Shellshock does a good job of illustrating a fundamental security flaw in
bash but also in Redhat. Redhat, Fedora and CentOS are the most at risk
OSs because Redhat decided to make bash the default shell. This was a
deeply flawed system design decision driven by NIH (not invented here
syndrome). The problem is that bash was written and is maintained by
Redhat. As a result scripts that should have been written in the Bourne
shell are instead using bash. Even scripts that use Bourne (/bin/sh) are
executing bash on Redhat systems as sh is symlinked from bash. This is
not the case on Debian-based Linux (Ubuntu et al) as they don't symlink
bash to sh or specify bash as the default shell script interpreter.
Neither is it the case on the BSDs which don't even ship with bash.
So why then is bash an inappropriate choice for shell scripting? Bash is
designed to be an interactive shell. As a result it a much larger
program and has a correspondingly larger codebase than Bourne, most of
which is dedicated to auto-completion and other interactive features.
All else being equal (and it is in this case) more code correlates with
less security. Bash is also not POSIX-compliant. As a result it is not
cross-platform compatible nor are its features or design subject to
substantial design review. This and other reasons (like security) are
why all Unix and Linux distributions other than Redhat specify POSIX
Bourne as the default shell scripting language.
Redhat aside many third party shell scripts are written in bash that use
no bash features i.e., they would run with little or no modifications
under sh. So why are these scripts written in bash? The primarily
reasons are A) script authors don't understand or value cross-platform
compatibility and B) don't know the differences between bash and sh
(commonly due to familiarity with bash as an interactive shell). A third
but equally important factor is the lack of formal Linux or Unix
Just as shell scripts should not be written in csh (or tcsh) they should
also not use bash (or ksh). Shell script authors should A) keep it
simple, B) be aware of cross-platform differences, C) value
POSIX-compliance and D) value security. With these best practices bugs
like shellshock won't have such an impact.