1# Tests for restricted shell 2 3# Restricted shell should always be run in a separate shell. Otherwise it will cause issues while 4# cleaning up test directory (changing directories is not permitted in restricted shells). 5 6# The actions of rksh are identical to those of ksh, except that the following are disallowed: 7 8# ========== 9# Unsetting the restricted option. 10actual=$($SHELL -c "set -r; set +r" 2>&1) 11expect="set: r: restricted" 12[[ "$actual" =~ "$expect" ]] || log_error "set +r should be restricted" "$expect" "$actual" 13 14# ========== 15# Changing directory (see cd(1)), 16actual=$($SHELL -c "set -r; cd .." 2>&1) 17expect="cd: restricted" 18[[ "$actual" =~ "$expect" ]] || log_error "cd should be restricted" "$expect" "$actual" 19 20# ========== 21# Setting or unsetting the value or attributes of SHELL, ENV, FPATH, or PATH, 22actual=$($SHELL -c "set -r; SHELL=foo" 2>&1) 23expect="SHELL: restricted" 24[[ "$actual" =~ "$expect" ]] || log_error "Setting SHELL should be restricted" "$expect" "$actual" 25 26actual=$($SHELL -c "set -r; unset SHELL" 2>&1) 27expect="unset: SHELL: restricted" 28[[ "$actual" =~ "$expect" ]] || log_error "Unsetting SHELL should be restricted" "$expect" "$actual" 29 30actual=$($SHELL -c "set -r; ENV=foo" 2>&1) 31expect="ENV: restricted" 32[[ "$actual" =~ "$expect" ]] || log_error "Setting ENV should be restricted" "$expect" "$actual" 33 34actual=$($SHELL -c "set -r; unset ENV" 2>&1) 35expect="unset: ENV: restricted" 36[[ "$actual" =~ "$expect" ]] || log_error "Unsetting ENV should be restricted" "$expect" "$actual" 37 38actual=$($SHELL -c "set -r; FPATH=foo" 2>&1) 39expect="FPATH: restricted" 40[[ "$actual" =~ "$expect" ]] || log_error "Setting FPATH should be restricted" "$expect" "$actual" 41 42actual=$($SHELL -c "FPATH=.; set -r; unset FPATH" 2>&1) 43expect="unset: FPATH: restricted" 44[[ "$actual" =~ "$expect" ]] || log_error "Unsetting FPATH should be restricted" "$expect" "$actual" 45 46actual=$($SHELL -c "set -r; PATH=foo" 2>&1) 47expect="PATH: restricted" 48[[ "$actual" =~ "$expect" ]] || log_error "Setting PATH should be restricted" "$expect" "$actual" 49 50actual=$($SHELL -c "set -r; unset PATH" 2>&1) 51expect="unset: PATH: restricted" 52[[ "$actual" =~ "$expect" ]] || log_error "Unsetting PATH should be restricted" "$expect" "$actual" 53 54# ========== 55# Specifying path or command names containing /, 56actual=$($SHELL -c "set -r; /bin/cat" 2>&1) 57expect="/bin/cat: restricted" 58[[ "$actual" =~ "$expect" ]] || log_error "Specifying path through / should be restricted" "$expect" "$actual" 59 60# ========== 61# Redirecting output (>, >|, <>, and >>). 62actual=$($SHELL -c "set -r; ls > /dev/null" 2>&1) 63expect="/dev/null: restricted" 64[[ "$actual" =~ "$expect" ]] || log_error "Redirecting output through > should be restricted" "$expect" "$actual" 65 66actual=$($SHELL -c "set -r; ls >| cat" 2>&1) 67expect="cat: restricted" 68[[ "$actual" =~ "$expect" ]] || log_error "Redirecting output through >| should be restricted" "$expect" "$actual" 69 70actual=$($SHELL -c "set -r; ls <> /dev/null" 2>&1) 71expect="/dev/null: restricted" 72[[ "$actual" =~ "$expect" ]] || log_error "Redirecting output through <> should be restricted" "$expect" "$actual" 73 74actual=$($SHELL -c "set -r; ls >> /dev/null" 2>&1) 75expect="/dev/null: restricted" 76[[ "$actual" =~ "$expect" ]] || log_error "Redirecting output through >> should be restricted" "$expect" "$actual" 77 78# ========== 79# Adding or deleting built-in commands. 80actual=$($SHELL -c "set -r; builtin cat" 2>&1) 81expect="builtin: builtin: restricted" 82[[ "$actual" = "$expect" ]] || log_error "Enabling a builtin should be restricted" "$expect" "$actual" 83 84actual=$($SHELL -c "set -r; builtin -d sleep" 2>&1) 85expect="builtin: builtin: restricted" 86[[ "$actual" = "$expect" ]] || log_error "Disabling a builtin should be restricted" "$expect" "$actual" 87 88# ========== 89# Using command -p to invoke a command. 90actual=$($SHELL -c "set -r; command -p ls" 2>&1) 91expect="-p: restricted" 92[[ "$actual" =~ "$expect" ]] || log_error "command -p should be restricted" "$expect" "$actual" 93