added 21 characters in body
Chris Down

Do not do this. rbash should only be used within an already secure environment unless you know what you are doing. There are many ways to break out of a restricted bash shell that are not easy to predict in advance.

Functions can easily be overridden simply by doing command bash or command sh.

As for your questions:

  • You can't define multiple functions at the same time directly. You'd have to do something like this:
x()  { foo; }
alias f1=x
alias f2=x
  • rbash works because bash checks the value of argv[0] on launch. If the basename, with leading dashes stripped, is equal to RESTRICTED_SHELL_NAME (defaulting to rbash, see config.h), it runs in restricted mode. This is the same way that it runs in POSIX-compliance mode if invoked as sh. You can see this in the following code from shell.c in bash 4.2, lines 1132-1147:
/* Return 1 if the shell should be a restricted one based on NAME or the
   value of `restricted'.  Don't actually do anything, just return a
   boolean value. */
int
shell_is_restricted (name)
     char *name;
{
  char *temp;

  if (restricted)
    return 1;
  temp = base_pathname (name);
  if (*temp == '-')
    temp++;
  return (STREQ (temp, RESTRICTED_SHELL_NAME));
}
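
The argv[0] check quoted above can be observed on a live system. The following is an added example, not part of the original answer: the symlink names and the probe script are constructed for the demo, and it assumes bash is on PATH and was built with restricted-shell support.

```shell
# Added example; the link names and probe script are constructed for the demo.
# Runs the same bash binary under different argv[0] names and reports the
# mode it selected at startup.

# restricted_shell is a read-only shopt that bash sets itself at startup.
PROBE='if shopt -q restricted_shell; then echo restricted
elif shopt -q -o posix; then echo posix
else echo normal; fi'

# run_as NAME ARGS...: invoke bash through a temporary symlink called NAME.
run_as() {
    name=$1; shift
    dir=$(mktemp -d) || return 1
    ln -s "$(command -v bash)" "$dir/$name" || return 1
    (unset POSIXLY_CORRECT; "$dir/$name" "$@")
    status=$?
    rm -rf "$dir"
    return "$status"
}

# mode_as NAME [FLAGS...]: print restricted, posix or normal.
mode_as() { run_as "$@" -c "$PROBE"; }

# cd_refused_as NAME: succeed if the shell refuses cd, as restricted mode does.
cd_refused_as() { ! run_as "$1" -c 'cd /' 2>/dev/null; }

for n in rbash bash sh; do
    echo "$n: $(mode_as "$n")"
done
echo "bash -r: $(mode_as bash -r)"
```

The `bash -r` case exercises the `if (restricted)` branch of `shell_is_restricted`; the symlink cases exercise the name comparison.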
what was i smoking when i wrote this
Chris Down

Do not do this. rbash should only be used within a chroot unless you know what you are doing. There are many ways to break out of a restricted bash shell that are not easy to predict in advance.

Functions can easily be overridden simply by doing command bash or command sh.

As for your questions:

  • You can't define multiple functions at the same time directly. You'd have to do something like this:
x()  { foo; }
alias f1=x
alias f2=x
  • rbash works because bash checks the value of argv[0] on launch. If the basename, with leading dashes stripped, is equal to RESTRICTED_SHELL_NAME (defaulting to rbash, see config.h), it runs in restricted mode. This is the same way that it runs in POSIX-compliance mode if invoked as sh. You can see this in the following code from shell.c in bash 4.2, lines 1132-1147:
/* Return 1 if the shell should be a restricted one based on NAME or the
   value of `restricted'.  Don't actually do anything, just return a
   boolean value. */
int
shell_is_restricted (name)
     char *name;
{
  char *temp;

  if (restricted)
    return 1;
  temp = base_pathname (name);
  if (*temp == '-')
    temp++;
  return (STREQ (temp, RESTRICTED_SHELL_NAME));
}
added 98 characters in body
Chris Down

Do not do this. rbash should only be used within a chroot unless you know what you are doing. There are many ways to break out of a restricted bash shell that are not easy to predict in advance.

Functions can easily be overridden simply by doing command bash or command sh.

As for your questions:

  • You can't define multiple functions at the same time directly. You'd have to do something like this:
x()  { foo; }
f1() { x; }
f2() { x; }
  • rbash works because bash checks the value of argv[0] on launch. If the basename, with leading dashes stripped, is equal to RESTRICTED_SHELL_NAME (defaulting to rbash, see config.h), it runs in restricted mode. This is the same way that it runs in POSIX-compliance mode if invoked as sh. You can see this in the following code from shell.c in bash 4.2, lines 1132-1147:
/* Return 1 if the shell should be a restricted one based on NAME or the
   value of `restricted'.  Don't actually do anything, just return a
   boolean value. */
int
shell_is_restricted (name)
     char *name;
{
  char *temp;

  if (restricted)
    return 1;
  temp = base_pathname (name);
  if (*temp == '-')
    temp++;
  return (STREQ (temp, RESTRICTED_SHELL_NAME));
}
added 1551 characters in body
Chris Down