IBM Support

How to Use a Restricted Shell

Question & Answer


Question

How do I use a restricted shell?

Answer

Introduction
What are the restrictions imposed by a restricted shell?
How do I start a restricted shell?
Which restricted shell should I use?
How do I add more restrictions?
Conclusion

Introduction

On AIX, a restricted shell is a regular shell started in such a way as to limit its normal operation, and can be deployed by a system administrator to limit a user's access to the system. A restricted shell is often used to allow a user to run one or more applications, but prevent the user from executing most AIX commands and from changing the current working directory. Both the Bourne shell and Korn shell can be started in restricted shell mode. The characteristics of a restricted shell are similar for these two shells, so this document will focus primarily on the Korn shell since it is the more modern of the two shells.

What are the restrictions imposed by a restricted shell?

A restricted shell imposes the following restrictions:

  1. It will not execute the cd command.

  2. It will not allow modification of the following environment variables: SHELL, ENV, and PATH.

  3. It will not allow a program to be executed by specifying a path to the program that includes a / character. This means only commands in the current path can be executed. For example, you cannot run a command such as /usr/bin/date or ./date. It is possible to run the date command without specifying a path, but only if the PATH environment variable includes a directory that contains the date command.

  4. It will not redirect output with >, >|, <>, or >>.

  5. It will not return to a shell prompt if it receives an interrupt, such as the one generated by Ctrl-C, while processing the shell startup files such as /etc/environment and .profile.

It should be noted that the restrictions listed above are not enough by themselves to limit the commands a user can run. For example, if the PATH environment variable includes the /usr/bin directory, as it does by default, a user will be able to run any command located in /usr/bin. One of these commands is ksh, which means a user running the restricted shell can leave it simply by running ksh to start another shell in normal, full-access mode. As described later in this document, additional steps must be taken to further restrict the user.

How do I start a restricted shell?

A restricted shell can be started in one of two ways. Note that the operation of the restricted shell is slightly different between these two methods.
  • By using the restricted shell option -r when running the shell command. The Bourne shell can be started as a restricted shell with the command bsh -r, and the Korn shell with the command ksh -r. When a shell is started with the -r option, the shell will enforce restrictions when processing /etc/environment and .profile.

  • By running a hard link to the shell that has a file name recognized by the shell as a command to run the shell in restricted shell mode. The hard link file name for the Bourne shell is Rsh and for the Korn shell rksh. When a shell is started with Rsh or rksh, restrictions are not enforced until after /etc/environment and .profile have been processed. This is the method most commonly used to start a restricted shell. On currently supported versions of AIX, these hard links are automatically installed in /usr/bin. If you are on a system that does not have the hard links below, you can easily create them with the ln command.

    # pwd
    /usr/bin

    # ls -il Rsh
     1124 -r-xr-xr-x    2 bin      bin         1726412 Mar 22 2009  Rsh
    # ls -il bsh
     1124 -r-xr-xr-x    2 bin      bin         1726412 Mar 22 2009  bsh

    # ls -il rksh
     1501 -r-xr-xr-x    5 bin      bin          247238 Mar 13 2009  rksh
    # ls -il ksh
     1501 -r-xr-xr-x    5 bin      bin          247238 Mar 13 2009  ksh

    Note: The inodes are identical for Rsh and bsh, and for rksh and ksh. When the Bourne shell or Korn shell is starting up it looks at the name of the command used to invoke it, and if the name is the restricted shell name, it will operate in restricted mode.
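The restrictions listed earlier and the two start methods described here can be checked rather than assumed. The following probe is an added example and not part of the IBM document: it runs the same command string under a restricted shell started with -r and under one started through a link with the recognised name, and reports which of the four non-interactive restrictions (cd, PATH assignment, a / in the command name, output redirection) were refused. It assumes ksh is the shell under test, as on AIX; on a system without ksh it falls back to bash, whose restricted mode enforces the same four checks and whose recognised link name is rbash rather than rksh. The symbolic link in a scratch directory stands in for the hard link in /usr/bin so the probe needs no root.

```shell
#!/bin/sh
# Added example, not from the IBM document: probe which documented restrictions
# a restricted shell enforces, via the -r option and via the recognised name.

# Print the path of the first shell found that has a restricted mode. ksh is
# preferred because it is the shell the document describes; bash is the
# fallback (an assumption for running the probe on a non-AIX system).
pick_shell() {
    for s in ksh bash; do
        if command -v "$s" >/dev/null 2>&1; then
            command -v "$s"
            return 0
        fi
    done
    echo "no shell with a restricted mode found" >&2
    return 1
}

# Run a command string under "$shell $flag -c" and print 1 if the shell refused
# it (non-zero exit) or 0 if it ran. $flag is unquoted on purpose so that an
# empty flag disappears instead of becoming an empty argument.
refused() {
    shell=$1; flag=$2; cmd=$3
    if "$shell" $flag -c "$cmd" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# Probe the four restrictions that can be tested non-interactively, plus a
# control command (date, found through PATH) that must still work.
# Prints "XXXX Y": each X is 1 if refused; Y is 0 if the control ran.
# A working restricted shell yields "1111 0"; an unrestricted one "0000 0".
probe_restrictions() {
    shell=$1; flag=${2:-}
    cd_r=$(refused "$shell" "$flag" 'cd /')
    path_r=$(refused "$shell" "$flag" 'PATH=/tmp')
    slash_r=$(refused "$shell" "$flag" "$(command -v date)")
    redir_r=$(refused "$shell" "$flag" 'echo probe >/dev/null')
    control=$(refused "$shell" "$flag" 'date')
    echo "$cd_r$path_r$slash_r$redir_r $control"
}

# Create the name-based entry point for shell $2 in directory $1: rksh for
# ksh, rbash for bash. The shell only looks at the name it was invoked by, so
# a symbolic link in a scratch directory is enough for the probe.
make_restricted_link() {
    dir=$1; shell=$2
    name="r$(basename "$shell")"
    ln -sf "$shell" "$dir/$name"
    echo "$dir/$name"
}

# Stand-alone run: report both start methods and the unrestricted baseline.
shell=$(pick_shell) || exit 1
work=$(mktemp -d)
echo "unrestricted : $(probe_restrictions "$shell")"
echo "-r option    : $(probe_restrictions "$shell" -r)"
echo "link name    : $(probe_restrictions "$(make_restricted_link "$work" "$shell")")"
rm -rf "$work"
```

The fifth documented restriction, not returning to a prompt on an interrupt during startup, needs a terminal and a login session and is left out of the probe. Note that the control column only shows that commands on PATH still run; it says nothing about whether PATH itself is adequate, which is what the later section addresses.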

Which restricted shell should I use?

The Korn shell has more features than the older Bourne shell, so the Korn restricted shell is usually a better choice. Regardless of which shell is used, you will need to decide if you want to start the restricted shell with the -r option, or the restricted shell command. As previously mentioned, the -r option causes the shell to begin enforcing restrictions when sourcing shell startup files, whereas the restricted shell commands Rsh and rksh do not enforce restrictions on these startup files. The restricted shell commands are the most commonly used methods for starting a restricted shell because they allow full shell operation during the processing of .profile, and this allows a system administrator to use .profile to further restrict access by the user.

How do I add more restrictions?

Simply setting a user's default shell with the chsh command is usually not enough to provide adequate restrictions for a user. But a restricted shell can be used in combination with other steps to alter the user's environment to further limit the user's access to the system. This can be accomplished by restricting permissions on files and directories and setting environment variables in the user's .profile that the user will not be able to modify. The example that follows provides all of the steps necessary for installing a restricted Korn shell for a user, specifying which commands the user can run, and preventing the user from modifying the environment to bypass the restrictions. Because the user's .profile will be used to set up the restricted environment, we will need full shell access when processing .profile, so we will use the rksh command to start the restricted shell. Run the following commands as root.

  1. If a file named rksh does not exist in /usr/bin, create a hard link named rksh linked to ksh.
    # ln /usr/bin/ksh /usr/bin/rksh

  2. If it is not already listed there, use a text editor to add /usr/bin/rksh to the shells attribute of the usw: stanza in /etc/security/login.cfg, so that chsh will accept it as a login shell.

  3. Change the default shell for the user to rksh.
    # chsh <userName> /usr/bin/rksh

  4. Create a .profile in the user's home directory and set the PATH environment variable to a directory containing all of the commands you want the user to be able to run.
    export PATH=/usr/bin/restricted

  5. Create the directory that will contain the commands.
    # mkdir /usr/bin/restricted

  6. Put the commands you want the user to be able to run into /usr/bin/restricted. In this example, we will create symbolic links to the date and ps commands and put the links into /usr/bin/restricted. The user will only be able to run these two commands.
    # cd /usr/bin/restricted
    # ln -s /usr/bin/date date
    # ln -s /usr/bin/ps ps

  7. Prevent the user from modifying .profile. Replace <userName> with the user's login name, which is also the name of the user's home directory.
    # cd /home/<userName>
    # chown bin:bin .profile /home/<userName>
    # chmod -w .profile /home/<userName>

Now when the user logs in, the restricted shell will run as the default login shell and read the .profile, which will set PATH to /usr/bin/restricted so that the user will only be able to run the date and ps commands. The restricted shell will not allow the user to change PATH, and the permissions on .profile will not allow the user to alter the environment to bypass the restrictions during the next login session.
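Steps 4 to 7 of the procedure above, as an added example that is not part of the IBM document, wrapped in a function so the result can be rehearsed under a scratch directory before being applied to the real system, together with a check that an administrator can rerun later to confirm the environment has not been loosened. It assumes that steps 1 to 3 (the hard link, login.cfg and chsh) are done separately because they change system files, that the base directory argument is a scratch path for a rehearsal or empty for the real root, and that the chown to bin:bin is only attempted when running as root and a bin user exists, since that is the one step that needs privilege.

```shell
#!/bin/sh
# Added example, not from the IBM document: steps 4 to 7 of the procedure as a
# rehearsable function, plus a check of the result.

# Build the restricted environment for user $2 below base directory $1
# (use "" for the real system, a scratch directory for a rehearsal).
setup_restricted_user() {
    base=$1; user=$2
    rbin="$base/usr/bin/restricted"
    home="$base/home/$user"

    # Step 5: the directory holding the only commands the user may run.
    mkdir -p "$rbin" "$home"

    # Step 6: symbolic links to the permitted commands (date and ps, as in the
    # document). Targets are the real system paths, not $base paths, so a
    # rehearsal produces exactly the links that will be installed.
    for cmd in date ps; do
        ln -sf "/usr/bin/$cmd" "$rbin/$cmd"
    done

    # Step 4: .profile sets PATH; the restricted shell will not let it change.
    printf 'export PATH=/usr/bin/restricted\n' > "$home/.profile"

    # Step 7: the user must be unable to edit .profile or replace it, so the
    # file and the home directory are owned by bin and lose their write bits.
    if [ "$(id -u)" = 0 ] && id bin >/dev/null 2>&1; then
        chown bin:bin "$home/.profile" "$home" || echo "warning: chown failed" >&2
    fi
    chmod -w "$home/.profile" "$home"
}

# Check the environment built above; print "ok" or the first problem found.
# A writable .profile or an extra command in the restricted directory means
# the restriction can be bypassed, so this is worth running periodically.
verify_restricted_user() {
    base=$1; user=$2
    rbin="$base/usr/bin/restricted"
    home="$base/home/$user"

    found=$(ls "$rbin" | sort | tr '\n' ' ')
    if [ "$found" != "date ps " ]; then
        echo "unexpected contents in $rbin: $found"; return 1
    fi
    if [ "$(cat "$home/.profile")" != "export PATH=/usr/bin/restricted" ]; then
        echo ".profile does not set the expected PATH"; return 1
    fi
    for f in "$home/.profile" "$home"; do
        # Mode string such as -r--r--r-- or dr-xr-xr-x; any w means writable.
        case "$(ls -ld "$f" | cut -c1-10)" in
            *w*) echo "$f is writable"; return 1 ;;
        esac
    done
    echo ok
}
```

Rehearsal usage: `setup_restricted_user /tmp/rehearsal alice && verify_restricted_user /tmp/rehearsal alice`. For the real system call both with an empty base directory as root; the verify function then reads the same paths the document's commands create.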

Conclusion

A restricted shell can be used to limit a user's access to the system. However the limitations provided by a restricted shell are not enough to prevent a user from running unauthorized commands. To do this, additional steps must be taken to alter the user's environment. The limitations provided by the restricted shell will prevent the user from modifying the environment to bypass the restrictions. The example provided in this document is one way to use the restricted shell to limit access by a user.

Document Information

Product: AIX
Version: 5.3; 6.1; 7.1

Modified date:
17 June 2018

UID

isg3T1011970