Advanced Bash-Scripting HOWTO: A guide to shell scripting, using Bash | ||
---|---|---|
Prev | Chapter 3. Tutorial / Reference | Next |
Running a script or portion of a script in restricted mode disables certain commands that would otherwise be available. This is a security measure intended to limit the privileges of the script user and to minimize possible damage from running the script.
Disabled commands in restricted shells
Using cd to change the working directory.
Changing the values of the $PATH, $SHELL, $BASH_ENV, or $ENV environmental variables.
Reading or changing the $SHELLOPTS, shell environmental options.
Output redirection.
Invoking commands containing one or more /'s.
Invoking exec to substitute a different process for the shell.
Various other commands that would enable monkeying with or attempting to subvert the script for an unintended purpose.
Getting out of restricted mode within the script.
Example 3-79. Running a script in restricted mode
1 #!/bin/bash 2 # Starting the script with "#!/bin/bash -r" runs entire script in restricted mode. 3 4 echo 5 6 echo "Changing directory." 7 cd /usr/local 8 echo "Now in `pwd`" 9 echo "Coming back home." 10 cd 11 echo "Now in `pwd`" 12 echo 13 14 # Everything up to here in normal, unrestricted mode. 15 16 set -r 17 # set --restricted has same effect. 18 echo "==> Now in restricted mode. <==" 19 20 echo 21 echo 22 23 echo "Attempting directory change in restricted mode." 24 cd .. 25 echo "Still in `pwd`" 26 27 echo 28 echo 29 30 echo "\$SHELL = $SHELL" 31 echo "Attempting to change shell in restricted mode." 32 SHELL="/bin/ash" 33 echo 34 echo "\$SHELL= $SHELL" 35 36 echo 37 echo 38 39 echo "Attempting to redirect output in restricted mode." 40 ls -l /usr/bin > bin.files 41 # Try to list attempted file creation effort. 42 ls -l bin.files 43 44 echo 45 46 exit 0 |