The Linux shell is one of the most fascinating and powerful tools on a GNU/Linux system. All applications, including X, are built over the shell, and the shell is so powerful that the whole Linux system can be controlled precisely using it. The other aspect of the Linux shell is that it can be potentially harmful when you execute a system command without knowing its consequences, or run one unknowingly as an inexperienced user.
For this purpose we are introducing the restricted shell. We will discuss the restricted shell in detail, the restrictions it implements, and a lot more.
What is rbash?
The Restricted Shell is a Linux shell that restricts some of the features of the bash shell, as is clear from the name. The restrictions apply to commands as well as to scripts run in the restricted shell. It provides an additional layer of security on top of the bash shell in Linux.
Restrictions Implemented in rbash
- cd command (Change Directory)
- PATH (setting/ unsetting)
- ENV aka BASH_ENV (Environment Setting/ unsetting)
- Importing Function
- Specifying file name containing argument ‘/’
- Specifying file name containing argument ‘-’
- Redirecting output using ‘>’, ‘>>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’
- Turning off restriction using ‘set +r’ or ‘set +o’
Note: The restrictions of rbash are enforced after any startup files are read.
Enabling Restricted Shell
In some versions of GNU/Linux, viz. Red Hat/CentOS, rbash may not be available directly and a symbolic link needs to be created.
# cd /bin
# ln -s bash rbash
In most of today’s standard GNU/Linux distributions, rbash is available by default. If not, you can download the source tarball and install it from source on your system.
Starting rbash
To start the rbash restricted shell in Linux, execute one of the following commands.
# bash -r
OR
# rbash
Note: If rbash is started successfully, it returns 0.
Testing a Few Restrictions
Here, we execute a few commands in the rbash shell to check the restrictions.
# cd
rbash: cd: restricted
# pwd > a.txt
bash: a.txt: restricted: cannot redirect output
Pros of Restricted Shell
- Restricted shell is used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.
Cons of Restricted Shell
- Insufficient to allow execution of entirely untrusted software.
- When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell spawned to execute the script.
- When users run bash or dash from rbash, they get unrestricted shells.
- rbash should only be used within a chroot unless you know what you are doing.
- There are many ways to break out of a restricted bash shell that are not easy to predict in advance.
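The restrictions tested above and the PATH weakness listed in the cons can be checked together. The script below is an added example, not part of the original article; ALLOW, WEAK, rbash_try and report are names made up for it, and it assumes bash and ls are installed.

```shell
#!/bin/sh
# Added example: compare a weak PATH with an allow-listed PATH under "bash -r".
# ALLOW, WEAK, rbash_try and report are hypothetical names used only here.

BASH_BIN=$(command -v bash)           # absolute path of the real bash binary
WEAK=$(dirname "$BASH_BIN")           # weak: system bin dir, so bash itself is reachable
ALLOW=$(mktemp -d)                    # corrected: directory holding only vetted commands
trap 'rm -rf "$ALLOW"' EXIT
ln -s "$(command -v ls)" "$ALLOW/ls"  # the single command this user is meant to run

# rbash_try PATH_VALUE COMMAND_STRING
# Runs COMMAND_STRING in a restricted bash with a clean environment (env -i,
# so no BASH_ENV startup file is read) and prints "allowed" or "refused".
rbash_try() {
    if env -i PATH="$1" "$BASH_BIN" -r -c "$2" >/dev/null 2>&1; then
        echo allowed
    else
        echo refused
    fi
}

# report PATH_VALUE COMMAND_STRING LABEL: one result line per check.
report() {
    printf '%-8s PATH=%-10s %s\n' "$(rbash_try "$1" "$2")" "$3" "$2"
}

# Restrictions from the list above, checked with the allow-listed PATH.
report "$ALLOW" 'ls /'        allow-list  # vetted command; '/' in an argument is fine
report "$ALLOW" 'cd /'        allow-list  # cd is restricted
report "$ALLOW" 'pwd > a.txt' allow-list  # output redirection is restricted
report "$ALLOW" '/bin/ls'     allow-list  # '/' in a command name is restricted
report "$ALLOW" 'PATH=/bin'   allow-list  # PATH cannot be changed

# The weakness from the cons list: a shell reachable through PATH is started
# without restrictions, so the cd inside it succeeds.
report "$WEAK"  'bash -c "cd /"' weak
# With only vetted commands in PATH, that shell cannot be found at all.
report "$ALLOW" 'bash -c "cd /"' allow-list
```

Every line should read "refused" except the first (the vetted command) and the weak-PATH line, which is the case the allow-listed directory is there to prevent.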
Conclusion
rbash is a fantastic tool for working within a restricted environment, and it works brilliantly. You must give it a try and you won’t be disappointed.
That’s all for now. I’ll soon be here again with another interesting and knowledgeable topic you people would love to read. Don’t forget to provide us with your valuable feedback in our comment section.
You can run anything from a restricted bash shell, providing it’s in your path.
So to run, say, a python program, just put it in your path.
Running something, not in the path with an explicit path, eg, /bin/ls will fail:
So the trick in having your restricted shell do what you want is to set the correct PATH, eg, PATH=/usr/rbash/bin in .bashrc. Remember the startup scripts do not run in restricted mode.
Useful post, if I wanted to run a section of code, say a python file in restricted mode, how would I go about doing that?
I was concerned that defining a symbolic link “ln -s bash rbash” would cause rbash to run an unrestricted bash shell. That was not the case on my Fedora system. “rbash” obviously runs the standard bash executable, but the restrictions are enforced.
So the bash executable must examine the command used to invoke it, and if the name is “rbash”, then the restrictions are applied. Neat.
but executing commands over ssh just works, $ ssh some_host any_command
pointless post. tells me nothing other than what rbash is.
@Mark,
I totally agree with your comment. Yes, we only covered what rbash is, with no usage of rbash, but we are planning to add usage of rbash to this article.
“When users run bash or dash from rbash then they got unrestricted shells” so how do we deal with that important problem??
What can be read on this page is basically what comes out of the ‘man’ page.
After reading this article I’m still trying to get something useful from it, besides the description of rbash.
There are no examples of configuration, also there are no examples of modification of its base configuration.
No real case of use for this shell in a production environment, as CentOS and RHEL are mentioned.
– Can it be used as a default shell for a user? because the user wouldn’t run it if they have the chance.
Thanks for the article, but it just looks incomplete and not entirely true to the title.
Hi Max, yes you can run it on the default shell of the user, you have to edit /etc/passwd file and change on the user /bin/bash for /bin/rbash
nice post
Thanks for the feedback @ ashish