logoalt Hacker News

8organicbitslast Sunday at 3:10 PM2 repliesview on HN

Does that work? I've never seen it used. It seems easy to escape.

The docs seem to suggest using alternate approaches.

> Modern systems provide more secure ways to implement a restricted environment, such as jails, zones, or containers.

https://www.gnu.org/software/bash/manual/html_node/The-Restr...


Replies

AdieuToLogiclast Monday at 3:05 AM

>> bash actually has a "restricted" mode ...

> Does that work? I've never seen it used. It seems easy to escape.

Yes, it does work for its intended purpose. It has often been used in combination with chroot[0] as well.

> The docs seem to suggest using alternate approaches.

>> Modern systems provide more secure ways to implement a restricted environment, such as jails, zones, or containers.

These approaches are not mutually exclusive with restricted shell use. For example, one could use FreeBSD jails to secure Apache httpd and/or Nginx and still employ a restricted shell to evaluate requests.

0 - https://man.freebsd.org/cgi/man.cgi?query=chroot&apropos=0&s...

show 1 reply
SoftTalkerlast Sunday at 3:19 PM

I don't think I've ever seen it used. I think the idea was back in the day when you wanted to let a user have a shell login (because that's the only way you could use a shared computer) but wanted to confine them to a specific directory and prevent them running anything that wasn't in the pre-defined PATH that you set for them.

show 3 replies