Re: Restricted Bash - Not so restrictive (in 4.2 as well)

[Chet Ramey]

On 1/11/12 6:12 AM, Jonathan Nieder wrote:
> Hi,
> 
> Sarnath K - ERS, HCLTech wrote:
> 
>> I see this problem in the latest Bash 4.2 as well. Say, I invoke
>> "rbash" or "bash -r". This leaves me in a restrictive shell.
>> However, this restrictive shell allows me to run "bash" or any other
>> shell (without execing - just simply run) which leaves me in a
>> normal shell.
> 
> Typically rbash is used with a nonstandard PATH setting to give users
> access to a restricted set of commands.

The restricted shell is only one of several components of a restricted
environment.  Two others are a (readonly) value of $PATH that includes
only the directory Jonathan mentioned (typically /usr/rbin) and not
giving users write access to their home directory.  A readonly .profile
in a readonly home directory sets up the desired $PATH and leaves the
user in some other scratch directory to which he has write access.  When
I set this kind of thing up about 25 years ago, we used ~/work.

It's appropriate for the bash man page to describe the bash behavior
when run in restricted mode.  That's not the place for a tutorial on
how to set up a restricted environment.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/