Question & Answer
Question
How do I use a restricted shell?
Answer
What are the restrictions imposed by a restricted shell?
How do I start a restricted shell?
Which restricted shell should I use?
How can I add more restrictions?
Conclusion
Introduction
On AIX, a restricted shell is a regular shell started in such a way as to limit its normal operation, and can be deployed by a system administrator to limit a user's access to the system. A restricted shell is often used to allow a user to run one or more applications, but prevent the user from executing most AIX commands and from changing the current working directory. Both the Bourne shell and Korn shell can be started in restricted shell mode. The characteristics of a restricted shell are similar for these two shells, so this document will focus primarily on the Korn shell since it is the more modern of the two shells.
What are the restrictions imposed by a restricted shell?
A restricted shell imposes the following restrictions:
- It will not execute the cd command.
- It will not allow modification to the following system environment variables: SHELL, ENV, and PATH.
- It will not allow a program to be executed by specifying a path to the program that includes a / character. This means only commands in the current path can be executed. For example, you cannot run a command such as /usr/bin/date or ./date. It is possible to run the date command without specifying a path, but only if the PATH environment variable includes a directory that contains the date command.
- It will not redirect output with >, >|, <>, or >>.
- It will not return to a shell prompt if it receives an interrupt such as the one generated by Ctrl-C when processing the shell startup files such as /etc/environment and .profile.
How do I start a restricted shell?
A restricted shell can be started in one of two ways. Note that the operation of the restricted shell is slightly different between these two methods.
- By using the restricted shell option -r when running the shell command. The Bourne shell can be started as a restricted shell with the command bsh -r, and the Korn shell with the command ksh -r. When a shell is started with the -r option, the shell will enforce restrictions when processing /etc/environment and .profile.
- By running a hard link to the shell that has a file name recognized by the shell as a command to run the shell in restricted shell mode. The hard link file name for the Bourne shell is Rsh and for the Korn shell rksh. When a shell is started with Rsh or rksh, restrictions are not enforced until after /etc/environment and .profile have been processed. This is the method most commonly used to start a restricted shell. On currently supported versions of AIX, these hard links are automatically installed in /usr/bin. If you are on a system that does not have the hard links shown below, you can easily create them with the ln command.
# pwd
/usr/bin
# ls -il Rsh
1124 -r-xr-xr-x 2 bin bin 1726412 Mar 22 2009 Rsh
# ls -il bsh
1124 -r-xr-xr-x 2 bin bin 1726412 Mar 22 2009 bsh
# ls -il rksh
1501 -r-xr-xr-x 5 bin bin 247238 Mar 13 2009 rksh
# ls -il ksh
1501 -r-xr-xr-x 5 bin bin 247238 Mar 13 2009 ksh
Note: The inodes are identical for Rsh and bsh, and for rksh and ksh. When the Bourne shell or Korn shell is starting up it looks at the name of the command used to invoke it, and if the name is the restricted shell name, it will operate in restricted mode.
The Korn shell has more features than the older Bourne shell, so the Korn restricted shell is usually a better choice. Regardless of which shell is used, you will need to decide if you want to start the restricted shell with the -r option, or the restricted shell command. As previously mentioned, the -r option causes the shell to begin enforcing restrictions when sourcing shell startup files, whereas the restricted shell commands Rsh and rksh do not enforce restrictions on these startup files. The restricted shell commands are the most commonly used methods for starting a restricted shell because they allow full shell operation during the processing of .profile, and this allows a system administrator to use .profile to further restrict access by the user.
How do I add more restrictions?
Simply setting a user's default shell with the chsh command is usually not enough to provide adequate restrictions for a user. But a restricted shell can be used in combination with other steps to alter the user's environment to further limit the user's access to the system. This can be accomplished by restricting permissions on files and directories and setting environment variables in the user's .profile that the user will not be able to modify. The example that follows provides all of the steps necessary for installing a restricted Korn shell for a user, specifying which commands the user can run, and preventing the user from modifying the environment to bypass the restrictions. Because the user's .profile will be used to set up the restricted environment, we will need full shell access when processing .profile, so we will use the rksh command to start the restricted shell. Run the following commands as root.
- If a file named rksh does not exist in /usr/bin, create a hard link named rksh linked to ksh.
# ln /usr/bin/ksh /usr/bin/rksh
- If it does not already exist, use a text editor to add rksh to the usw: stanza in /etc/security/login.cfg.
- Change the default shell for the user to rksh.
# chsh <userName> /usr/bin/rksh
- Create a .profile in the user's home directory and set the PATH environment variable to a directory containing all of the commands you want the user to be able to run.
export PATH=/usr/bin/restricted
- Create the directory that will contain the commands.
# mkdir /usr/bin/restricted
- Put the commands you want the user to be able to run into /usr/bin/restricted. In this example, we will create symbolic links to the date and ps commands and put the links into /usr/bin/restricted. The user will only be able to run these two commands.
# cd /usr/bin/restricted
# ln -s /usr/bin/date date
# ln -s /usr/bin/ps ps
- Prevent the user from modifying .profile. Replace <userName> with the name of the home directory for the user.
# cd /home/<userName>
# chown bin:bin .profile /home/<userName>
# chmod -w .profile /home/<userName>
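An added check that is not part of the original document: a POSIX sh audit for the layout the steps above produce. It assumes the same three ingredients (a .profile that sets PATH, the restricted command directory, and an rksh or Rsh login shell), judges writability from the mode bits that ls reports, and the sandbox it builds is a constructed sample rather than a real AIX user.

```shell
# Mode string test: $1 is a cut(1) column range over `ls -ldL` output, $2 the file.
# Range 1-10 catches any write bit (what the chmod -w step is meant to remove);
# range 5-10 catches only group/other write bits.
writable() {
    case $(ls -ldL "$2" 2>/dev/null | cut -c"$1") in *w*) return 0 ;; esac
    return 1
}
note() { echo "finding: $1"; findings=$((findings + 1)); }

# audit_restricted_env HOME RDIR LOGIN_SHELL "cmd1 cmd2 ..."
# Prints one line per weakness; returns 0 only when the layout is clean.
audit_restricted_env() {
    home=$1 rdir=$2 shell=$3 allowed=$4 findings=0
    case $shell in
        */rksh | */Rsh) ;;
        *) note "login shell is '$shell', not rksh or Rsh" ;;
    esac
    if [ ! -f "$home/.profile" ]; then
        note "no .profile in $home"
    else
        grep -qFx "export PATH=$rdir" "$home/.profile" \
            || note ".profile does not set PATH to exactly $rdir"
        writable 1-10 "$home/.profile" && note ".profile still has a write bit"
    fi
    writable 1-10 "$home" && note "home directory $home still has a write bit"
    writable 5-10 "$rdir" && note "$rdir is group- or world-writable"
    for f in "$rdir"/*; do
        [ -e "$f" ] || continue          # empty directory leaves the glob literal
        name=${f##*/}
        case " $allowed " in
            *" $name "*) writable 5-10 "$f" && note "$name is group- or world-writable" ;;
            *) note "unexpected command '$name' in $rdir" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Builds a throwaway copy of the layout under $1 (constructed sample, not a real
# user): placeholder command files stand in for /usr/bin/date and /usr/bin/ps.
build_sample_env() {
    mkdir -p "$1/home/ruser" "$1/restricted" "$1/bin"
    for c in date ps; do
        : > "$1/bin/$c"; chmod 555 "$1/bin/$c"; ln -s "$1/bin/$c" "$1/restricted/$c"
    done
    echo "export PATH=$1/restricted" > "$1/home/ruser/.profile"
    chmod -w "$1/home/ruser/.profile" "$1/home/ruser"   # the two chmod -w targets above
    chmod 755 "$1/restricted"
}
```

On a real system, pass the user's home directory, /usr/bin/restricted, the shell recorded for the user, and the names of the intended commands.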
Conclusion
A restricted shell can be used to limit a user's access to the system. However the limitations provided by a restricted shell are not enough to prevent a user from running unauthorized commands. To do this, additional steps must be taken to alter the user's environment. The limitations provided by the restricted shell will prevent the user from modifying the environment to bypass the restrictions. The example provided in this document is one way to use the restricted shell to limit access by a user.
Document Information
Modified date: 17 June 2018
UID: isg3T1011970