
The bash manual says:

A restricted shell behaves identically to bash with the exception that the following are disallowed or not performed:

Changing directories with the cd builtin.

Why is this not allowed? What security holes does this close / What attacks does it help prevent?

WhiteWinterWolf
Michael Thorpe
  • Probably just to help sandbox a user who has gained access to the system. If you can't `cd` then determining the directory structure can be difficult. Assuming tab completion is also removed/restricted for the user. – RoraΖ Jul 27 '16 at 16:23
  • @RoraΖ: Preventing `cd` does not block commands like `ls -R /` for instance. – WhiteWinterWolf Jul 27 '16 at 16:59

1 Answer


By itself, this measure most probably doesn't make a lot of sense; however, you have to put it alongside the other limitations to understand its role, in particular (quoting the page you linked):

  • Specifying command names containing slashes.
  • Specifying a filename containing a slash as an argument to the . builtin command.
  • Specifying a filename containing a slash as an argument to the -p option to the hash builtin command.

The goal of these limitations is to ensure that you only execute commands whose path belongs to the $PATH environment variable, and in case this variable includes the current directory (.), changing the current directory to the one containing the desired binary would allow circumventing these "slash-based" limitations.

Moreover, preventing the user from changing the current directory will also prevent him from mistakenly or maliciously running a command which will have a different behavior depending on the current directory, and in particular depending on the content of the current directory (it is common for some commands to seek default configuration or profile files, for instance, in the current directory). This brings some level of guarantee on the behavior of the command which will be run.

WhiteWinterWolf