Sign in Subscribe
Concepts

Least Privilege Shell Completion

Andrios Robert

1 min read

The command line waits for no one, and one wrong keystroke can open more doors than you intended. Least privilege shell completion fixes that. It limits shell auto-completion to only the commands and arguments you actually have permission to run. No more glimpses of sensitive paths. No more hints about systems you shouldn’t touch.

Most shells will happily suggest every binary in your $PATH and every file in the working directory. In environments with shared servers, this means a casual hit of the tab key can leak sensitive details. Attackers have used this behavior as reconnaissance for decades. Least privilege shell completion removes that surface area by enforcing access control before the shell offers completions.

The core idea is simple: the completion function runs through a permission filter before generating any suggestions. If the user’s role doesn’t have access, the option is invisible. This method isn’t security theater — it’s practical, enforceable, and prevents information disclosure at the earliest interaction point. Extend this across SSH sessions, containers, and jump hosts, and you gain consistency along with security.

Implementation depends on your stack. For Bash, Zsh, or Fish, you intercept the completion call and tie it to your authorization backend. This can work with LDAP, RBAC APIs, or your own ACL system. Engineers running Kubernetes shells can combine kubectl completion scripts with admission control policies for granular restrictions. The same applies to Terraform, cloud CLIs, or any internal tooling script.

Audit logs improve with least privilege shell completion because every denied completion attempt can be recorded. You see not just what was run, but what was attempted. That adds a layer of context missing in most shell histories.

As deployment hardens, you should test for bypasses. Many shells can be coerced into running custom completion logic or fallback modes. Disable unused shell features and centralize your completion scripts to maintain integrity.

Security is not only about blocking bad actions; it’s also about removing the map that shows where those actions could happen. Least privilege shell completion removes the map.

See this live on your own shells in minutes with hoop.dev.