Control via Restricted Shells

Using a restricted shell is the opposite of granting additional privileges: it limits a user to a subset of what other users are permitted to do. If you want to severely restrict what a user can do (for reasons of security, distribution of a turnkey system, or custom system installation), you can give that user a restricted shell. To run a restricted bash shell, you would use the -r option. It is easy to try yourself; just enter the following at your prompt:

Then try to do something that you could do before as a regular user, such as listing the files in your home directory:

You then see bash: ls: No such file or directory

The cd command, redirection, using / in command names, and several other commands and options are also disabled in the restricted shell. (The man page for bash details the specific restrictions; the relevant information is at the end of the long man page.) Do not rely on a restricted shell as your only means of controlling user activity. Although a restricted shell applies some tight restrictions, a determined user might find a way to circumvent them. Always use appropriate permission and password controls, too.
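The restrictions listed above can be checked directly. The following script is an added example, not part of the original article: it runs each action in a restricted bash and reports whether the shell refused it. The function names denied and audit_rbash are assumptions of the example, and the PATH probe is taken from the bash man page's list of restrictions rather than from this article.

```shell
#!/usr/bin/env bash
# Added example: confirm that "bash -r" refuses the actions a restricted
# shell is supposed to block. Function names are hypothetical.

# denied CMD: succeed (status 0) if a restricted bash refused to run CMD.
denied() {
    local out
    # Capture only stderr; LC_ALL=C keeps bash's messages in English.
    if out=$(LC_ALL=C bash -r -c "$1" 2>&1 >/dev/null); then
        return 1    # the command ran, so it was not restricted
    fi
    # Restricted actions fail with "restricted" (cd, redirection, "/" in a
    # command name) or "readonly variable" (PATH).
    printf '%s\n' "$out" | grep -Eq 'restricted|readonly variable'
}

# Probe each restriction and return the number of probes that were allowed.
audit_rbash() {
    local failures=0 probe
    # /dev/null is the redirection target so nothing is written even if
    # the restriction is missing.
    for probe in 'cd /tmp' 'echo data > /dev/null' '/bin/ls' 'PATH=/tmp'; do
        if denied "$probe"; then
            printf 'DENIED   %s\n' "$probe"
        else
            printf 'ALLOWED  %s\n' "$probe"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

audit_rbash || echo "WARNING: restricted shell allowed at least one probe"
```

A passing audit only shows that the shell's own checks are active; it says nothing about what the programs reachable through the user's PATH allow, which is why file permissions and account controls are still needed.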

