The Restricted Shell (rsh)


Some versions of UNIX include a special shell, the restricted shell, that provides restricted capabilities. Although the restricted shell provides only a limited degree of security, it can prevent users who should only have access to specific programs from damaging the system. For instance, a bank clerk should only have access to programs used for particular banking functions, a text processor should only have access to certain text processing programs, and an order entry clerk should only have access to programs for entering orders.

System administrators can prevent these users from using other programs by assigning the restricted shell, rsh, as their start-up program. This is done by placing /bin/rsh in the last field of the user’s entry in the system’s /etc/passwd file. The restricted shell can also be invoked by providing the sh command with the -r option. (Note that the restricted shell rsh is different from the command rsh, which is the remote shell command that is included with the Internet Utilities package discussed in Chapter 9.)

The following restrictions are placed on users running the restricted shell rsh:

  • Users cannot move from their home directory, because the cd command is disabled.

  • Users cannot change the value of the PATH variable, so that they can only run commands in the PATH given to them by the system administrator.

  • Users cannot change the value of the SHELL variable.

  • Users cannot run commands in directories other than those in their PATH, because they cannot use a command name containing a slash (/).

  • Users cannot redirect output using > or >>.

  • Users cannot use the exec command.

These restrictions are enforced after the user’s .profile has been executed. (Unfortunately, a quick user can interrupt the execution of .profile and get the standard shell.) The system administrator sets up the user’s .profile, changes the owner of this file to root, and changes its permissions so that no one else can write to it. The administrator defines the user’s PATH in this .profile so that the user can only run commands in a specified directory, which is often called /usr/rbin.
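
The account setup described above (rsh in the last /etc/passwd field, a root-owned .profile that no one else can write, PATH defined in that .profile) can be audited with a short script. This is an added example, not code from the book; the function name audit_rsh_user, its OWNER_UID parameter, and the clerk and teller fixture accounts are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Usage: audit_rsh_user PASSWD_FILE USER [OWNER_UID]
# Prints one finding per line, nothing when every check passes.
# OWNER_UID defaults to 0 (root); it is a parameter (an assumption of this
# example) so the checks can run on a constructed fixture without root.
audit_rsh_user() {
    passwd_file=$1 user=$2 owner_uid=${3:-0}
    # passwd fields: name:password:uid:gid:comment:home:shell
    entry=$(awk -F: -v u="$user" '$1 == u { print $6 ":" $7; exit }' "$passwd_file")
    if [ -z "$entry" ]; then echo "no passwd entry for $user"; return 0; fi
    home=${entry%%:*} shell=${entry#*:}
    [ "$shell" = "/bin/rsh" ] || echo "login shell is '$shell', not /bin/rsh"

    profile=$home/.profile
    if [ ! -f "$profile" ]; then
        echo "$profile is missing, so nothing sets the restricted PATH"
        return 0
    fi
    # ls -ln: field 1 is the mode string, field 3 the numeric owner.
    meta=$(ls -ln "$profile" | awk '{ print $1 ":" $3; exit }')
    mode=${meta%%:*} uid=${meta#*:}
    [ "$uid" = "$owner_uid" ] || echo "$profile is owned by uid $uid, expected $owner_uid"
    # Character 6 of the mode string is group write, character 9 is other write.
    case $mode in
        ?????w*|????????w*) echo "$profile is writable by group or others ($mode)" ;;
    esac
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?PATH=' "$profile" ||
        echo "$profile does not set PATH"
    return 0
}

# Constructed fixture: one correctly configured account, one that is not.
demo() {
    d=$(mktemp -d)
    mkdir "$d/clerk"
    printf 'PATH=/usr/rbin\nexport PATH\n' > "$d/clerk/.profile"
    chmod 644 "$d/clerk/.profile"
    printf 'clerk:x:501:50:Order entry:%s:/bin/rsh\n' "$d/clerk"  > "$d/passwd"
    printf 'teller:x:502:50:Teller:%s:/bin/sh\n'     "$d/teller" >> "$d/passwd"
    for u in clerk teller; do
        echo "== $u"; audit_rsh_user "$d/passwd" "$u" "$(id -u)"
    done
    rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument demo to see the findings for the constructed accounts; against a real system, call audit_rsh_user /etc/passwd USER and leave OWNER_UID at its default of 0.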

The restricted shell uses the same program as the standard shell sh does, but running it restricts the capabilities allowed to the user invoking it.

The restricted shell rsh provides only limited security. Skilled users can easily break out of it and obtain access to an unrestricted shell. However, the restricted shell can prevent naive users from damaging their resources or the system.




UNIX: The Complete Reference, Second Edition (Complete Reference Series)
ISBN: 0072263369
EAN: 2147483647
Year: 2006
Pages: 316