zsh/Doc/Zsh/restricted.yo

texinode(Restricted Shell)()(Compatibility)(Invocation)
sect(Restricted Shell)
cindex(restricted shell)
pindex(RESTRICTED)
When the basename of the command used to invoke zsh starts with the letter
`tt(r)' or the `tt(-r)' command line option is supplied at invocation, the
shell becomes restricted.  Emulation mode is determined after stripping the
letter `tt(r)' from the invocation name.  The following are disabled in
restricted mode:

startitemize()
itemiz(changing directories with the tt(cd) builtin)
itemiz(changing or unsetting the tt(EGID), tt(EUID), tt(GID),
tt(HISTFILE), tt(HISTSIZE), tt(IFS), tt(LD_AOUT_LIBRARY_PATH),
tt(LD_AOUT_PRELOAD), tt(LD_LIBRARY_PATH), tt(LD_PRELOAD),
tt(MODULE_PATH), tt(module_path), tt(PATH), tt(path), tt(SHELL),
tt(UID) and tt(USERNAME) parameters)
itemiz(specifying command names containing tt(/))
itemiz(specifying command pathnames using tt(hash))
itemiz(redirecting output to files)
itemiz(using the tt(exec) builtin command to replace the shell with another
command)
itemiz(using tt(jobs -Z) to overwrite the shell process' argument and
environment space)
itemiz(using the tt(ARGV0) parameter to override tt(argv[0]) for external
commands)
itemiz(turning off restricted mode with tt(set +r) or tt(unsetopt
RESTRICTED))
enditemize()

These restrictions are enforced after processing the startup files.  The
startup files should set up tt(PATH) to point to a directory of commands
which can be safely invoked in the restricted environment.  They may also
add further restrictions by disabling selected builtins.

Restricted mode can also be activated any time by setting the
tt(RESTRICTED) option.  This immediately enables all the restrictions
described above even if the shell still has not processed all startup
files.