rbash – A Restricted Bash Shell Explained with Practical Examples

In the world of Linux and Unix-like systems, security is crucial, especially when multiple users share a system. One way to enhance security is by using restricted shells. One such shell is rbash, or Restricted Bash.

This article will explain what rbash is, how it differs from the regular Bash shell, and provide practical examples of its usage.

What is a Shell?

Before diving into rbash, let’s clarify what a shell is.

A shell is a program that enables users to interact with the Linux system through a command-line interface. It interprets commands entered by the user and communicates with the system to execute those commands.

Bash (Bourne Again SHell) is one of the most widely used shells in Linux environments.

What is rbash?

rbash is a restricted version of the Bash shell, which is designed to limit users’ access to certain commands and features, enhancing system security.

When a user logs into a system using rbash, they cannot perform tasks that could compromise the system or other users.

Key Differences Between Bash and rbash

Following are some key differences between bash and rbash:

  • In rbash, users cannot change their directory with the cd command. They can only operate in their home directory.
  • Certain commands like exec, set, and unset are restricted, preventing users from altering the shell’s environment.
  • Users cannot change environment variables that can affect other users or system settings.
  • In rbash, users cannot redirect input or output, making it harder to execute commands that can access or manipulate files outside their designated areas.

These restrictions make rbash suitable for scenarios where you want to provide limited access to users while maintaining a level of security.

When to Use rbash

Here are some situations where using rbash is beneficial:

  • Public Terminals: In environments like libraries or schools where users need access to basic commands but should not tamper with system settings.
  • Shared Servers: On shared systems, rbash can prevent users from accessing other users’ data or critical system files.
  • Testing and Learning Environments: When teaching users basic command-line skills, rbash can help limit their actions to avoid accidental system changes.

How to Set Up rbash in Linux

Setting up rbash on your Linux system is a straightforward process, all you need to do is follow these steps:

1. Install Bash in Linux

Most Linux distributions come with Bash installed by default, you can check if it’s installed by running:

bash --version
Check Bash Version
Check Bash Version

2. Create a Restricted Shell User

You can create a user specifically for rbash.

sudo adduser anusha
Create a Restricted Shell User
Create a Restricted Shell User

After creating the user, change their default shell to rbash:

sudo usermod -s /bin/rbash restricteduser

To further restrict this user’s environment, you can create a specific directory and set it as their home directory:

sudo mkdir /home/anusha/bin

Then, you can place any scripts or commands you want the user to access inside this bin directory.

To limit the commands available to the user, set their PATH variable to only include the bin directory:

echo 'export PATH=$HOME/bin' | sudo tee -a /home/anusha/.bashrc

Now, you can log in as a restricted user:

su - anusha

How to Use rbash in Linux

Let’s explore some practical examples to illustrate how rbash works.

Example 1: Attempting to Change Directory

Once logged in as the restricted user, try changing directories:

cd /tmp

You will receive an error message like -rbash: cd: restricted, which confirms that the user cannot navigate outside their home directory.

Example 2: Running Restricted Commands

Try executing commands like exec or set:

exec bash

You will get an error like -rbash: exec: restricted, which shows that the user is restricted from executing new shell instances.

Example 3: File Redirection

Attempt to redirect output to a file:

echo "Test" > test.txt

You will receive an error message that indicates that users cannot redirect output to files.

-rbash: test.txt: restricted: cannot redirect output

Example 4: Allowed Commands

To see what commands the restricted user can execute, you can create a simple script in their bin directory.

For example, create a file named hello.sh:

echo "echo 'Hello, World!'" > /home/restricteduser/bin/hello.sh
chmod +x /home/restricteduser/bin/hello.sh

Now, when the restricted user runs:

./hello.sh

They will see Hello, World! printed on the screen, demonstrating that they can execute allowed commands.

Conclusion

In summary, rbash is a powerful tool for enhancing security in multi-user Linux environments. By restricting access to certain commands and features, it helps maintain system integrity while allowing users to perform basic tasks.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Ravi Saive
I am an experienced GNU/Linux expert and a full-stack software developer with over a decade in the field of Linux and Open Source technologies

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

11 Comments

Leave a Reply
  1. You can run anything from a restricted bash shell, providing it’s in your path.

    So to run, say, a python program, just put it in your path.

    Running something, not in the path with an explicit path, eg, /bin/ls will fail:

    rbash: /bin/ls: restricted: cannot specify `/' in command names
    

    So the trick in having your restricted shell do what you want is to set the correct PATH, eg, PATH=/usr/rbash/bin in .bashrc. Remember the startup scripts do not run in restricted mode.

    Reply
  2. I was concerned that defining a symolic link “ln -s bash rbash” would cause rbash to run an unrestricted bash shell. That was not the case on my Fedora system. “rbash” obviously runs the standard bash executable, but the restrictions are enforced.

    So the bash executable must examine the command used to invoke it, and if the name is “rbash”, then the restrictions are applied. Neat.

    Reply
    • @Mark,

      I totally agree with your comment, yes we only covered about rbash only, no any usage about rbash, but we will planning to add usage of rbash to this article..

      Reply
  3. “When users run bash or dash from rbash then they got unrestricted shells” so how do we deal with that important problem??

    What can be read on this page is basically what comes out of the ‘man’ page.

    Reply
  4. After reading this article I’m still trying to get something useful from it, besides the description of rbash.
    There are no examples of configuration, also there are no examples of modification of it base configuration.
    No real case of use for this shell in a production environment, as CentOS and RHEL are mentioned.
    – Can it be used as a default shell for a user? because the user wouldn’t run it if they have the chance.

    Thanks for the article, but it just looks incomplete and not entirely true to the title.

    Reply
    • Hi Max, yes you can run it on the default shell of the user, you have to edit /etc/passwd file and change on the user /bin/bash for /bin/rbash

      Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.