Re: Bash security issue

[Greg Wooledge]

On Fri, Sep 26, 2014 at 10:51:36AM -0400, Steve Simmons wrote:
> The more I see of how many bash-isms work when bash is invoked as /bin/sh, 
> the more convinced I get that we need to either
> 
> 1) make bash when invoked as /bin/sh fail those bash-isms
> 
> 2) build a 'real' /bin/sh without those compiled in. This begs the definition 
> of 'real', but IMHO if it's not in POSIX, it shouldn't be in 'real' /bin/sh

Many operating systems do ship a POSIX /bin/sh which isn't bash.
Ubuntu and Debian come to mind, among the Linux distributions.  There are
also all of the BSDs (I don't think any of them install bash as /bin/sh)
and all of the commercial Unix flavors (same).

The problem is, many *other* Linux distributions (even including older
versions of Debian and Ubuntu) ship bash as /bin/sh, and users who
are not adept at shell programming don't understand the difference.
So there are untold numbers of scripts on Linux systems in the real world
which use #!/bin/sh as their header, but which use some bash syntax.
These will all break if the user installs dash/pdksh as /bin/sh.