Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins



Yes, I agree.

On Sun, Feb 1, 2026 at 4:10 AM Oliver Kiddle <opk@xxxxxxx> wrote:
>
> On further deliberation, I think we should just drop the whole
> restricted mode feature. The documentation has carried a warning that
> "the feature may be removed in future" for the past six years.
>
> Please say if you disagree.
>
> Mikael Magnusson wrote:
> > Is this bit supposed to also have an isset(RESTRICTED)?
>
> Yes, sorry. Though I notice that the documentation specifically mentions
> that the system module should be disabled for restricted mode so if
> we do want to "fix" restricted mode, this part is not necessary. We
> could perhaps just recommend disabling zcompile in the documentation.
> Variables like TMPPREFIX are problematic, though. Many of the variables
> used by the runtime loader are also a major flaw with the concept behind
> a restricted shell. If writing to files is to be blocked then Linux's
> LD_DEBUG_OUTPUT gets around that. LD_PRELOAD or LD_LIBRARY_PATH may make
> for an easier escape route. It's not the shell's job to block these off
> and they vary considerably across operating systems.
>
> In zsh, the feature apparently dates to Jan 1997 and was first released
> with 3.1.2. Just about too old for there to be a mailing list post so
> I'll just have to assume it was added because ksh has the feature.
>
> Oliver



