BASH is a UNIX shell written by Brian fox and is actually a command processor. It is the most popular shell used in Unix world and has large number of features. It has got many hidden powers but we normally dont stretch that much to absorb all that is there.
So today I will focus on one of the hidden gems of BASH shell modes known as restricted mode.So when we start BASH shell in restricted mode, we call it as restricted shell.
Bash version in my system is :
GNU bash, version 3.2.25(1)-release (x86_64-redhat-linux-gnu)
Copyright (C) 2005 Free Software Foundation, Inc.
If Bash is started with options such as --restricted or -r option is supplied at invocation, the shell becomes restricted.
[[email protected] ~]# bash –r
Do a CD operation and see what happens,, you will be amazed like below :
[[email protected] ~]# cd /opt/
bash: cd: restricted
Why did you get such behavior and what have you actually expected from restricted shell.
In Built JAIL
Yes, you are right, restricted shells are in built jails and they come a free goodies with every bash compilation or standard bash built. This makes bash very powerful in case of low level security attacks. These can be configured to protect system from privileged escalation attacks, now privileged escalation is itself a very big terminology and will be out of scope of this article, in lay man sense, its a term which signifies that the access levels are protected and further break-ins are stalled in a system and jail can prove beneficial in such cases, especially when you have public ftp user and you want to restrict it to some particular directory.
What all can be restricted
A restricted shell is used to set up an environment more controlled than the standard shell. A restricted shell behaves identically to bash with the exception that the following are disallowed or not performed:
1. Changing directories with the cd builtin.
2. Setting or unsetting the values of the SHELL, PATH, ENV, or BASH_ENV variables.
3. Specifying command names containing slashes.
4. Specifying a filename containing a slash as an argument to the . builtin command.
5. Specifying a filename containing a slash as an argument to the -p option to the hash builtin command.
6. Importing function definitions from the shell environment at startup.
7. Parsing the value of SHELLOPTS from the shell environment at startup.
8. Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
9. Using the exec builtin to replace the shell with another command.
10. Adding or deleting builtin commands with the -f and -d options to the enable builtin.
11. Using the enable builtin command to enable disabled shell builtins.
12. Specifying the -p option to the command builtin.
13. Turning off restricted mode with ‘set +r’ or ‘set +o restricted’.
Set the environment you want it for a particular user and can put them startup file : $HOME/.bash_profile, $HOME/.bashrc and see the magic.
Live production scenario:
While I was working on deploying a web-application recently, I needed to transfer a 'build artifact' (release engineering nomenclature for rpm packages) from a Continuous Integration server to an RPM repository server.
We already have an existing RPM repository server that uses Apache, and once my rpm was in the correct location, it would be available over HTTP for all to consume.
Cutting to the chase, what is the simplest way by which I could automatically transfer a ~13 MiB file from one Red Hat host to another?
I didn't want to install an FTP server or any extra Apache module on the existing RPM host that would then support multi-part file uploads.
The quickest solution, it seemed was an scp or an rsync.
So, how would this CI host be authorized to open an SSH tunnel to the web-server?
Where would the identity key reside? There is no elaborate keyserver in this ecosystem.
I decided to the transfer the responsibility of protecting the system from the identity key to the remote host's operating system.
A new user called tarballs on the RPM repository host with its HOME set to /var/www/html/software_packages/tarballs, and set its SHELL to (bash –r).
And tadaaa,, here I go with my deployment.
It could also be used for lab testing scenarios where users are not allowed to change to any directory and will have to cook the recipe within what all is available , so we have really very good uses of this restricted mode.
NB : this setup is in a secure corporate datacenter with access to the machines restricted to trusted co-workers. Also, while the RPM repository host is important, all the data it holds can be easily mirrored and reproduced.
Solely relying on an restrcited bash is by no means a solution for any mission-critical host that is directly exposed to the internet or any untrusted zone.