changeset 27509:ef32ea9fbe6c v8.2.4282

patch 8.2.4282: restricted mode requires the -Z command line option Commit: https://github.com/vim/vim/commit/adbb1bf21dad5697cd82d46d9dd9e8e8d0f647e6 Author: matveyt <matthewtarasov@gmail.com> Date: Tue Feb 1 17:26:12 2022 +0000 patch 8.2.4282: restricted mode requires the -Z command line option Problem: Restricted mode requires the -Z command line option. Solution: Use restricted mode when $SHELL ends in "nologin" or "false". (closes #9681)
author Bram Moolenaar <Bram@vim.org>
date Tue, 01 Feb 2022 18:30:05 +0100
parents 6708c3906c35
children c1171e0022e2
files runtime/doc/starting.txt src/option.c src/testdir/test_restricted.vim src/version.c
diffstat 4 files changed, 23 insertions(+), 0 deletions(-) [+]
--- a/runtime/doc/starting.txt
+++ b/runtime/doc/starting.txt
@@ -256,6 +256,8 @@ a slash.  Thus "-R" means recovery and "
 		Interfaces, such as Python, Ruby and Lua, are also disabled,
 		since they could be used to execute shell commands.  Perl uses
 		the Safe module.
+		For Unix restricted mode is used when the last part of $SHELL
+		is "nologin" or "false".
 		Note that the user may still find a loophole to execute a
 		shell command, it has only been made difficult.
 
--- a/src/option.c
+++ b/src/option.c
@@ -307,6 +307,17 @@ set_init_1(int clean_arg)
      */
     set_options_default(0);
 
+#ifdef UNIX
+    // Force restricted-mode on for "nologin" or "false" $SHELL
+    p = get_isolated_shell_name();
+    if (p != NULL)
+    {
+	if (fnamecmp(p, "nologin") == 0 || fnamecmp(p, "false") == 0)
+	    restricted = TRUE;
+	vim_free(p);
+    }
+#endif
+
 #ifdef CLEAN_RUNTIMEPATH
     if (clean_arg)
     {
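Review bot: The new `#ifdef UNIX` block fails open: when `get_isolated_shell_name()` returns NULL, the `if (p != NULL)` guard skips the check and Vim starts unrestricted, with no indication that the intended lockdown was not applied. Whether NULL can only mean an allocation failure is not visible in this hunk, so the branch should at least carry a comment such as `// NULL (presumably out of memory): restricted mode is NOT forced in that case`. The comment above the block should also say where the name comes from and how much the check is worth, e.g. `// Name is taken from 'shell' (default $SHELL), which the invoking environment controls: a convenience default, not a security boundary`. Only the exact names "nologin" and "false" match, so any other no-login shell an administrator uses is presumably left unrestricted. set_init_1() begins and ends outside the hunk, and `p` is declared there.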
--- a/src/testdir/test_restricted.vim
+++ b/src/testdir/test_restricted.vim
@@ -105,6 +105,14 @@ func Test_restricted_mode()
   if RunVim([], [], '-Z --clean -S Xrestricted')
     call assert_equal([], readfile('Xresult'))
   endif
+  call delete('Xresult')
+  if has('unix') && RunVimPiped([], [], '--clean -S Xrestricted', 'SHELL=/bin/false ')
+    call assert_equal([], readfile('Xresult'))
+  endif
+  call delete('Xresult')
+  if has('unix') && RunVimPiped([], [], '--clean -S Xrestricted', 'SHELL=/sbin/nologin')
+    call assert_equal([], readfile('Xresult'))
+  endif
 
   call delete('Xrestricted')
   call delete('Xresult')
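Review bot: The second new call passes `'SHELL=/sbin/nologin'` without the trailing space that the first call has in `'SHELL=/bin/false '`. If RunVimPiped() joins this prefix directly onto the Vim command (its definition is not in this hunk), the assignment and the executable path run together and Vim is never started with that $SHELL. Because each assertion sits inside `if has('unix') && RunVimPiped(...)`, a failed launch would presumably skip the check instead of failing the test, so the nologin case could pass without exercising restricted mode. Use `'SHELL=/sbin/nologin '`, and consider asserting that the run itself succeeded before reading Xresult. Test_restricted_mode() begins outside the hunk.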
--- a/src/version.c
+++ b/src/version.c
@@ -747,6 +747,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    4282,
+/**/
     4281,
 /**/
     4280,