## 22.Restricted Shells

### Disabled commands in restricted shells
Running a script or portion of a script in restricted mode disables certain commands that would otherwise be available. This is a security measure intended to limit the privileges of the script user and to minimize possible damage from running the script.

The following commands and actions are disabled:  

1.Using cd to change the working directory.  
2.Changing the values of the \$PATH, \$SHELL, \$BASH_ENV, or \$ENV environmental variables.  
3.Reading or changing the $SHELLOPTS, shell environmental options.  
4.Output redirection.  
5.Invoking commands containing one or more /'s.  
6.Invoking exec to substitute a different process for the shell.  
7.Various other commands that would enable monkeying with or attempting to subvert the script for an unintended purpose.  
8.Getting out of restricted mode within the script.  

#### Example 22-1. Running a script in restricted mode

In [1]:
cat restricted.sh

#!/bin/bash

#  Starting the script with "#!/bin/bash -r"
#+ runs entire script in restricted mode.

echo

echo "Changing directory"
cd /usr/local
echo "Now in `pwd`"
echo "Coming back home"
cd
echo "Now in `pwd`"
echo
# Everything up to here in normal, unrestricted mode.

set -r
# set --restricted   has same effect.
echo "==> Now in restricted mode. <=="
echo

echo "Attempting directory change in restricted mode."
cd ..
echo "Still in `pwd`"
echo

echo "\$SHELL = $SHELL"
echo "Attempting to change shell in restricted mode."
SHELL="/bin/ash"
echo "\$SHELL= $SHELL"
echo

echo "Attempting to redirect output in restricted mode."
ls -l /usr/bin > bin.files
ls -l bin.files   # Try to list attempted file creation effort.
echo

exit 0


In [2]:
./restricted.sh


Changing directory
Now in /usr/local
Coming back home
Now in /home/liheyi

==> Now in restricted mode. <==

Attempting directory change in restricted mode.
./restricted.sh: line 23: cd: restricted
Still in /home/liheyi

$SHELL = /bin/bash
Attempting to change shell in restricted mode.
./restricted.sh: line 29: SHELL: readonly variable
$SHELL= /bin/bash

Attempting to redirect output in restricted mode.
./restricted.sh: line 34: bin.files: restricted: cannot redirect output
ls: cannot access bin.files: No such file or directory

