In the world of Linux and Unix-like systems, security is crucial, especially when multiple users share a system. One way to enhance security is by using restricted shells. One such shell is rbash, or Restricted Bash.
This article will explain what rbash is, how it differs from the regular Bash shell, and provide practical examples of its usage.
What is a Shell?
Before diving into rbash, let’s clarify what a shell is.
A shell is a program that enables users to interact with the Linux system through a command-line interface. It interprets commands entered by the user and communicates with the system to execute those commands.
Bash (Bourne Again SHell) is one of the most widely used shells in Linux environments.
What is rbash?
rbash is a restricted version of the Bash shell, which is designed to limit users’ access to certain commands and features, enhancing system security.
When a user logs into a system using rbash, they cannot perform tasks that could compromise the system or other users.
Key Differences Between Bash and rbash
Following are some key differences between bash and rbash:
- In rbash, users cannot change their directory with the cd command. They can only operate in their home directory.
- Certain commands like exec, set, and unset are restricted, preventing users from altering the shell’s environment.
- Users cannot change environment variables that can affect other users or system settings.
- In rbash, users cannot redirect input or output, making it harder to execute commands that can access or manipulate files outside their designated areas.
These restrictions make rbash suitable for scenarios where you want to provide limited access to users while maintaining a level of security.
When to Use rbash
Here are some situations where using rbash is beneficial:
- Public Terminals: In environments like libraries or schools where users need access to basic commands but should not tamper with system settings.
- Shared Servers: On shared systems, rbash can prevent users from accessing other users’ data or critical system files.
- Testing and Learning Environments: When teaching users basic command-line skills, rbash can help limit their actions to avoid accidental system changes.
How to Set Up rbash in Linux
Setting up rbash on your Linux system is a straightforward process, all you need to do is follow these steps:
1. Install Bash in Linux
Most Linux distributions come with Bash installed by default, you can check if it’s installed by running:
bash --version
2. Create a Restricted Shell User
You can create a user specifically for rbash.
sudo adduser anusha
After creating the user, change their default shell to rbash:
sudo usermod -s /bin/rbash restricteduser
To further restrict this user’s environment, you can create a specific directory and set it as their home directory:
sudo mkdir /home/anusha/bin
Then, you can place any scripts or commands you want the user to access inside this bin directory.
To limit the commands available to the user, set their PATH variable to only include the bin directory:
echo 'export PATH=$HOME/bin' | sudo tee -a /home/anusha/.bashrc
Now, you can log in as a restricted user:
su - anusha
How to Use rbash in Linux
Let’s explore some practical examples to illustrate how rbash works.
Example 1: Attempting to Change Directory
Once logged in as the restricted user, try changing directories:
cd /tmp
You will receive an error message like -rbash: cd: restricted, which confirms that the user cannot navigate outside their home directory.
Example 2: Running Restricted Commands
Try executing commands like exec or set:
exec bash
You will get an error like -rbash: exec: restricted, which shows that the user is restricted from executing new shell instances.
Example 3: File Redirection
Attempt to redirect output to a file:
echo "Test" > test.txt
You will receive an error message that indicates that users cannot redirect output to files.
-rbash: test.txt: restricted: cannot redirect output
Example 4: Allowed Commands
To see what commands the restricted user can execute, you can create a simple script in their bin directory.
For example, create a file named hello.sh:
echo "echo 'Hello, World!'" > /home/restricteduser/bin/hello.sh chmod +x /home/restricteduser/bin/hello.sh
Now, when the restricted user runs:
./hello.sh
They will see Hello, World! printed on the screen, demonstrating that they can execute allowed commands.
Conclusion
In summary, rbash is a powerful tool for enhancing security in multi-user Linux environments. By restricting access to certain commands and features, it helps maintain system integrity while allowing users to perform basic tasks.
You can run anything from a restricted bash shell, providing it’s in your path.
So to run, say, a python program, just put it in your path.
Running something, not in the path with an explicit path, eg, /bin/ls will fail:
So the trick in having your restricted shell do what you want is to set the correct PATH, eg, PATH=/usr/rbash/bin in .bashrc. Remember the startup scripts do not run in restricted mode.
Useful post, if I wanted to run a section of code, say a python file in restricted mode, how would I go about doing that?
I was concerned that defining a symolic link “ln -s bash rbash” would cause rbash to run an unrestricted bash shell. That was not the case on my Fedora system. “rbash” obviously runs the standard bash executable, but the restrictions are enforced.
So the bash executable must examine the command used to invoke it, and if the name is “rbash”, then the restrictions are applied. Neat.
but executing commands over ssh just works , $ ssh some_host any_command
pointless post. tells me nothing other than what rbash is.
@Mark,
I totally agree with your comment, yes we only covered about rbash only, no any usage about rbash, but we will planning to add usage of rbash to this article..
“When users run bash or dash from rbash then they got unrestricted shells” so how do we deal with that important problem??
What can be read on this page is basically what comes out of the ‘man’ page.
After reading this article I’m still trying to get something useful from it, besides the description of rbash.
There are no examples of configuration, also there are no examples of modification of it base configuration.
No real case of use for this shell in a production environment, as CentOS and RHEL are mentioned.
– Can it be used as a default shell for a user? because the user wouldn’t run it if they have the chance.
Thanks for the article, but it just looks incomplete and not entirely true to the title.
Hi Max, yes you can run it on the default shell of the user, you have to edit /etc/passwd file and change on the user /bin/bash for /bin/rbash
nice post
Thanks for the feedback @ ashish