Restricted Mode

Sometimes, it is desirable to severly limit the access rights and privileges of a UNIX account. Once such example is when someone wants to set up a 'guest' account on a linux box for their friends to use. The owner, however, wants to prevent users from snooping around the system and to pre-empt any malicious activites. zsh provides this functionality through a restricted mode.

Benefits of Restricted Mode

When zsh is operating in restricted mode, the user can not:

turning off restricted mode with set +r or unsetopt RESTRICTED
specifying command names containing a '/' anywhere in them.
changing directories with the cd builtin
specifying command pathnames using hash
using the exec builtin command to replace the shell with another command
redirecting output to files
specifying modules to be loaded with an explicitly given pathname containing slashes
using jobs -Z to overwrite the shell process' argument and environment space
using the ARGV0 parameter to override argv[0] for external commands
changing or unsetting the following parameters: PATH path MODULE_PATH module_path SHELL HISTFILE HISTSIZE GID EGID UID EUID USERNAME LD_LIBRARY_PATH LD_AOUT_LIBRARY_PATH LD_PRELOAD LD_AOUT_PRELOAD

The above are not enough to simply make an account 'secure'. You should take care to cautiously create startup files for the restricted shell.

You should set PATH in the startup files to point to a directory with 'safe' commands for the user to run.
Various zsh builtin commands can be disabled in the startup process with
disable COMMAND,
where COMMAND is the zsh command to be turned off.

Enabling Restricted Mode

There are three main ways to put zsh in restricted mode. The first two are at startup and the last can be used anytime...

1. Ssupplying the -r command-line option to zsh

2. Invoke zsh with a command that starts with 'r'.

An easy way to do this is to make a soft link called rzsh and point it to the zsh binary.

lyric[251]: ln -s ./zsh rzsh
lyric[252]: ./rzsh
lyric[1]: cd
cd: restricted
zsh: exit 1
lyric[2]:

Note that you can still emulate another shell. After the 'r' is stripped off, the next letter is used to determine emulation. IE, rksh will cause zsh to emulate ksh, and run in restricted mode.

3. Turn on the shell option RESTRICTED at any time.