From 754bbf7a25a8dda49b5d08ef0d0443bbf5af0e36 Mon Sep 17 00:00:00 2001
From: Craig Jennings <c@cjennings.net>
Date: Sun, 7 Apr 2024 13:41:34 -0500
Subject: new repository

---
 devdocs/bash/the-restricted-shell.html | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 devdocs/bash/the-restricted-shell.html

(limited to 'devdocs/bash/the-restricted-shell.html')

diff --git a/devdocs/bash/the-restricted-shell.html b/devdocs/bash/the-restricted-shell.html
new file mode 100644
index 00000000..ea831a45
--- /dev/null
+++ b/devdocs/bash/the-restricted-shell.html
@@ -0,0 +1,20 @@
+<h1 class="section">The Restricted Shell</h1>  <p>If Bash is started with the name <code>rbash</code>, or the <samp>--restricted</samp> or <samp>-r</samp> option is supplied at invocation, the shell becomes restricted. A restricted shell is used to set up an environment more controlled than the standard shell. A restricted shell behaves identically to <code>bash</code> with the exception that the following are disallowed or not performed: </p> <ul> <li> Changing directories with the <code>cd</code> builtin. </li>
+<li> Setting or unsetting the values of the <code>SHELL</code>, <code>PATH</code>, <code>HISTFILE</code>, <code>ENV</code>, or <code>BASH_ENV</code> variables. </li>
+<li> Specifying command names containing slashes. </li>
+<li> Specifying a filename containing a slash as an argument to the <code>.</code> builtin command. </li>
+<li> Specifying a filename containing a slash as an argument to the <code>history</code> builtin command. </li>
+<li> Specifying a filename containing a slash as an argument to the <samp>-p</samp> option to the <code>hash</code> builtin command. </li>
+<li> Importing function definitions from the shell environment at startup. </li>
+<li> Parsing the value of <code>SHELLOPTS</code> from the shell environment at startup. </li>
+<li> Redirecting output using the ‘<samp>&gt;</samp>’, ‘<samp>&gt;|</samp>’, ‘<samp>&lt;&gt;</samp>’, ‘<samp>&gt;&amp;</samp>’, ‘<samp>&amp;&gt;</samp>’, and ‘<samp>&gt;&gt;</samp>’ redirection operators. </li>
+<li> Using the <code>exec</code> builtin to replace the shell with another command. </li>
+<li> Adding or deleting builtin commands with the <samp>-f</samp> and <samp>-d</samp> options to the <code>enable</code> builtin. </li>
+<li> Using the <code>enable</code> builtin command to enable disabled shell builtins. </li>
+<li> Specifying the <samp>-p</samp> option to the <code>command</code> builtin. </li>
+<li> Turning off restricted mode with ‘<samp>set +r</samp>’ or ‘<samp>shopt -u restricted_shell</samp>’. </li>
+</ul> <p>These restrictions are enforced after any startup files are read. </p> <p>When a command that is found to be a shell script is executed (see <a href="shell-scripts">Shell Scripts</a>), <code>rbash</code> turns off any restrictions in the shell spawned to execute the script. </p> <p>The restricted shell mode is only one component of a useful restricted environment. It should be accompanied by setting <code>PATH</code> to a value that allows execution of only a few verified commands (commands that allow shell escapes are particularly vulnerable), changing the current directory to a non-writable directory other than <code>$HOME</code> after login, not allowing the restricted shell to execute shell scripts, and cleaning the environment of variables that cause some commands to modify their behavior (e.g., <code>VISUAL</code> or <code>PAGER</code>). </p> <p>Modern systems provide more secure ways to implement a restricted environment, such as <code>jails</code>, <code>zones</code>, or <code>containers</code>. </p><div class="_attribution">
+  <p class="_attribution-p">
+    Copyright &copy; 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc.<br>Licensed under the GNU Free Documentation License.<br>
+    <a href="https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html" class="_attribution-link">https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html</a>
+  </p>
+</div>
-- 
cgit v1.2.3