Bash restricted Shell using rbash

Question

I am using /bin/rbash for some users. It's working as expected but there is some hack like when users run bash or dash, then they got unrestricted shells, so to avoid these commands, I have added below functions in their .bashrc files.

bash() {
echo "WARNING: NOT ALLOW!!"
}

sh() {
echo "WARNING: NOT ALLOW!!"
}

So my question is:

1# can we use functions with multiple names as below

func1,func2 () {
 # do stuff
}

2# I also tried:

case $BASH_COMMAND in # check each command`
        bash|dash|sh) 
        echo "WARNING: NOT ALLOW!!" 
        ;;
esac

3# /bin/rbash -> bash it's just a soft link of bash, then how does it work as restricted?

Also there is some command to avoid users to execute that like unset HISTFILE and kill -9 $$ Is there any alternate way to achieve the same?

Answer 1

Do not do this. rbash should only be used within an already secure environment unless you know what you are doing. There are many ways to break out a restricted bash shell that are not easy to predict in advance.

Functions can easily be overridden simply by doing command bash or command sh.

As for your questions:

• You can't define multiple functions at the same time directly. You'd have to do something like this:

x()  { foo; }
alias f1=x
alias f2=x

• rbash works because bash checks the value of argv[0] on launch. If the basename, with leading dashes stripped, is equal to RESTRICTED_SHELL_NAME (defaulting to rbash, see config.h), it runs in restricted mode. This is the same way that it runs in POSIX-compliance mode if invoked as sh. You can see this in the following code from shell.c in bash 4.2, lines 1132-1147:

/* Return 1 if the shell should be a restricted one based on NAME or the
   value of `restricted'.  Don't actually do anything, just return a
   boolean value. */
int
shell_is_restricted (name)
     char *name;
{
  char *temp;

  if (restricted)
    return 1;
  temp = base_pathname (name);
  if (*temp == '-')
    temp++;
  return (STREQ (temp, RESTRICTED_SHELL_NAME));
}