Sometimes, it is desirable to severly limit the access rights and
privileges of a UNIX account. Once such example is when someone wants
to set up a 'guest' account on a linux box for their friends to use.
The owner, however, wants to prevent users from snooping around the
system and to pre-empt any malicious activites. zsh provides this
functionality through a restricted mode.
Benefits of Restricted Mode
When zsh is operating in restricted mode, the user can not:
The above are not enough to simply make an account 'secure'. You
should take care to cautiously create startup files for the restricted
- turning off restricted mode with
set +r or
- specifying command names containing a '/' anywhere in
- changing directories with the cd builtin
- specifying command pathnames using
- using the exec builtin command to replace the shell with another command
- redirecting output to files
- specifying modules to be loaded with an explicitly given pathname
jobs -Z to overwrite the shell process' argument and
- using the
ARGV0 parameter to override
for external commands
- changing or unsetting the following parameters:
MODULE_PATH module_path SHELL HISTFILE HISTSIZE GID EGID UID
EUID USERNAME LD_LIBRARY_PATH LD_AOUT_LIBRARY_PATH
Enabling Restricted Mode
There are three main ways to put zsh in restricted mode. The first two are
at startup and the last can be used anytime...
1. Ssupplying the
-r command-line option to zsh
2. Invoke zsh with a command that starts with 'r'.
An easy way to do this is to make a soft link called
and point it to the
lyric: ln -s ./zsh rzsh
zsh: exit 1
Note that you can still emulate another shell. After the 'r' is stripped
off, the next letter is used to determine emulation. IE,
will cause zsh to emulate ksh, and run in restricted
3. Turn on the shell option
RESTRICTED at any time.