rbash – A Restricted Bash Shell Explained with Practical Examples

The Linux shell is one of the most fascinating and powerful tools on a GNU/Linux system. All applications, including X, are built over the shell, and the shell is so powerful that the whole Linux system can be controlled precisely using it. The other aspect of the Linux shell is that it can be potentially harmful when you execute a system command without knowing its consequences, or unknowingly, as an uninformed user.

For this purpose we are introducing the restricted shell. We will discuss the restricted shell in detail, the restrictions it implements, and a lot more.

What is rbash?

The restricted shell is a Linux shell that restricts some of the features of the bash shell, as is clear from the name. The restrictions are enforced for commands as well as for scripts run in the restricted shell. It provides an additional layer of security on top of the bash shell in Linux.

Restrictions Implemented in rbash

  1. cd command (Change Directory)
  2. PATH (setting/unsetting)
  3. ENV aka BASH_ENV (environment setting/unsetting)
  4. Importing functions
  5. Specifying file name containing argument ‘/’
  6. Specifying file name containing argument ‘-’
  7. Redirecting output using ‘>’, ‘>>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’
  8. Turning off restrictions using ‘set +r’ or ‘set +o

Note: The restrictions of rbash are enforced after any startup files are read.

Enabling Restricted Shell

In some versions of GNU/Linux, viz. Red Hat/CentOS, rbash may not be available directly, and a symbolic link needs to be created.

# cd /bin

# ln -s bash rbash

In most of today’s standard GNU/Linux distributions, rbash is available by default. If not, you can download the source tarball and install it from source on your system.

Starting rbash

To start the rbash restricted shell in Linux, execute one of the following commands.

# bash -r

OR

# rbash

Note: If rbash is started successfully, it returns 0.

Testing a Few Restrictions

Here, we execute a few commands in the rbash shell to check the restrictions.

# cd

rbash: cd: restricted

# pwd > a.txt

bash: a.txt: restricted: cannot redirect output

Pros of Restricted Shell

  1. The restricted shell is used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.

Cons of Restricted Shell

  1. It is insufficient to allow execution of entirely untrusted software.
  2. When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell spawned to execute the script.
  3. When users run bash or dash from rbash, they get unrestricted shells.
  4. rbash should only be used within a chroot unless you know what you are doing.
  5. There are many ways to break out of a restricted bash shell that are not easy to predict in advance.
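
Because any shell or shell script reachable from rbash runs without restrictions (cons 2 and 3 above), the commands offered to a restricted user are worth auditing before rbash is assigned. The script below is an added example, not part of the original article: it assumes the restricted user's PATH is a single dedicated directory, and the names audit_rbash_path and make_sample, as well as the sample files, are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: audit the directory used as the only PATH entry of an rbash user.
#   SHELL  <entry> -> <target> : resolves to a shell; started from rbash it is unrestricted
#   SCRIPT <entry>             : '#!' script; it runs in a shell without restrictions
# An entry named "rbash" is skipped: bash applies restricted mode by invoked name.
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_rbash_path() {
    dir=$1
    shells_file=${2:-/etc/shells}      # one absolute shell path per line
    shell_names=$(grep '^/' "$shells_file" 2>/dev/null | sed 's|.*/||' | sort -u)
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        entry=$(basename "$f")
        [ "$entry" = rbash ] && continue
        target=$(readlink -f "$f")     # follow symlinks to the real executable
        if printf '%s\n' "$shell_names" | grep -qxF "$(basename "$target")"; then
            echo "SHELL $entry -> $target"; found=1
        elif [ "$(head -c 2 "$f")" = '#!' ]; then
            echo "SCRIPT $entry"; found=1
        fi
    done
    return "$found"
}

# Constructed sample: a PATH directory with one binary, one script, two symlinks.
make_sample() {
    t=$(mktemp -d)
    mkdir "$t/real" "$t/bin"
    printf '\177ELF' > "$t/real/bash"          # stand-in for the bash binary
    printf '\177ELF' > "$t/bin/ls"             # stand-in for a compiled tool
    printf '#!/bin/sh\necho report\n' > "$t/bin/report"
    chmod +x "$t/real/bash" "$t/bin/ls" "$t/bin/report"
    ln -s ../real/bash "$t/bin/rbash"          # restricted by invoked name
    ln -s ../real/bash "$t/bin/sh"             # plain shell under another name
    printf '/bin/bash\n/bin/dash\n' > "$t/shells"
    echo "$t"
}

sample=$(make_sample)
audit_rbash_path "$sample/bin" "$sample/shells" || echo "findings above: remove them before assigning rbash"
rm -rf "$sample"
```

On a real system, call audit_rbash_path with the restricted user's PATH directory; the second argument defaults to /etc/shells.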

Conclusion

rbash is a fantastic tool to work with within a restricted environment, and it works brilliantly. You must give it a try, and you won’t be disappointed.

That’s all for now. I’ll soon be here again with another interesting and knowledgeable topic you people would love to read. Don’t forget to provide us with your valuable feedback in our comment section.


10 Responses

  1. Ronan says:

    Useful post, if I wanted to run a section of code, say a python file in restricted mode, how would I go about doing that?

  2. tomj says:

    I was concerned that defining a symbolic link “ln -s bash rbash” would cause rbash to run an unrestricted bash shell. That was not the case on my Fedora system. “rbash” obviously runs the standard bash executable, but the restrictions are enforced.

    So the bash executable must examine the command used to invoke it, and if the name is “rbash”, then the restrictions are applied. Neat.

  3. Arun says:

    but executing commands over ssh just works , $ ssh some_host any_command

  4. mark says:

    pointless post. tells me nothing other than what rbash is.

    • Ravi Saive says:

      @Mark,

      I totally agree with your comment. Yes, we only covered what rbash is, with no usage of rbash, but we are planning to add usage of rbash to this article.

  5. Biroute says:

    “When users run bash or dash from rbash then they got unrestricted shells” so how do we deal with that important problem??

    What can be read on this page is basically what comes out of the ‘man’ page.

  6. Max says:

    After reading this article I’m still trying to get something useful from it, besides the description of rbash.
    There are no examples of configuration, also there are no examples of modification of its base configuration.
    No real case of use for this shell in a production environment, as CentOS and RHEL are mentioned.
    – Can it be used as a default shell for a user? because the user wouldn’t run it if they have the chance.

    Thanks for the article, but it just looks incomplete and not entirely true to the title.

    • Javier says:

      Hi Max, yes, you can run it as the default shell of the user; you have to edit the /etc/passwd file and change /bin/bash to /bin/rbash for the user.

  7. ashish says:

    nice post
