Within rbash, attempting to open a socket using /dev/tcp with <> fails as expected due to output redirection being disabled:
rbash-4.4$ exec 3<>/dev/tcp/www.gnu.org/80 rbash: /dev/tcp/www.gnu.org/80: restricted: cannot redirect output However, I noticed that output redirection is not disabled on open file descriptors in rbash: rbash-4.4$ echo foo >&1 foo Additionally, even if a socket is opened only for reading, bash allows writing to it. (This is not true for normal files, attempting to a file opened read only fails with "write error: Bad file descriptor" as expected.) Combining these issues, within rbash we can open a socket for reading, and perform full read write I/O on it: exec 3</dev/tcp/www.gnu.org/80 echo -e "GET /software/bash/ HTTP/1.1\r\nhost: www.gnu.org\r\nConnection: close\r\n\r\n" >&3 cat <&3 This appears to be a bug because normally output redirection is disabled rbash. -- Blake Burkhart
