logoalt Hacker News

AdieuToLogiclast Monday at 3:05 AM1 replyview on HN

>> bash actually has a "restricted" mode ...

> Does that work? I've never seen it used. It seems easy to escape.

Yes, it does work for its intended purpose. It has often been used in combination with chroot[0] as well.

> The docs seem to suggest using alternate approaches.

>> Modern systems provide more secure ways to implement a restricted environment, such as jails, zones, or containers.

These approaches are not mutually exclusive with restricted shell use. For example, one could use FreeBSD jails to secure Apache httpd and/or Nginx and still employ a restricted shell to evaluate requests.

0 - https://man.freebsd.org/cgi/man.cgi?query=chroot&apropos=0&s...


Replies

8organicbitslast Monday at 12:45 PM

I'm seeing a ton of restricted mode escapes documented online, like https://0xffsec.com/handbook/shells/restricted-shells/ so I'm not so sure. When basic utilities like less, man, and awk can run subshells it's quite a mess.

Bash restricted mode needing a chroot may suggest that Claude also needs a chroot (or restricted file permissions, jail, etc).

show 1 reply