Shell is one of the most important and powerful tools available in GNU/Linux-based systems. One can control the entire system if used correctly, this exact feature makes the shell a double-edged sword. It can potentially harm the system if one executes a system command without knowing its underlying details and consequences. To prevent this we use Restricted Shell.
Restricted Shell – rbash
A restricted shell provides an extra layer of security and restricts certain features of the shell. The restriction applies to the commands and scripts that are executed using the shell. One can start a restricted shell session using the rbash command or by using the -r flag supplied during the invocation (returns 0 if executed successfully), this can be used to set up a more controlled environment than the standard shell.
$ rbash
or
$ bash -r
Restrictions Imposed
Once a restricted shell session has been activated most of the standard system command support is revoked. The following operations are not allowed or disabled in restricted shell,
- changing directories with cd
- setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
- specifying command names containing /
- specifying a file name containing a / as an argument to the . built-in command
- specifying a filename containing a slash as an argument to the -p option to the hash built-in command
- source the function definitions/alias from the shell environment at startup
- parsing the value of SHELLOPTS from the shell environment at startup
- redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
- using the exec built-in command to replace the shell with another command
- adding or deleting built-in commands with the -f and -d options to the enable built-in command
- using the enable built-in command to enable disabled shell built-in
- specifying the -p option to the command built-in command
- turning off restricted mode with set +r or set +o restricted.
Let us test few restrictions while inside the restricted shell,
$ cd
$ unset PATH
$ /usr/bin/ping
$ source /home/onworks/.bashrc
$ echo "Hello" > /tmp/hello.txt
$ exec tail -f /var/log/messages
$ enable -d wait
1. Restricting a User
We can restrict a user to use only a restricted shell during their sessions, Let us create a new user called ‘lucy’ and set their default shell to rbash. The following commands can be used to create a new user, set their password, and create their home folder.
$ sudo useradd lucy -s /bin/rbash $ sudo passwd lucy $ sudo mkdir -p /home/lucy/bin
We can switch user’s using the su command
$ su - lucy
The user can still execute the commands found in the path, this can be prevented by changing the default path of the user’s shell. To do this we have to edit the bash_profile file of the user and secure the restrictions, this is discussed in the following section.
2. Reinforcing The Restrictions
Run the following command to open the ‘bash_profile’ file in edit mode.
$ sudo gedit /home/lucy/.bash_profile
add the following line in the bash_profile file.
PATH=$HOME/bin
Next, we’ll alter the owner and file permissions so that only the root user can edit the file.
$ sudo chown root:root /home/lucy/.bash_profile
$ sudo chmod 755 /home/lucy/.bash_profile
$ ls -l /home/lucy/.bash_profile
During the next user session, most of the commands will be restricted.
We can link user commands from the user’s directory to exclude the restricted commands. Here we’ll link some commands so that the user ‘lucy’ can access these commands from within the rbash environment.
$ sudo ln -s /bin/clear /home/lucy/bin $ sudo ln -s /bin/neofetch /home/lucy/bin $ sudo ln -s /bin/ls /home/lucy/bin
Before linking the commands.
After linking the commands.
3. Restricting pre-existing users
A user called ‘debo’ already exists, now we’re going to try and restrict debo’s shell to rbash. The following command can be used to achieve this.
sudo usermod -s /bin/rbash <username>
sudo usermod -s /bin/rbash debo
This command would change the user’s default shell to rbash. Next time this user logs in they use the restricted shell by default.
4. Restricting Scripts
By default, every shell script that is executed is run in unrestricted mode. To run a script in a restricted mode, set-r can force the script to use a restricted shell during execution. Let us create a simple shell script.
#FILENAME: gfg.sh set -r echo echo "## In restricted mode! ##" echo echo "Current directory: `pwd`" echo "Changing directory to /home/" cd /home echo "Still in directory: `pwd`"
This will force the script to be executed in a restricted environment. Running the above script will yield the following result.
$ . gfg.sh
Advantages of Restricted Shell
- Can limit access to the system.
- Used to create a constrained environment that is more controlled than the standard shell.
- Provides security.
Disadvantages of Restricted Shell
- Skilled users can easily break out of a restricted shell session.
- It doesn’t work while working with shell scripts.