Bourne Shell Deprecated?
Hello List,
Today someone in a meeting claimed the Bourne shell is deprecated, one of the reasons being it supposedly has security issues. Well that’s all news to me, and I cannot find anything online to corroborate the claim.
Is this true, is it a bash vs. Bourne FUD, or something else?
Thanks, Jack
27 thoughts on - Bourne Shell Deprecated?
[Citation Needed]
There was the “Shell Shock” vulnerability patched on the 24th of September 2014.
Maybe this person was misinformed after this incident. Microsoft and Ubuntu just announced BASH for Windows (they called it Linux on Windows or something like that).
there’s no Bourne shell in CentOS anyways, /bin/sh is a symlink to /bin/bash…
last OS I can think of with an actual Bourne shell was Solaris.
The Bourne shell is not POSIX conforming. It’s not widely available. It was included in Solaris until 11, when it was replaced with a POSIX compatible sh.
It was affected by a security issue in 2014:
http://www.cvedetails.com/vulnerability-list/vendor_id-15053/year-2014/Heirloom.html
I think it’s hard to argue that it’s not deprecated.
??
[root@an-striker01 ~]# cat /etc/redhat-release
CentOS release 6.7 (Final)
[root@an-striker01 ~]# which bash
/bin/bash
[root@an-striker01 ~]# ls -lah /bin/bash
-rwxr-xr-x. 1 root root 885K Sep 22 2015 /bin/bash
[root@an-striker01 ~]# which sh
/bin/sh
[root@an-striker01 ~]# ls -lah /bin/sh
lrwxrwxrwx. 1 root root 4 Mar 27 18:40 /bin/sh -> bash
Same upstream on Fedora 23:
0 root@pulsar:/home/digimer# cat /etc/redhat-release
Fedora release 23 (Twenty Three)
0 root@pulsar:/home/digimer# which bash
/bin/bash
0 root@pulsar:/home/digimer# ls -lah /bin/bash
-rwxr-xr-x. 1 root root 1.1M Jan 11 06:02 /bin/bash
0 root@pulsar:/home/digimer# which sh
/bin/sh
0 root@pulsar:/home/digimer# ls -lah /bin/sh
lrwxrwxrwx. 1 root root 4 Jan 11 06:02 /bin/sh -> bash
Yes, Red Hat and most (all?) GNU/Linux distributions have used bash as far back as I can remember.
Some of the BSDs used to have a bourne shell and maybe some do, I don’t know.
bash is mostly compatible with bourne (can run most bourne scripts) which is why /bin/sh is a symlink to /bin/bash on GNU and most other *nix systems.
Bourne is for all practical purposes dead.
when bash is invoked as /bin/sh, it reverts to more Bourne like behaviors in some circumstances where the default is not compatible.
Most of the script developers at my $job seem to prefer ksh for serious scripting, apparently it’s more consistent.
Hello all,
There seems to be a big confusion in this thread. The Bourne shell has gone long time ago. The Bourne-Again shell is bash (which is GNU software). Bash is not the Bourne shell.
FYI: https://en.wikipedia.org/wiki/Bourne_shell
Regards,
Sorry if I wrote too fast: s/has gone/was born/. The Bourne shell seems to be still in use in FreeBSD.
Regards,
Yup.
Bash can run Bourne, but not necessarily vice versa, which can be problematic if, say, moving a Linux script to a BSD or AIX box. I remember something I’d done which used, IIRC, $UID, without realizing it was a bashism, instead of using id -u.
The various *BSD’s have & use the actual Bourne shell ….
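The two checks discussed so far in the thread (what /bin/sh actually points to, and the $UID bashism) as an added example that is not part of any post. It goes slightly beyond the thread by also flagging `[[`, `function` and `source`; the function names are hypothetical and `readlink` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). POSIX sh only, so it behaves the same
# under bash, dash, ksh and the BSD /bin/sh.

# Portable replacement for bash's $UID, which a plain sh does not set.
current_uid() {
    id -u
}

# Follow symlinks one hop at a time to see which binary a shell path runs.
# Assumes readlink(1) exists (Linux and the BSDs ship it).
resolve_shell() {
    path=$1
    hops=0
    while [ -L "$path" ]; do
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || return 1               # guard against symlink loops
        target=$(readlink "$path") || return 1
        case $target in
            /*) path=$target ;;                      # absolute link target
            *)  path=$(dirname "$path")/$target ;;   # relative to the link's dir
        esac
    done
    printf '%s\n' "$path"
}

# Print "line:text" for each line of a script that uses a construct bash
# accepts but a strict sh may not. The pattern list is a small constructed
# sample: $UID/$EUID, [[ ]], the 'function' keyword and 'source'.
# Exit status 0 means at least one match, as with grep.
find_bashisms() {
    grep -nE '\$\{?E?UID([^A-Za-z0-9_]|$)|\[\[ |^[[:space:]]*(function|source)[[:space:]]' "$1"
}

echo "/bin/sh resolves to: $(resolve_shell /bin/sh)"
echo "current uid: $(current_uid)"
```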
I’ll also note that all *production* scripts were once required to be bourne, but by the mid-nineties, management was starting to mandate that they be Korn shell, instead, for many reasons – capabilities, etc. Bash – I don’t think I saw that till I started running RH 5.1, I think it was, about 18 years ago….
mark
There is at least one good reason Bourne shell is still alive and not striving to cover all Bourne-Again shell (bash) features IMHO. Bourne shell is very well debugged, and code is much smaller, hence much less chance to have undiscovered bugs. Therefore, it should be much better security wise. Imagine you never heard about shellshock, and I ask you is it bash or is it Bourne shell, what would your bet be? (90 or 95% it is bash would be mine, – if I recollect correctly my reaction when I first heard about that).
Just my $0.02
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Nope. FreeBSD (and its clones like PC-BSD) use Bourne shell for startup scripts. OpenBSD comes with Bourne shell as well (though they use ksh for system scripts if I remember it correctly). Not dead and there is a reason for that.
Valeri
That’s good to know. But, since there seem to be several forks of Bourne shell, currently, is there a reference for the differences between them?
I looked for substantiation of the original claim that the bourne shell had security problems. Apparently I should have looked closer. Thanks for catching that.
indeed, the man for sh(1) on freebsd 10.3 says (in part)
HISTORY
A sh command, the Thompson shell, appeared in Version 1 AT&T UNIX. It
was superseded in Version 7 AT&T UNIX by the Bourne shell, which inher-
ited the name sh.
This version of sh was rewritten in 1989 under the BSD license after the
Bourne shell from AT&T System V Release 4 UNIX.
AUTHORS
This version of sh was originally written by Kenneth Almquist.
Interesting. Back in 1980 we called /bin/sh the Mashey shell. It did not have command substitution or other things we now take for granted.
Bourne did that for us. So there’s a version or two missing in history…
Jack
this suggests the PWB/Mashey shell was pretty short lived… https://en.wikipedia.org/wiki/PWB_shell
derivatives of Unix Version 7 were about the first Unix version most people outside of a few universities ever saw, like I believe my first in depth exposure to Unix was 4.1BSD, on Dec VAX 11/780. I remember having to get a Unix/32V license from AT&T, then photocopy the label of the tape and fax it to Berkeley before we could get 4.1BSD from them due to licensing weirdness. I don’t remember ever even mounting that AT&T tape.
NetBSD 6.1.5 uses the Bourne shell by default for root logins & uses it for the rc.d system. FreeBSD 9.3 Release has it installed because it is needed for the rc.d system. All I can vouch for ….
From NetBSD 6.1.5:
4256EE1 # man sh
man: Formatting manual page…
SH(1) General Commands Manual SH(1)
NAME
sh — command interpreter (shell)
SYNOPSIS
sh [-aCefnuvxIimqVEb] [+aCefnuvxIimqVEb] [-o option_name]
[+o option_name] [command_file [argument …]]
sh -c [-aCefnuvxIimqVEb] [+aCefnuvxIimqVEb] [-o option_name]
[+o option_name] command_string [command_name [argument …]]
sh -s [-aCefnuvxIimqVEb] [+aCefnuvxIimqVEb] [-o option_name]
[+o option_name] [argument …]
DESCRIPTION
sh is the standard command interpreter for the system. The current
version of sh is in the process of being changed to conform with the
POSIX 1003.2 and 1003.2a specifications for the shell. This version has
many features which make it appear similar in some respects to the Korn
shell, but it is not a Korn shell clone (see ksh(1)). Only features
designated by POSIX, plus a few Berkeley extensions, are being
incorporated into this shell. This man page is not intended to be a
tutorial or a complete specification of the shell.
.
.
.
HISTORY
A sh command appeared in Version 1 AT&T UNIX. It was, however,
unmaintainable so we wrote this one.
BUGS
Setuid shell scripts should be avoided at all costs, as they are a
significant security risk.
PS1, PS2, and PS4 should be subject to parameter expansion before being
displayed.
The characters generated by filename completion should probably be quoted
to ensure that the filename is still valid after the input line has been
processed.
NetBSD 6.1.5 October 4, 2011 NetBSD 6.1.5
4256EE1 #
There was/is nothing at the end w/ any more identifying info.
From FreeBSD 9.3R:
[root@kabini1, /etc, 3:22:38pm] 888 % man sh
SH(1) FreeBSD General Commands Manual SH(1)
NAME
sh — command interpreter (shell)
SYNOPSIS
sh [-/+abCEefhIimnPpTuVvx] [-/+o longname] [script [arg …]]
sh [-/+abCEefhIimnPpTuVvx] [-/+o longname] -c string [name [arg …]]
sh [-/+abCEefhIimnPpTuVvx] [-/+o longname] -s [arg …]
DESCRIPTION
The sh utility is the standard command interpreter for the system. The
current version of sh is close to the IEEE Std 1003.1 (“POSIX.1”) specification
for the shell. It only supports features designated by POSIX,
plus a few Berkeley extensions. This man page is not intended to be a
tutorial nor a complete specification of the shell.
.
.
.
HISTORY
A sh command, the Thompson shell, appeared in Version 1 AT&T UNIX. It
was superseded in Version 7 AT&T UNIX by the Bourne shell, which inher-
ited the name sh.
This version of sh was rewritten in 1989 under the BSD license after the
Bourne shell from AT&T System V Release 4 UNIX.
AUTHORS
This version of sh was originally written by Kenneth Almquist.
BUGS
The sh utility does not recognize multibyte characters other than UTF-8.
Splitting using IFS and the line editing library editline(3) do not rec-
ognize multibyte characters.
FreeBSD 9.3 January 3, 2014 FreeBSD 9.3
[root@kabini1, /etc, 3:31:58pm] 889 %
So FreeBSD does indeed appear to use the Almquist shell.
Yes. Here is an excerpt from “man sh” (appears the same on FreeBSD 9.3 and 10.3):
A sh command, the Thompson shell, appeared in Version 1 AT&T UNIX. It
was superseded in Version 7 AT&T UNIX by the Bourne shell, which inher-
ited the name sh.
This version of sh was rewritten in 1989 under the BSD license after the
Bourne shell from AT&T System V Release 4 UNIX.
Once upon a time, JJB said:
Check the history here:
https://github.com/dspinellis/unix-history-repo
…
…
The V1 shell was of course not Bourne’s.
However Bourne’s code was considered “unmaintainable” as he was an algol coder, not a C coder. He had numerous macros defined to allow him to use his algol coding style with a C compiler.
jl
This history might be that of a particular lineage. CB UNIX and PWB UNIX existed in the gap between 1975 and 1979.
https://en.wikipedia.org/wiki/CB_UNIX
Jack
So *that’s* what it is! I have a copy of the source (on paper). What a hoot! I thought he was trying to make C look like shell code.
Jack
You would be correct. All of the BSDs and some GNU/Linux distributions use Almquist for sh if not using a symlink to bash or dash.
In fact, the first release of Slackware in 1993 had sh as a symlink to bash.
I’m looking at the source code for the Bourne shell as included with UNIX SVR4 (circa 1988) and it’s obvious that the version which Sun Microsystems/Oracle shipped with Solaris under the CDDL is a direct descendant.
The license on the source code for the Bourne shell shipped with SVR4 clearly states:
“THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF AT&T”
Brandon Vincent
PWB is the one I started with back in ’77ish. Running on Dec 11/70.
When SCO’s Unix, which had an IBM-compatible Cobol compiler available, became available I installed on PC and over time converted our Cobol development folks to compile, debug, test on the PCs and then install on mainframe through the PDP 11/70 emulating 3270 terminal into mainframe, IIRC. Maybe by then it was a VAX 11/780.
When Bourne’s shell came around it was a big boost for me – added a lot.
Bill