.lf 1 ./rbash.1
.TH RBASH 1 "2021 November 22" "Bash-5.2"
.SH NAME
rbash \- restricted bash, see \fBbash\fR(1)
.SH RESTRICTED SHELL
.nr zY 1
.lf 1 ./bash.1
.\"
.\" MAN PAGE COMMENTS to
.\"
.\" Chet Ramey
.\" Case Western Reserve University
.\" chet.ramey@case.edu
.\"
.\" Last Change: Mon Sep 19 11:13:21 EDT 2022
.\"
.\" bash_builtins, strip all but Built-Ins section
.if \n(zZ=1 .ig zZ
.PP
If
.B bash
is started with the name
.BR rbash ,
or the
.B \-r
option is supplied at invocation,
the shell becomes restricted.
A restricted shell is used to
set up an environment more controlled than the standard shell.
It behaves identically to
.B bash
with the exception that the following are disallowed or not performed:
.IP \(bu
changing directories with \fBcd\fP
.IP \(bu
setting or unsetting the values of
.SM
.BR SHELL ,
.SM
.BR PATH ,
.SM
.BR HISTFILE ,
.SM
.BR ENV ,
or
.SM
.B BASH_ENV
.IP \(bu
specifying command names containing
.B /
.IP \(bu
specifying a filename containing a
.B /
as an argument to the
.B .
builtin command
.IP \(bu
specifying a filename containing a slash as an argument to the
.B history
builtin command
.IP \(bu
specifying a filename containing a slash as an argument to the
.B \-p
option to the
.B hash
builtin command
.IP \(bu
importing function definitions from the shell environment at startup
.IP \(bu
parsing the value of
.SM
.B SHELLOPTS
from the shell environment at startup
.IP \(bu
redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
.IP \(bu
using the
.B exec
builtin command to replace the shell with another command
.IP \(bu
adding or deleting builtin commands with the
.B \-f
and
.B \-d
options to the
.B enable
builtin command
.IP \(bu
using the \fBenable\fP builtin command to enable disabled shell builtins
.IP \(bu
specifying the
.B \-p
option to the
.B command
builtin command
.IP \(bu
turning off restricted mode with
\fBset +r\fP or \fBshopt -u restricted_shell\fP.
.PP
These restrictions are enforced after any startup files are read.
.PP
.ie \n(zY=1 When a command that is found to be a shell script is executed,
.el \{ When a command that is found to be a shell script is executed
(see
.SM
.B "COMMAND EXECUTION"
above),
\}
.B rbash
turns off any restrictions in the shell spawned to execute the
script.
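.PP
The restrictions listed above, and the shell-script exception, can be checked by running the same snippet under \fBbash \-c\fP and \fBbash \-r \-c\fP and comparing the results.
The script below is an added example and is not part of the bash distribution; the scratch directory, the \fIhelper\fP script and the function names are constructed for the illustration.
.PP
.nf
```bash
#!/usr/bin/env bash
# Added example, not from the bash distribution. All file names are constructed.
BASH_BIN=$(command -v bash)
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
mkdir "$SCRATCH/bin"
CLEAN_PATH="$SCRATCH/bin:/usr/bin:/bin"

# run_shell MODE SNIPPET: run SNIPPET with an empty environment inside SCRATCH.
# MODE is "" for a normal shell or "-r" for a restricted one (left unquoted
# on purpose so that an empty MODE adds no argument).
run_shell() {
  ( cd "$SCRATCH" &&
    env -i PATH="$CLEAN_PATH" "$BASH_BIN" --noprofile --norc $1 -c "$2" ) 2>/dev/null
}

# True when SNIPPET succeeds in a normal shell but fails under -r, so the
# failure comes from the restriction and not from the snippet itself.
blocked_by_restriction() {
  run_shell "" "$1" >/dev/null && ! run_shell -r "$1" >/dev/null
}

# A shell script found through PATH (no "/" in the command name). The shell
# spawned to run it has restrictions turned off, so its cd succeeds.
echo 'cd / && pwd' > "$SCRATCH/bin/helper"
chmod +x "$SCRATCH/bin/helper"
script_output_under_rbash() { run_shell -r helper; }

report() {
  for snippet in "$@"; do
    if blocked_by_restriction "$snippet"; then
      echo "denied : $snippet"
    else
      echo "ALLOWED: $snippet"
    fi
  done
}
report 'cd /' 'PATH=/usr/bin' '/bin/sh -c :'
report 'echo x > out' 'exec true' 'set +r'
echo "helper, started from the restricted shell, printed: $(script_output_under_rbash)"
```
.fi
.PP
Each snippet is reported as denied, while \fIhelper\fP still changes directory, so a restricted environment should not leave shell scripts reachable through the restricted user's PATH.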
.\" end of rbash.1
.lf 7 ./rbash.1
.SH SEE ALSO
bash(1)