Bash actually has this feature built in. Restricted shell they call it. Start it... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		Too on Sept 19, 2023 \| parent \| context \| favorite \| on: Unix shells are generally not viable access contro... Bash actually has this feature built in. Restricted shell they call it. Start it as rbash or bash -r. It will lock down the shell to not allow cd, setting envvars, launching commands outside working directory and a lot more. If you look at the full list of things they disable you realize how many obscure holes are available you never would have thought about. Not that I would ever trust it enough to expose on a shared box. Likewise with a tailor made shellscript. I’d take a bespoke server in go any day.

jolmg on Sept 19, 2023 [–]

It's not the same thing. You're comparing a white-listing approach with a black-listing approach. The example shell doesn't have any concept of directories or environment variables or anything other than cmd_foo and cmd_bar. The only things that exist are the things written to exist.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact