rbash – A Restricted Bash Shell Explained with Practical Examples
The Linux shell is one of the most fascinating and powerful tools in GNU/Linux. All applications, including X, are built over the shell, and the shell is so powerful that the whole Linux system can be controlled precisely using it. The other aspect of the Linux shell is that it can be harmful when a user executes a system command unknowingly or without understanding its consequences.
For this purpose we are introducing the restricted shell. We will discuss the restricted shell in detail, the restrictions it implements, and a lot more.
What is rbash?
The restricted shell is a Linux shell that restricts some of the features of the bash shell, as the name makes clear. The restrictions apply to commands as well as to scripts running in the restricted shell. It provides an additional layer of security for the bash shell in Linux.
Restrictions Implemented in rbash
- cd command (Change Directory)
- PATH (setting/unsetting)
- ENV aka BASH_ENV (environment setting/unsetting)
- Importing Function
- Specifying file name containing argument ‘/’
- Specifying file name containing argument ‘-’
- Redirecting output using ‘>’, ‘>>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’
- Turning off restriction using ‘set +r’ or ‘set +o’
Note: The restrictions of rbash are enforced after any startup files are read.
Enabling Restricted Shell
In some versions of GNU/Linux, viz. Red Hat/CentOS, rbash may not be provided directly, and a symbolic link needs to be created.
# cd /bin
# ln -s bash rbash
In most of today’s standard GNU/Linux distributions, rbash is available by default. If it is not, you can download the source tarball and install it from source on your system.
To start rbash restricted shell in Linux, execute the following command.
# bash -r
OR
# rbash
Note: If rbash is started successfully, it returns 0.
Testing a Few Restrictions
Here, we execute a few commands in the rbash shell to check the restrictions.
# cd
rbash: cd: restricted
# pwd > a.txt
bash: a.txt: restricted: cannot redirect output
Pros of Restricted Shell
- Restricted shell is used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.
Cons of Restricted Shell
- Insufficient to allow execution of entirely untrusted software.
- When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell spawned to execute the script.
- When users run bash or dash from rbash, they get unrestricted shells.
- rbash should only be used within a chroot unless you know what you are doing.
- There are many ways to break out of a restricted bash shell that are not easy to predict in advance.
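The caveats above about shell scripts and about running bash or dash from rbash can be checked mechanically for the directory an rbash account is given as its PATH; the audit below is an added example, not code from the original article. The function names audit_rbash_path and make_demo, the directory layout and the sample files are constructed assumptions, and the script check reports any file starting with "#!", not only shell scripts.

```bash
#!/usr/bin/env bash
# audit_rbash_path DIR [SHELLS_FILE]
#   DIR          directory meant to be the only PATH entry of an rbash account
#   SHELLS_FILE  shell paths, one per line, /etc/shells format
# Prints "SHELL <name>" or "SCRIPT <name>" per finding; returns 1 if any.
audit_rbash_path() {
    dir=$1; shells_file=${2:-/etc/shells}; findings=0
    for entry in "$dir"/*; do
        [ -f "$entry" ] || continue      # skips broken symlinks and subdirectories
        name=${entry##*/}
        target=$(readlink -f -- "$entry")
        # A command that resolves to a shell gives the user an unrestricted shell,
        # whatever name the link carries.
        while IFS= read -r shell_path; do
            case $shell_path in ''|'#'*) continue ;; esac
            if [ "$(readlink -f -- "$shell_path")" = "$target" ]; then
                echo "SHELL $name"; findings=$((findings + 1)); break
            fi
        done < "$shells_file"
        # A script runs in a newly spawned shell with the restrictions turned off.
        # Assumption: any file starting with "#!" is reported, not only shell scripts.
        if [ "$(head -c 2 -- "$entry" 2>/dev/null)" = '#!' ]; then
            echo "SCRIPT $name"; findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample layout (hypothetical names, not from the article): one
# plain command, one script, one symlink to a file listed as a shell.
make_demo() {
    root=$(mktemp -d)
    mkdir "$root/bin"
    printf 'stand-in for a shell binary\n' > "$root/fakeshell"
    printf '%s\n' '# constructed shells list' "$root/fakeshell" > "$root/shells"
    printf 'stand-in for an ordinary binary\n' > "$root/bin/ls"
    printf '#!/bin/sh\necho menu\n' > "$root/bin/menu"
    ln -s "$root/fakeshell" "$root/bin/tool"
    echo "$root"
}

demo=$(make_demo)
audit_rbash_path "$demo/bin" "$demo/shells" || echo "findings above need review"
rm -rf "$demo"
```

On a real system, pass the account's PATH directory as the first argument and /etc/shells as the second.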
rbash is a fantastic tool to work with in a restricted environment, and it works brilliantly. You must give it a try and you won’t be disappointed.
That’s all for now. I’ll soon be here again with another interesting and knowledgeable topic you people would love to read. Don’t forget to provide us with your valuable feedback in our comment section.