The restricted shell is a Unix shell that restricts some of the capabilities available to an interactive user session, or to a shell script, running within it. It is intended to provide an additional layer of security, but is insufficient to allow execution of entirely untrusted software. A restricted mode operation is found in the original Bourne shell and its later counterpart Bash, and in the KornShell. In some cases a restricted shell is used in conjunction with a chroot jail, in a further attempt to limit access to the system as a whole.
The restricted mode of the Bourne shell , and its POSIX workalikes, is used when the interpreter is invoked in one of the following ways:
The restricted mode of Bash is used when Bash is invoked in one of the following ways:
Similarly KornShell's restricted mode is produced by invoking it thus:
For some systems (e.g., CentOS), the invocation through is not enabled by default, and the user obtains a error if invoked directly, or a login failure if the /etc/passwd file indicates as the user's shell.
It suffices to create a link named pointing directly to . Though this invokes Bash directly, without the or options, Bash does recognize that it was invoked through and it does come up as a restricted shell.
This can be accomplished with the following simple commands (executed as root, either logged in as user root, or using sudo):
The following operations are not permitted in a restricted shell:
Bash adds further restrictions, including:
Restrictions in the restricted KornShell are much the same as those in the restricted Bourne shell.
The restricted shell is not secure. A user can break out of the restricted environment by running a program that features a shell function. The following is an example of the shell function in vi being used to escape from the restricted shell:
Or by simply starting a new unrestricted shell, if it is in the , as demonstrated here:
Beyond the restricted modes of usual shells, specialized restricted shell programs include: