Bug 78455 - rbash doesn't restrict cd or commands with /
Product: Red Hat Linux
Classification: Retired
Component: bash
i686 Linux
medium Severity medium
Assigned To: Tim Waugh
: Security
Reported: 2002-11-22 23:50 EST by hatlas
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2002-11-27 11:27:23 EST
Description hatlas 2002-11-22 23:51:00 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
By design, rbash is supposed to restrict use of cd and execution of commands 
with "/".  This works on my RH7.2 box, but not on RH8.0

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. ln -s /bin/bash2 /bin/rbash; echo "/bin/rbash" >> /etc/shells
2. useradd unknown -s /bin/rbash
3. login as unknown, echo $0 shows -rbash, but can use cd and /

Actual Results:  From within a /bin/bash shell, executing /bin/rbash does 
yield the correct results with cd and "/", but using /etc/passwd and using 
login, sshd, or su bash is not restricted.

Expected Results:  Having /bin/rbash as the shell in /etc/passwd should put 
the user into a restricted shell that does not allow cd or commands to be 
executed with /

Additional info:

Display version of bash:
      piggy$ /bin/bash --version
      GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu)
      Copyright (C) 2002 Free Software Foundation, Inc.
Show what shell we are using:
      piggy$ echo $0
Run a command using "/" in it?? not allowed in rbash??
      piggy$ /usr/bin/whoami
Show what our path is:
      piggy$ echo $PATH
Comment 1 hatlas 2002-11-26 15:15:01 EST
This is confirmed as a bug.  It appears as if the Red Hat rpm needs to be
patched and distributed.

Subject: Re: rbash 2.05b security hole (fwd)
From: Chet Ramey <chet@nike.ins.cwru.edu> 
Date: Mon, November 25, 2002 9:04 am 
Cc: chet@po.cwru.edu 
> ---------- Forwarded message ----------
> Date: Thu, 14 Nov 2002 17:14:19 -0600 (CST)
> From: Howard Atlas
> To: bug-bash@gnu.org
> Subject: rbash 2.05b security hole
> rbash is not supposed to allow any commands that include a "/".  See below:
> Display version of bash:
>       piggy$ /bin/bash --version
>       GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu)
>       Copyright (C) 2002 Free Software Foundation, Inc.
> Show what shell we are using:
>       piggy$ echo $0
>       -rbash
> Run a command using "/" in it?? not allowed in rbash??
>       piggy$ /usr/bin/whoami

It's a bug.  Bash mishandles `-rbash' and does not enable restricted mode.
It's been fixed for a while.  Try this patch and see if you like it.

*** ../bash-2.05b-patched/shell.c        Mon Jul  1 11:27:11 2002
--- shell.c        Sat Oct 12 14:41:10 2002
*** 1083,1086 ****
--- 1083,1088 ----
    temp = base_pathname (name);
+   if (*temp == '-')
+     temp++;
    if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)))
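
Review bot: the `temp++` skip after `base_pathname (name)` is applied only at this one comparison (line 1083), while the unified diff later on this page shows a second test, `return (STREQ (temp, RESTRICTED_SHELL_NAME));` near line 1065, that would still see `-rbash` unless it gets the same two lines. Suggest stripping the leading `-` at both sites, or in one shared helper, and adding a short comment that a login shell's argv[0] begins with `-`.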

Chet Ramey, ITS, CWRU    chet@po.CWRU.Edu    http://cnswww.cns.cwru.edu/~chet/
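
Added example (not bash source and not part of the original report): a small C model of the name check discussed above, showing why a login-style argv[0] of `-rbash` misses the comparison and how skipping the leading `-` restores it. The function names and the sample argv[0] values are constructed for illustration; `basename_of` stands in for bash's `base_pathname`.

```c
#include <stdio.h>
#include <string.h>

#define RESTRICTED_SHELL_NAME "rbash"

/* Hypothetical stand-in for base_pathname(): text after the last '/'. */
static const char *basename_of(const char *name)
{
    const char *slash = strrchr(name, '/');
    return slash ? slash + 1 : name;
}

/* Behaviour described in the report: the raw basename is compared,
 * so a login shell started as "-rbash" is never recognised. */
int restricted_by_name_unpatched(const char *argv0)
{
    return strcmp(basename_of(argv0), RESTRICTED_SHELL_NAME) == 0;
}

/* Behaviour after the fix: drop the '-' that marks a login shell
 * before comparing against the restricted shell name. */
int restricted_by_name_patched(const char *argv0)
{
    const char *temp = basename_of(argv0);
    if (*temp == '-')
        temp++;
    return strcmp(temp, RESTRICTED_SHELL_NAME) == 0;
}

int main(void)
{
    /* Constructed argv[0] values: direct invocation, full path,
     * login-style names, and an ordinary bash for contrast. */
    static const char *samples[] = {
        "rbash", "/bin/rbash", "-rbash", "-bash", "/bin/bash"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s unpatched=%d patched=%d\n", samples[i],
               restricted_by_name_unpatched(samples[i]),
               restricted_by_name_patched(samples[i]));
    return 0;
}
```

Only the `-rbash` row differs between the two columns, which matches the report: rbash started from another shell is restricted, while the same binary started as a login shell is not.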

Comment 2 Tim Waugh 2002-11-29 09:51:20 EST
Fixed package is bash-2.05b-11, which will shortly appear in rawhide.
Comment 3 hatlas 2002-12-05 11:13:40 EST
This is my first time reporting a bug; when will the updated package be listed 
as an official update to RH 8.0 (i.e. available via up2date)?

Comment 4 Tim Waugh 2002-12-05 11:20:31 EST
I'm not sure that this problem is serious enough to warrant an advisory at the
Comment 5 hatlas 2002-12-05 11:37:12 EST
Shouldn't someone who buys RH 8.0 and then performs an update using RHN expect
the product to be updated to the best of the vendor's capabilities?

How does a user know when to download a package from rawhide, and when to
download a package from updates?
Comment 6 Hannu Kivimäki 2003-03-20 08:21:04 EST
I updated bash to Raw Hide version 2.05b-20, but the bug
still seems to be there. As reported by hatlas, everything's
fine if rbash is executed from another shell, but
no restrictions are applied if rbash is used as login shell.
Anyone have this working properly on Red Hat 8.0?
Comment 7 Hannu Kivimäki 2003-03-26 05:32:07 EST
Latest Raw Hide RPM (2.05b-21) doesn't work either.
This bug has been discussed on Bash mailing list, see

This is the patch suggested:

--- bash-2.05b/shell.c.ORI	2003-01-16 12:23:56.000000000 +0100
+++ bash-2.05b/shell.c	2003-01-16 12:25:52.000000000 +0100
@@ -1065,7 +1065,7 @@
   if (restricted)
     return 1;
   temp = base_pathname (name);
-  return (STREQ (temp, RESTRICTED_SHELL_NAME));
+  return ( (STREQ (temp, RESTRICTED_SHELL_NAME)) || (STREQ (temp,
 /* Perhaps make this shell a `restricted' one, based on NAME.  If the
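
Review bot: the added `return` line is cut off after `(STREQ (temp,` as shown here, so the second operand cannot be reviewed. Assuming it compares against a `-`-prefixed name, consider skipping a leading `-` on `temp` once instead of adding a second string comparison, which keeps the check tied to the single RESTRICTED_SHELL_NAME definition. The doubled opening `( (STREQ` also departs from the spacing of the line it replaces.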
@@ -1082,7 +1082,7 @@
   char *temp;
   temp = base_pathname (name);
-  if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)))
+  if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)) || (STREQ (temp,
       set_var_read_only ("PATH");
       set_var_read_only ("SHELL");
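
Review bot: the condition added at line 1082 repeats the name test from the first hunk, so the two sites can drift apart again. Since the function in the first hunk already returns 1 when `restricted` is set and otherwise performs the name comparison, this `if` could call it instead of spelling the comparisons out a second time.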

Comment 8 Tim Waugh 2003-03-26 05:45:43 EST
Thanks, but please try bash-2.05b-22 when it appears in rawhide.  It contains a
patch which I think is equivalent (and slightly better IMHO).

I seem to have forgotten to add a comment to that effect when closing this bug
yesterday; sorry.
Comment 9 Tim Waugh 2003-06-23 10:52:21 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

