Zsh Mailing List Archive
Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins
- X-seq: zsh-workers 54162
- From: Mikael Magnusson <mikachu@xxxxxxxxx>
- To: cyber security <cs7778503@xxxxxxxxx>
- Cc: zsh-workers@xxxxxxx
- Subject: Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins
- Date: Thu, 29 Jan 2026 12:16:13 +0100
- Archived-at: <https://zsh.org/workers/54162>
- In-reply-to: <CAPmip_z18_wQBZ09GG7TEKZ0GsTqQ34iZRvhsMAExOLSCcdQsg@mail.gmail.com>
- List-id: <zsh-workers.zsh.org>
- References: <CAPmip_z18_wQBZ09GG7TEKZ0GsTqQ34iZRvhsMAExOLSCcdQsg@mail.gmail.com>
On Thu, Jan 29, 2026 at 9:27 AM cyber security <cs7778503@xxxxxxxxx> wrote:
>
> Hello Zsh Maintainers,
>
> I am reporting a security issue in Zsh restricted mode (`zsh -r`).
>
> Summary:
> Restricted Zsh (`zsh -r`) can be escaped by abusing the `history -w`
> and `history -a` built-ins. These commands allow a confined user to
> overwrite files in $HOME, such as `.zprofile` or `.zshrc`. On the next
> login, these files are sourced, enabling PATH modification and
> arbitrary command execution outside the restricted environment. This
> undermines the confinement model of restricted shells.
>
> Impact:
> A local user placed in restricted mode can break out of confinement
> and escalate privileges. This issue is similar to the restricted Bash
> (`rbash`) escape disclosed on oss-security (Jan 28, 2026).
>
> Affected Versions:
> All current versions of Zsh supporting restricted mode (`zsh -r`).
>
> Mitigation:
> Administrators should disable or restrict the use of `history -w` and
> `history -a` in restricted environments, ensure $HOME is unwritable,
> and harden startup file permissions. Symlinks into writable
> directories should also be removed.
>
> References:
> - rbash disclosure: https://www.openwall.com/lists/oss-security/2026/01/28/1
>
> I am requesting acknowledgment of this issue and guidance on whether a
> patch or configuration hardening will be provided upstream. I am also
> requesting a CVE identifier for tracking.
>
> Thank you,
> RelunSec
>
Hi, the following doesn't constitute an official reply from the project.
It may be easy to fix this, in which case I don't really see a reason
to not do it, or it might make the code much messier in which case it
might not be worth it. Are you sure about your 'Summary'? Those
commands look like bash commands, not zsh commands. To write and/or
append history to a file in zsh you would use fc -W and fc -A,
'history -a' does not write to a file, and 'history -w' is not a valid
option at all. I would recommend you ensure your report is correct
before you go further, but also:
Consider the following patch from 6 years ago,
https://www.zsh.org/mla/workers/2019/msg00424.html which added this
text:
  A shell Restricted Mode is an outdated way to restrict what users
  may do: modern systems have better, safer and more reliable ways to
  confine user actions, such as chroot jails, containers and zones.
  A restricted shell is very difficult to implement safely. The
  feature may be removed in a future version of zsh.
which probably implies that we wouldn't consider this a security issue
in the first place.
--
Mikael Magnusson
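
Added example, not part of either message and not zsh project code: a POSIX sh audit of the hardening points listed under "Mitigation" in the quoted report (unwritable $HOME, locked-down startup files, no symlinks). The function name audit_rzsh_home is hypothetical, and the script assumes ZDOTDIR is unset so that zsh reads its startup files from $HOME.

```sh
#!/bin/sh
# audit_rzsh_home HOME_DIR USER   (hypothetical helper, added example)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# USER must be an existing account name or a numeric uid.
audit_rzsh_home() {
    home=$1; user=$2; findings=0

    flag() { printf '%s: %s\n' "$1" "$2"; findings=$((findings + 1)); }

    # True if USER owns the path (an owner can always chmod it back) or
    # it is group/world writable (conservative: group membership is not checked).
    writable_by() {
        [ -n "$(find "$1" -prune \( -user "$user" -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
    }

    if [ -L "$home" ]; then
        flag "$home" "home is a symlink -> $(readlink "$home")"
    elif writable_by "$home"; then
        flag "$home" "home is writable, startup files can be created or replaced"
    fi

    # Startup files zsh reads from $HOME when ZDOTDIR is unset (assumed here).
    for name in .zshenv .zprofile .zshrc .zlogin .zlogout; do
        f=$home/$name
        if [ -L "$f" ]; then
            flag "$f" "symlink -> $(readlink "$f")"
        elif [ -e "$f" ] && writable_by "$f"; then
            flag "$f" "startup file is writable"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed demo: throwaway home with one world-writable startup file,
# audited for a stand-in uid that does not own it.
demo=$(mktemp -d) && chmod 755 "$demo"
: > "$demo/.zshrc" && chmod 666 "$demo/.zshrc"
audit_rzsh_home "$demo" "$(( $(id -u) + 1 ))" || echo "fix the findings above"
rm -rf "$demo"
```

Run it as root against the real account, for example audit_rzsh_home /home/kiosk kiosk, where both the path and the account name are placeholders.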