Vineet Kumar wrote:
[...] Well, there's a clue about why it's not working the way you expect: bash enters restricted mode when invoked as 'rbash', but it's being invoked as '-rbash' from login.
I hadn't noticed that the first time around. I'm digging through the bash manpage, and the default for PS1 is "\s-\v\$ " (\s is basename of $0). The restricted option is based on an 'r' in the first character of the shell name, so this is no doubt the likely culprit.
I did notice the following in the manpage: "A login shell is one whose first character of argument zero is a -, or one started with the --login option." Yet the same info is in a version of the manpage dating to 1995. But it worked before!
So that's the "why", but unfortunately I don't know the proper way to set it up.
It looks like I can remedy the problem by doing a "set -r" in /etc/profile, but I'm a bit flabbergasted that this feature has gone from defaulting to a somewhat secure setting, to a blatantly insecure one. Surely I'm not the only one to have been burnt by this? I've re-read all the info I found previously on using bash in restricted mode, and setting the user's shell to /bin/rbash is normally adequate (with a restrictive $PATH, etc.)
Thank you for pointing the difference out, as I'd missed that important clue. With "set -r", it's working as expected now.
- Bob
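
The "set -r" workaround from the message above, written as a guard for /etc/profile. This is an added example, not part of the original thread; the function names and the /usr/local/rbin directory are hypothetical placeholders. It applies the restriction only when the shell was started under the rbash name (with or without the login "-" prefix) and is not already restricted.

```shell
# Added example for /etc/profile; names and the PATH directory are hypothetical.

# True if argv[0] names rbash, with or without the login-shell "-" prefix
# and with or without a leading directory ("-rbash", "rbash", "/bin/rbash").
is_rbash_name() {
    case ${1#-} in          # drop the "-" that login puts in front of argv[0]
        rbash|*/rbash) return 0 ;;
        *)             return 1 ;;
    esac
}

# True if the option-flag string (the value of $-) contains "r",
# which bash sets while restricted mode is active.
is_restricted_flags() {
    case $1 in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# True when the shell was started under the rbash name but is not restricted.
needs_set_r() {
    is_rbash_name "$1" && ! is_restricted_flags "$2"
}

if needs_set_r "$0" "$-"; then
    # PATH must be fixed first: a restricted shell refuses to change it.
    PATH=/usr/local/rbin    # placeholder directory holding only permitted commands
    export PATH
    set -r                  # cannot be turned off again from inside the shell
fi
```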