Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-) Softpanorama Search

Restricted Shell

Restricted shells allow you to control the user's environment. The restricted shell, rsh, allows the user to do everything allowed by sh, except:

• change directory
• set the value of $PATH
• specify the path of command names containing /
• redirect output (> and >>)

The restricted shell is /usr/lib/rsh. This should not be confused with the remote shell, which is /usr/bin/rsh.

Don't rely too heavily on the restricted shell. It's not that restricted. While you can't specify a command name that begins with "/", you can specify arguments that do. So if cat is in your path you could type:

% cat /etc/passwd

and have a look at the password file. Also, some programs, such as editors and telnet, allow you to escape out to a shell and editors can edit/view any file with read access allowed on the system.

If Bash is started with the name rbash, or the `--restricted' option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell. A restricted shell behaves identically to bash with the exception that the following are disallowed:

• Changing directories with the cd builtin.
• Setting or unsetting the values of the SHELL, PATH, ENV, or BASH_ENV variables.
• Specifying command names containing slashes.
• Specifying a filename containing a slash as an argument to the . builtin command.
• Importing function definitions from the shell environment at startup.
• Parsing the value of SHELLOPTS from the shell environment at startup.
• Redirecting output using the `>', `>|', `<>', `>&', `&>', and `>>' redirection operators.
• Using the exec builtin to replace the shell with another command.
• Adding or deleting builtin commands with the `-f' and `-d' options to the enable builtin.
• Specifying the `-p' option to the command builtin.
• Turning off restricted mode with `set +r' or `set +o restricted'.

How do I break out of a restricted shell?

A restricted shell is a shell that has been modified to allow you to do fewer things than a normal shell would allow you to do. It may allow you to run only certain programs. It may stop you from changing directories. Many sites run their own restricted shells to allow limited use of their systems over the Internet. Restricted shells often make use of the restricted shell (rsh).

On poorly implemented restricted shells you can break out of the restricted environment by running a program that features a shell function. A good example of a shell function is provided by vi. Run vi and use this command:

:set shell=/bin/sh

then shell using this command:

:shell

Many menu based restricted shells will allow you to configure your user environment, or to run programs that allow you to configure your user environment. Look for configuration options that refer to executable programs. If the program lets you define an editor, for example, try to set your editor to "/bin/csh -i -f"

If you are not allowed to read files, try to open them inside the e-mail program.

If you are not allowed to edit files, try to save that to file from the e-mail program.

If your restricted shell prevents you from using the "cd" command, try to FTP into your account and change directories. FTP can aso be used to edit files by getting the file, editing it offline, and putting the net file back online.

Like most hacking, trying different things is often the most successful strategy.