile' file in edit mode.
$ sudo gedit /home/lucy/.bash_profile
add the following line in the bash_profile file.
PATH=$HOME/bin
Next, we'll alter the owner and file permissions so that only the root user can edit the file.
$ sudo chown root:root /home/lucy/.bash_profile
$ sudo chmod 755 /home/lucy/.bash_profile
$ ls -l /home/lucy/.bash_profile
During the next user session, most of the commands will be restricted.
We can link user commands from the user's directory to exclude the restricted commands. Here we'll link some commands so that the user 'lucy' can access these commands from within the rbash environment.
$ sudo ln -s /bin/clear /home/lucy/bin
$ sudo ln -s /bin/neofetch /home/lucy/bin
$ sudo ln -s /bin/ls /home/lucy/bin
Before linking the commands.
After linking the commands.
3. Restricting pre-existing users
A user called 'debo' already exists, now we're going to try and restrict debo's shell to rbash. The following command can be used to achieve this.
sudo usermod -s /bin/rbash <username>
sudo usermod -s /bin/rbash debo
This command would change the user's default shell to rbash. Next time this user logs in they use the restricted shell by default.
4. Restricting Scripts
By default, every shell script that is executed is run in unrestricted mode. To run a script in a restricted mode, set-r can force the script to use a restricted shell during execution. Let us create a simple shell script.
#FILENAME: gfg.sh
set -r
echo
echo "## In restricted mode! ##"
echo
echo "Current directory: `pwd`"
echo "Changing directory to /home/"
cd /home
echo "Still in directory: `pwd`"
This will force the script to be executed in a restricted environment. Running the above script will yield the following result.
$ . gfg.sh
Advantages of Restricted Shell
- Can limit access to the system.
- Used to create a constrained environment that is more controlled than the standard shell.
- Provides security.
Disadvantages of Restricted Shell
- Skilled users can easily break out of a restricted shell session.
- It doesn't work while working with shell scripts.
Similar Reads
Non-linear Components In electrical circuits, Non-linear Components are electronic devices that need an external power source to operate actively. Non-Linear Components are those that are changed with respect to the voltage and current. Elements that do not follow ohm's law are called Non-linear Components. Non-linear Co
11 min read
Spring Boot Tutorial Spring Boot is a Java framework that makes it easier to create and run Java applications. It simplifies the configuration and setup process, allowing developers to focus more on writing code for their applications. This Spring Boot Tutorial is a comprehensive guide that covers both basic and advance
10 min read
Class Diagram | Unified Modeling Language (UML) A UML class diagram is a visual tool that represents the structure of a system by showing its classes, attributes, methods, and the relationships between them. It helps everyone involved in a projectâlike developers and designersâunderstand how the system is organized and how its components interact
12 min read
3-Phase Inverter An inverter is a fundamental electrical device designed primarily for the conversion of direct current into alternating current . This versatile device , also known as a variable frequency drive , plays a vital role in a wide range of applications , including variable frequency drives and high power
13 min read
Backpropagation in Neural Network Back Propagation is also known as "Backward Propagation of Errors" is a method used to train neural network . Its goal is to reduce the difference between the modelâs predicted output and the actual output by adjusting the weights and biases in the network.It works iteratively to adjust weights and
9 min read
Decorators in Python In Python, decorators are a powerful and flexible way to modify or extend the behavior of functions or methods, without changing their actual code. A decorator is essentially a function that takes another function as an argument and returns a new function with enhanced functionality. Decorators are
10 min read
What is Vacuum Circuit Breaker? A vacuum circuit breaker is a type of breaker that utilizes a vacuum as the medium to extinguish electrical arcs. Within this circuit breaker, there is a vacuum interrupter that houses the stationary and mobile contacts in a permanently sealed enclosure. When the contacts are separated in a high vac
13 min read
Linux Commands Cheat Sheet Linux, often associated with being a complex operating system primarily used by developers, may not necessarily fit that description entirely. While it can initially appear challenging for beginners, once you immerse yourself in the Linux world, you may find it difficult to return to your previous W
13 min read
Polymorphism in Java Polymorphism in Java is one of the core concepts in object-oriented programming (OOP) that allows objects to behave differently based on their specific class type. The word polymorphism means having many forms, and it comes from the Greek words poly (many) and morph (forms), this means one entity ca
7 min read
Linux/Unix Tutorial Linux is one of the most widely used open-source operating systems. It's fast, secure, stable, and powers everything from smartphones and servers to cloud platforms and IoT devices. Linux is especially popular among developers, system administrators, and DevOps professionals.Linux is:A Unix-like OS
10 min read