| Chapter 22. Restricted Shells
Disabled commands in restricted shells
The following commands and actions are disabled: Using cd to change the working directory. Changing the values of the $PATH, $SHELL, $BASH_ENV, or $ENV environmental variables. Reading or changing the $SHELLOPTS, shell environmental options. Output redirection. Invoking commands containing one or more /'s. Invoking exec to substitute a different process for the shell. Various other commands that would enable monkeying with or attempting to subvert the script for an unintended purpose. Getting out of restricted mode within the script.
Example 22-1. Running a script in restricted mode #!/bin/bash# Starting the script with "#!/bin/bash -r" #+ runs entire script in restricted mode.echoecho "Changing directory." cd /usr/localecho "Now in `pwd`" echo "Coming back home." cdecho "Now in `pwd`" echo# Everything up to here in normal, unrestricted mode.set -r# set --restricted has same effect.echo "==> Now in restricted mode. <==" echoechoecho "Attempting directory change in restricted mode." cd ..echo "Still in `pwd`" echoechoecho "$SHELL = $SHELL" echo "Attempting to change shell in restricted mode." SHELL="/bin/ash" echoecho "$SHELL= $SHELL" echoechoecho "Attempting to redirect output in restricted mode." ls -l /usr/bin > bin.filesls -l bin.files # Try to list attempted file creation effort.echoexit 0 | |
| |
|