rbash – A Restricted Bash Shell Explained with Practical Examples

The Linux shell is one of the most fascinating and powerful tools in GNU/Linux. All applications, including X, are built over the shell, and the shell is so powerful that the whole Linux system can be controlled precisely using it. The other aspect of the Linux shell is that it can be potentially harmful when you execute a system command unknowingly or without knowing its consequences.

This is a particular risk for an inexperienced user, and it is the purpose the restricted shell serves. We will discuss the restricted shell in detail, the restrictions it implements, and a lot more.

What is rbash?

The restricted shell is a Linux shell that restricts some of the features of the bash shell, as the name makes clear. The restrictions are implemented for commands as well as scripts running in the restricted shell. It provides an additional layer of security to the bash shell in Linux.

Restrictions Implemented in rbash

  1. cd command (Change Directory)
  2. PATH (setting/ unsetting)
  3. ENV aka BASH_ENV (Environment Setting/ unsetting)
  4. Importing Function
  5. Specifying file name containing argument '/'
  6. Specifying file name containing argument '-'
  7. Redirecting output using '>', '>>', '>|', '<>', '>&', '&>'
  8. Turning off restriction using 'set +r' or 'set +o'

Note: The restrictions of rbash are enforced after any startup files are read.

Enabling Restricted Shell

In some versions of GNU/Linux, viz. Red Hat/CentOS, rbash may not be available directly, and a symbolic link needs to be created.

# cd /bin

# ln -s bash rbash

In most of today's standard GNU/Linux distributions, rbash is available by default. If not, you can download the source tarball and install it from source on your system.

Starting rbash

To start the rbash restricted shell in Linux, execute one of the following commands.

# bash -r

OR

# rbash

Note: If rbash is started successfully, it returns 0.

Testing a Few Restrictions

Here, we execute a few commands in the rbash shell to check the restrictions.

# cd

rbash: cd: restricted
# pwd > a.txt

bash: a.txt: restricted: cannot redirect output
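
The same checks can be repeated non-interactively. The script below is an added example, not part of the original article: it runs each probe in a normal bash as a control and then in 'bash -r', and counts a restriction as enforced only when the probe works in the first and is refused in the second. The probe commands and function names are constructed for the illustration.

```sh
#!/bin/sh
# Added example (not from the original article): check that this system's
# bash enforces the restrictions listed above when started as `bash -r`.

SANDBOX=$(mktemp -d)              # scratch directory for the redirection probe
trap 'rm -rf "$SANDBOX"' EXIT

# completes MODE CMD: true if CMD runs to completion under `bash MODE -c`.
# MODE is "" for a normal shell (control run) or "-r" for a restricted one.
completes() {
    out=$(cd "$SANDBOX" && bash $1 -c "$2 && echo COMPLETED" 2>/dev/null </dev/null)
    case $out in *COMPLETED*) return 0 ;; *) return 1 ;; esac
}

# enforced CMD: true only if CMD works in plain bash and is refused in
# `bash -r`, so a probe that fails for unrelated reasons is not counted.
enforced() {
    completes "" "$1" && ! completes -r "$1"
}

# Constructed probes, one per line, taken from the restriction list above.
PROBES='cd /
PATH=/usr/bin
BASH_ENV=/dev/null
/bin/ls
pwd > a.txt
set +r'

# report: print one line per probe; return the number NOT enforced.
report() {
    failures=0
    while IFS= read -r probe; do
        if enforced "$probe"; then
            printf 'enforced      %s\n' "$probe"
        else
            printf 'NOT enforced  %s\n' "$probe"
            failures=$((failures + 1))
        fi
    done <<EOF
$PROBES
EOF
    return "$failures"
}

report || echo "some restrictions are not enforced on this system"
```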

Pros of Restricted Shell

  1. Restricted shell is used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.

Cons of Restricted Shell

  1. Insufficient to allow execution of entirely untrusted software.
  2. When a command that is found to be a shell script is executed, rbash turns off any restrictions in the shell spawned to execute the script.
  3. When users run bash or dash from rbash, they get unrestricted shells.
  4. rbash should only be used within a chroot unless you know what you are doing.
  5. There are many ways to break out of a restricted bash shell that are not easy to predict in advance.
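
Items 2 and 3 can be checked for before an account is handed out. The script below is an added example, not part of the original article: it audits the directory a restricted user's PATH points at and reports entries that are shells (also when hidden behind a symbolic link with another name) or #! scripts. The shell-name list, the function names and the sample directory layout are assumptions constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original article): audit the directory a
# restricted user's PATH points at for entries that undo the restriction.

SHELL_NAMES='sh bash dash ash ksh zsh csh tcsh fish'   # assumed list; extend locally

# is_shell NAME: true if NAME is one of the shell names above.
is_shell() {
    for s in $SHELL_NAMES; do [ "$1" = "$s" ] && return 0; done
    return 1
}

# audit_dir DIR: print "KIND NAME" for each risky entry; return how many.
#   shell  - the entry is, or resolves to, a shell (unrestricted when run)
#   script - the entry is a #! script (its interpreter is not restricted)
audit_dir() {
    found=0
    for entry in "$1"/*; do
        [ -f "$entry" ] && [ -x "$entry" ] || continue
        name=$(basename "$entry")
        target=$(basename "$(readlink -f "$entry")")   # follow symlinks
        if is_shell "$name" || is_shell "$target"; then
            echo "shell $name"; found=$((found + 1))
        elif [ "$(head -c 2 "$entry")" = '#!' ]; then
            echo "script $name"; found=$((found + 1))
        fi
    done
    return "$found"
}

# Constructed sample layout: stand-in files, not real binaries.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/store" "$d/bin" || return 1
    printf '\177ELF' > "$d/store/ls"
    printf '\177ELF' > "$d/store/bash"
    printf '#!/bin/sh\ncd /\n' > "$d/bin/backup"
    chmod +x "$d/store/ls" "$d/store/bash" "$d/bin/backup"
    ln -s ../store/ls "$d/bin/ls"
    ln -s ../store/bash "$d/bin/menu"     # a shell hidden behind another name
    echo "$d/bin"
}

audit_dir "$(make_sample)" || echo "review the entries above"
```

An empty report only means no shell or script was found by name or by its first two bytes; it does not cover item 5.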

Conclusion

rbash is a fantastic tool to work with in a restricted environment, and it works brilliantly. You must give it a try and you won't be disappointed.

That’s all for now. I’ll soon be here again with another interesting and knowledgeable topic you people would love to read. Don’t forget to provide us with your valuable feedback in our comment section.

Avishek
A Passionate GNU/Linux Enthusiast and Software Developer with over a decade in the field of Linux and Open Source technologies.


11 thoughts on “rbash – A Restricted Bash Shell Explained with Practical Examples”

  1. You can run anything from a restricted bash shell, providing it’s in your path.

    So to run, say, a python program, just put it in your path.

    Running something, not in the path with an explicit path, eg, /bin/ls will fail:

    rbash: /bin/ls: restricted: cannot specify `/' in command names
    

    So the trick in having your restricted shell do what you want is to set the correct PATH, eg, PATH=/usr/rbash/bin in .bashrc. Remember the startup scripts do not run in restricted mode.

  2. I was concerned that defining a symbolic link “ln -s bash rbash” would cause rbash to run an unrestricted bash shell. That was not the case on my Fedora system. “rbash” obviously runs the standard bash executable, but the restrictions are enforced.

    So the bash executable must examine the command used to invoke it, and if the name is “rbash”, then the restrictions are applied. Neat.

    • @Mark,

      I totally agree with your comment. Yes, we only covered rbash itself, not any usage of rbash, but we are planning to add usage of rbash to this article.

  3. “When users run bash or dash from rbash then they got unrestricted shells” so how do we deal with that important problem??

    What can be read on this page is basically what comes out of the ‘man’ page.

  4. After reading this article I’m still trying to get something useful from it, besides the description of rbash.
    There are no examples of configuration, also there are no examples of modification of its base configuration.
    No real case of use for this shell in a production environment, as CentOS and RHEL are mentioned.
    – Can it be used as a default shell for a user? because the user wouldn’t run it if they have the chance.

    Thanks for the article, but it just looks incomplete and not entirely true to the title.

    • Hi Max, yes, you can run it as the default shell of the user; you have to edit the /etc/passwd file and change /bin/bash to /bin/rbash for the user.

