Bug 78455 - rbash doesn't restrict cd or commands with /
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: bash
Version: 8.0
Hardware: i686
OS: Linux
Target Milestone: ---
Assignee: Tim Waugh
Reported: 2002-11-23 04:50 UTC by hatlas
Modified: 2008-05-01 15:38 UTC (History)

Doc Type: Bug Fix
Last Closed: 2002-11-27 16:27:23 UTC


System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2003:140 | 0 | normal | SHIPPED_LIVE | Updated bash packages fix several bugs | 2003-06-23 04:00:00 UTC

Description hatlas 2002-11-23 04:51:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
By design, rbash is supposed to restrict use of cd and execution of commands 
with "/".  This works on my RH7.2 box, but not on RH8.0.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ln -s /bin/bash2 /bin/rbash; echo "/bin/rbash" >> /etc/shells
2. useradd unknown -s /bin/rbash
3. log in as unknown, echo $0 shows -rbash, but can use cd and /

Actual Results:  From within a /bin/bash shell, executing /bin/rbash does 
yield the correct results with cd and "/", but using /etc/passwd and using 
login, sshd, or su bash is not restricted.

Expected Results:  Having /bin/rbash as the shell in /etc/passwd should put 
the user into a restricted shell that does not allow cd or commands to be 
executed with /

Additional info:

Display version of bash:
      piggy$ /bin/bash --version
      GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu)
      Copyright (C) 2002 Free Software Foundation, Inc.
Show what shell we are using:
      piggy$ echo $0
Run a command using "/" in it?? not allowed in rbash??
      piggy$ /usr/bin/whoami
Show what our path is:
      piggy$ echo $PATH

Comment 1 hatlas 2002-11-26 20:15:01 UTC
This is confirmed as a bug.  It appears as if the Red Hat rpm needs to be
patched and distributed.

Subject: Re: rbash 2.05b security hole (fwd)
From: Chet Ramey <chet@nike.ins.cwru.edu> 
Date: Mon, November 25, 2002 9:04 am 
Cc: chet@po.cwru.edu 
> ---------- Forwarded message ----------
> Date: Thu, 14 Nov 2002 17:14:19 -0600 (CST)
> From: Howard Atlas
> To: bug-bash@gnu.org
> Subject: rbash 2.05b security hole
> rbash is not supposed to allow any commands that include a "/".  See below:
> Display version of bash:
>       piggy$ /bin/bash --version
>       GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu)
>       Copyright (C) 2002 Free Software Foundation, Inc.
> Show what shell we are using:
>       piggy$ echo $0
>       -rbash
> Run a command using "/" in it?? not allowed in rbash??
>       piggy$ /usr/bin/whoami

It's a bug.  Bash mishandles `-rbash' and does not enable restricted mode.
It's been fixed for a while.  Try this patch and see if you like it.

*** ../bash-2.05b-patched/shell.c        Mon Jul  1 11:27:11 2002
--- shell.c        Sat Oct 12 14:41:10 2002
*** 1083,1086 ****
--- 1083,1088 ----
    temp = base_pathname (name);
+   if (*temp == '-')
+     temp++;
    if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)))
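
Review bot: The leading-dash skip is applied only at this one comparison (lines 1083-1088), so any other place in shell.c that tests the basename against RESTRICTED_SHELL_NAME still sees `-rbash` for a login shell and will not match. The later patch in this report shows one such site, `return (STREQ (temp, RESTRICTED_SHELL_NAME));` near line 1065, which this hunk leaves unchanged; the same `if (*temp == '-') temp++;` belongs there, ideally through one shared helper so the two checks cannot disagree. A one-line comment saying that login programs pass argv[0] with a leading '-' would also explain why the character is skipped.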

Chet Ramey, ITS, CWRU    chet@po.CWRU.Edu    http://cnswww.cns.cwru.edu/~chet/
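
The name check described in the reply above, as an added example that is not code from bash or from anyone in this thread: it compares an exact-match basename test with one that first skips a login shell's leading '-'. The helper names, the simplified basename routine, the "rbash" value assumed for RESTRICTED_SHELL_NAME and the sample argv[0] strings are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value: matches the /bin/rbash symlink name used in this report. */
#define RESTRICTED_NAME "rbash"

/* Simplified stand-in for bash's base_pathname(): text after the last '/'. */
static const char *base_name(const char *name)
{
    const char *slash = strrchr(name, '/');
    return slash ? slash + 1 : name;
}

/* Name check as reported broken: exact match on the basename only. */
static int restricted_by_name_before(const char *argv0)
{
    return strcmp(base_name(argv0), RESTRICTED_NAME) == 0;
}

/* Name check with the leading '-' of a login shell skipped first. */
static int restricted_by_name_after(const char *argv0)
{
    const char *temp = base_name(argv0);

    if (*temp == '-')
        temp++;
    return strcmp(temp, RESTRICTED_NAME) == 0;
}

int main(void)
{
    /* Constructed argv[0] values: run from another shell vs. as a login shell. */
    static const char *const samples[] = {
        "rbash", "/bin/rbash", "-rbash", "-bash", "/bin/bash"
    };
    size_t i;

    printf("%-12s %-7s %-7s\n", "argv[0]", "before", "after");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %-7d %-7d\n", samples[i],
               restricted_by_name_before(samples[i]),
               restricted_by_name_after(samples[i]));
    return 0;
}
```

Only the `-rbash` row differs between the two columns, which matches the report: running /bin/rbash from another shell is restricted, while the same binary started as a login shell is not.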

Comment 2 Tim Waugh 2002-11-29 14:51:20 UTC
Fixed package is bash-2.05b-11, which will shortly appear in rawhide.

Comment 3 hatlas 2002-12-05 16:13:40 UTC
This is my first time reporting a bug; when will the updated package be listed 
as an official update to RH 8.0 (i.e. available via up2date)?


Comment 4 Tim Waugh 2002-12-05 16:20:31 UTC
I'm not sure that this problem is serious enough to warrant an advisory at the

Comment 5 hatlas 2002-12-05 16:37:12 UTC
Shouldn't someone who buys RH 8.0 and then performs an update using RHN expect
the product to be updated to the best of the vendor's capabilities?

How does a user know when to download a package from rawhide, and when to
download a package from updates?

Comment 6 Hannu Kivimäki 2003-03-20 13:21:04 UTC
I updated bash to Raw Hide version 2.05b-20, but the bug
still seems to be there. As reported by hatlas, everything's
fine if rbash is executed from another shell, but
no restrictions are applied if rbash is used as login shell.
Anyone have this working properly on Red Hat 8.0?

Comment 7 Hannu Kivimäki 2003-03-26 10:32:07 UTC
Latest Raw Hide RPM (2.05b-21) doesn't work either.
This bug has been discussed on Bash mailing list, see

This is the patch suggested:

--- bash-2.05b/shell.c.ORI	2003-01-16 12:23:56.000000000 +0100
+++ bash-2.05b/shell.c	2003-01-16 12:25:52.000000000 +0100
@@ -1065,7 +1065,7 @@
   if (restricted)
     return 1;
   temp = base_pathname (name);
-  return (STREQ (temp, RESTRICTED_SHELL_NAME));
+  return ( (STREQ (temp, RESTRICTED_SHELL_NAME)) || (STREQ (temp,
 /* Perhaps make this shell a `restricted' one, based on NAME.  If the
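
Review bot: The added `return` line is cut off after `(STREQ (temp,`, so the second name being compared is not visible and the hunk cannot be applied or reviewed as posted; please resend it with the full line. Assuming the missing operand is a dash-prefixed spelling of the shell name, comparing against two literals is more brittle than skipping a leading '-' on `temp` once after `base_pathname (name)`, which is what the earlier patch in this report does with `if (*temp == '-') temp++;`.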
@@ -1082,7 +1082,7 @@
   char *temp;
   temp = base_pathname (name);
-  if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)))
+  if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)) || (STREQ (temp,
       set_var_read_only ("PATH");
       set_var_read_only ("SHELL");
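
Review bot: The condition on the changed `if (restricted || ...` line now duplicates the two-way name comparison from the hunk at 1065, and two hand-maintained copies can drift apart. Have this site reuse the check that the 1065 hunk returns, or normalise `temp` once before comparing, so that the `set_var_read_only ("PATH")` and `set_var_read_only ("SHELL")` setup always agrees with what the query reports. This added line is also truncated after `(STREQ (temp,` and needs resending in full.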

Comment 8 Tim Waugh 2003-03-26 10:45:43 UTC
Thanks, but please try bash-2.05b-22 when it appears in rawhide.  It contains a
patch which I think is equivalent (and slightly better IMHO).

I seem to have forgotten to add a comment to that effect when closing this bug
yesterday; sorry.

Comment 9 Tim Waugh 2003-06-23 14:52:21 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

