1379

Is there any Bash shebang objectively better than the others for most uses?

  • #!/usr/bin/env bash
  • #!/bin/bash
  • #!/bin/sh
  • #!/bin/sh -
  • etc

I vaguely recall a long time ago hearing that adding a dash to the end prevents someone passing a command to your script, but can’t find any details on that.

nbro
Kurtosis
  • 10
    And it's `/usr/local/bin/bash` on OpenBSD. – jww Mar 05 '16 at 01:47
  • 3
    Adding the dash is meant to prevent a certain kind of setuid root spoofing attacks, see https://security.stackexchange.com/questions/45490/what-is-setuid-based-script-root-spoofing?newreg=e1ab392777f44bd8bf57e33def375cf4 – Vladislav Ivanishin Aug 16 '21 at 16:04
  • 2
    I would upvote this, but it has a score of 1337 and I don't want to disturb it! – Thomas G Henry Feb 03 '22 at 18:24
  • `#!/usr/bin/env bash` poses a privilege escalation security threat when a suid program executes a bash script that has such a shebang. The user can simply manipulate his `PATH` and get an arbitrary bash executable to be run instead, with elevated privileges. – Eric May 21 '22 at 22:38

7 Answers

1828

You should use `#!/usr/bin/env bash` for portability: different *nixes put bash in different places, and using `/usr/bin/env` is a workaround to run the first bash found on the `PATH`. And sh is not bash.

l0b0
  • 11
    Thanks. Also looks like adding `-` to the end of `#!/usr/bin/env bash -` won't do anything since only one argument is allowed by *nix in the shebang, and that is used by 'bash'. That's apparently only useful for preventing malicious arguments being passed to the script on the command line if the script's shebang is one of the others with no arguments (`/bin/sh`, etc). – Kurtosis May 03 '12 at 02:23
  • 6
    Why not `#!/bin/bash`? Does this depend on whether the user has correct `path` defined? – Ray Shan Apr 14 '14 at 14:40
  • 14
    @Ray `bash` doesn't live in `/bin` on all systems. – ptierno Jun 01 '14 at 07:33
  • ^^ Windows Git Bash path is */user/bin/bash*, but my Siteground hosting path is */bin/bash* (checked with `echo $SHELL`). – Leo Jun 01 '16 at 20:08
  • 17
    Same for me, I just added it to an alias: `alias shebang='echo "#!/usr/bin/env bash"'`, now I just have to open the terminal and type shebang instead of going here. – Oylex Mar 01 '17 at 16:35
  • 26
    This answer is deceptive. POSIX does not say that `env` is at `/usr/bin/env`. It could be at `/bin/env` or anywhere in fact, as long as it is in the path. It could be at `/dummy/env` if `/dummy` is in `PATH`. Shebang itself is undefined under POSIX, so I could make `#!stop toaster` start the USB coffee machine and be POSIX compliant. So `#!/usr/bin/env bash` isn't particularly better than `#!/bin/bash`, it could be less portable depending. – darkfeline Mar 08 '18 at 08:05
  • 34
    @darkfeline Portability isn't absolute - it is mathematically impossible to make any script that will do the same thing on every platform. As of 2012 through 2018 `/usr/bin/env` exists on more machines than either of `/bin/bash` xor `/usr/bin/bash`, so a script that starts with this line will *do the expected thing on as many machines as possible.* – l0b0 Mar 08 '18 at 20:28
  • @I0b0 It will do the expected thing *if I have the right version in my path*. I can't specify that my script needs `bash` 4.2 or later using a shebang; I can only document that requirement. Really, the script writer shouldn't be the one in control of the shebang; it should be the person *running* the script. Python does this well, IMO: scripts use `#!python`, and the installer replaces it with the correct shebang for the target system. – chepner Mar 12 '18 at 17:48
  • 2
    @l0b0 Actually, portability can be absolute under POSIX. Assuming of course that Bash is in the path, you can use a script like [this](https://gist.github.com/darkfeline/19a91aa9e59259bb61e4614a32091600). An executable file without a shebang and not matching a binary executable format is run with sh. This is fully portable under POSIX, unlike this answer. (Sorry for double comment, stupid StackOverflow comment editing.) – darkfeline Jul 02 '18 at 08:34
  • @chepner The shebang line is IMO the wrong place to ensure that you're running a specific version; that's easily done by checking `BASH_VERSINFO`. – l0b0 Mar 08 '20 at 00:25
  • @Oylex Thanks for the awesome idea :-) I slightly changed it to copy to macos paste-board `alias shebang='echo "#!/usr/bin/env bash" | pbcopy'` – refik Jan 20 '21 at 13:50
  • @darkfeline That’s a cute trick but it *still* doesn’t do “the right thing”. It will execute *a* bash but not necessarily the *desired* bash. Case in point, on macOS `/bin/sh` is bash, but it’s a woefully outdated bash, and power users usually install a modern bash into a different location. But your script will always run `/bin/sh` on macOS, never the user’s preferred bash. By contrast, this answer works just fine on macOS. – Konrad Rudolph Jul 02 '21 at 09:00
  • @KonradRudolph if you're referring to [this](https://gist.github.com/darkfeline/19a91aa9e59259bb61e4614a32091600), then assuming that `bash` in your `PATH` is the right Bash, yes, it will run Bash. If it's not the right Bash, then `#!/usr/bin/env bash` won't work either. It sounds like you didn't see the `exec bash` line, which naturally execs bash, not `/bin/sh`. – darkfeline Jul 04 '21 at 05:05
  • @darkfeline No, it won’t run the right bash because the `if` branch will never be taken, because `BASH_VERSION` is set by `/bin/sh` on macOS (which is what will run this script if you execute it in a shell or via a system call). As a consequence, the script will never `exec bash`. – Konrad Rudolph Jul 04 '21 at 13:13
  • Then you can just check the `BASH_VERSION` to make sure you're not using the super old version? – darkfeline Jul 06 '21 at 21:39
  • How is that the accepted answer? It addresses only one aspect and is just wrong, especially since these days all systems have bash under `/bin`. This answer is the worst advice because of security concerns that `env` introduces when the script is called by a suid program. – Eric May 21 '22 at 22:47
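
Added example (not from any post above): a POSIX sh sketch of two points raised in this thread, that `#!/usr/bin/env bash` runs whichever `bash` comes first on `PATH`, and that a version requirement such as "bash 4.2 or later" has to be checked inside the script from `BASH_VERSION`. The helper names `resolve_on_path` and `bash_at_least` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; resolve_on_path and bash_at_least are hypothetical helpers.

# Print the first executable NAME in the colon-separated PATHSTRING,
# i.e. the file that "#!/usr/bin/env NAME" would end up executing.
resolve_on_path() (
    name=$1
    set -f                          # no globbing while splitting the path string
    IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.      # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            exit 0
        fi
    done
    exit 1                          # nothing found
)

# Succeed if VERSION (a $BASH_VERSION value such as "5.1.16(1)-release")
# is at least MAJOR.MINOR. An empty VERSION means the shell is not bash.
bash_at_least() (
    ver=$1 want_major=$2 want_minor=$3
    case $ver in *.*) ;; *) exit 1 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}          # digits up to the next non-digit
    case $major$minor in ''|*[!0-9]*) exit 1 ;; esac
    [ "$major" -gt "$want_major" ] ||
        { [ "$major" -eq "$want_major" ] && [ "${minor:-0}" -ge "$want_minor" ]; }
)

# Report what the current environment would give an env-based shebang.
printf 'env would run: %s\n' \
    "$(resolve_on_path bash "$PATH" || echo '(no bash on PATH)')"
bash_at_least "${BASH_VERSION:-}" 4 2 ||
    echo "this shell is not bash >= 4.2" >&2
```

A script that needs a specific bash can call the version check at its top and exit early, and a privileged caller can pass a fixed `PATH` so the lookup result does not depend on the invoking user's environment.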
137

I recommend using:

`#!/bin/bash`

It's not 100% portable (some systems place bash in a location other than `/bin`), but the fact that a lot of existing scripts use `#!/bin/bash` pressures various operating systems to make `/bin/bash` at least a symlink to the main location.

The alternative of:

`#!/usr/bin/env bash`

has been suggested -- but there's no guarantee that the `env` command is in `/usr/bin` (and I've used systems where it isn't). Furthermore, this form will use the first instance of bash in the current user's `$PATH`, which might not be a suitable version of the bash shell.

(But /usr/bin/env should work on any reasonably modern system, either because env is in /usr/bin or because the system does something to make it work. The system I referred to above was SunOS 4, which I probably haven't used in about 25 years.)

If you need a script to run on a system that doesn't have /bin/bash, you can modify the script to point to the correct location (that's admittedly inconvenient).

I've discussed the tradeoffs in greater depth in my answer to this question.

A somewhat obscure update: One system I use, Termux, a desktop-Linux-like layer that runs under Android, doesn't have /bin/bash (bash is /data/data/com.termux/files/usr/bin/bash) -- but it has special handling to support #!/bin/bash.

Keith Thompson
  • 8
    2 years later and this is still the best advice here. If the simple solution doesn't work then you've got to question your earlier decisions. The accepted and most upvoted answer isn't wrong, it's just not right :) – Software Engineer Oct 03 '19 at 23:14
88

`/bin/sh` is usually a link to the system's default shell, which is often bash but on, e.g., Debian systems is the lighter weight dash. Either way, the original Bourne shell is sh, so if your script uses some bash (2nd generation, "Bourne Again sh") specific features (`[[ ]]` tests, arrays, various sugary things, etc.), then you should be more specific and use the latter. This way, on systems where bash is not installed, your script won't run. I understand there may be an exciting trilogy of films about this evolution...but that could be hearsay.

Also note that when invoked as sh, bash to some extent behaves as POSIX standard sh (see also the GNU docs about this).

CodeClown42
  • 3
    The Public Domain Korn Shell (pdksh) is default on OpenBSD. – jww Mar 05 '16 at 01:52
  • 1
    Most systems will *not* link `/bin/sh` to anywhere in `/usr` as that would make it rather hard for the init scripts to run before `/usr` is mounted. – aij Sep 20 '18 at 01:48
  • 1
    @aij I don't know why I put "many or most" there -- I'm a Fedora user, where `/bin` and `/sbin` for years have just been symlinks by default, to `/usr/bin` and `/usr/sbin`, so in that context `/bin/sh` is a link to `bash` and the actual directory is `/usr/bin`. But I'll correct the above. – CodeClown42 Sep 20 '18 at 11:03
35

Using a shebang line to invoke the appropriate interpreter is not just for BASH. You can use the shebang for any interpreted language on your system, such as Perl, Python, PHP (CLI) and many others. By the way, the shebang

`#!/bin/sh -`

(it can also be two dashes, i.e. `--`) ends bash options; everything after will be treated as filenames and arguments.

Using the `env` command makes your script portable and allows you to set up custom environments for your script, hence portable scripts should use

`#!/usr/bin/env bash`

Or, for whatever the language, such as for Perl:

`#!/usr/bin/env perl`

Be sure to look at the man pages for bash:

`man bash`

and env:

`man env`

Note: On Debian and Debian-based systems, like Ubuntu, sh is linked to dash, not bash. As all system scripts use sh, this allows bash to grow and the system to stay stable, according to Debian.

Also, to keep invocation *nix-like, I never use file extensions on shebang-invoked scripts, as you cannot omit the extension on invocation on executables as you can on Windows. The `file` command can identify it as a script.

nbro
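
Added example, not part of the answer above: a POSIX sh function that classifies the shebang forms listed in the question, so a reviewer can spot scripts whose interpreter depends on `PATH` or whose option parsing is not terminated with `-`. `classify_shebang` and its category names are hypothetical; the `env-multi` case reflects Linux handing everything after the interpreter to it as a single argument.

```shell
#!/bin/sh
# Added example. classify_shebang is a hypothetical helper, not an existing tool.
# Usage: classify_shebang FILE   ->  prints "<kind> <interpreter>"
#   none         first line has no "#!"
#   path-lookup  env NAME: the interpreter is whatever PATH finds first
#   env-multi    env followed by several words (Linux passes them as ONE argument)
#   end-opts     absolute interpreter followed by "-" or "--"
#   absolute     absolute interpreter, option parsing not terminated
#   relative     interpreter path does not start with "/"
classify_shebang() (
    first=
    IFS= read -r first < "$1" || [ -n "$first" ] || { echo none; exit 0; }
    case $first in '#!'*) ;; *) echo none; exit 0 ;; esac
    rest=${first#??}
    rest=${rest#"${rest%%[! ]*}"}     # trim leading spaces
    rest=${rest%"${rest##*[! ]}"}     # trim trailing spaces
    interp=${rest%% *}                # first word: the interpreter path
    arg=
    [ "$interp" = "$rest" ] || arg=${rest#* }
    arg=${arg#"${arg%%[! ]*}"}        # the remainder, kept as one string
    case $interp in
        '') echo none; exit 0 ;;
        /*) ;;
        *)  echo "relative $interp"; exit 0 ;;
    esac
    if [ "${interp##*/}" = env ] && [ -n "$arg" ]; then
        case $arg in
            *' '*) echo "env-multi ${arg%% *}" ;;
            *)     echo "path-lookup $arg" ;;
        esac
    else
        case $arg in
            -|--) echo "end-opts $interp" ;;
            *)    echo "absolute $interp" ;;
        esac
    fi
)

# Classify every file named on the command line.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_shebang "$f")"
done
```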
6

It really depends on how you write your bash scripts. If your /bin/sh is symlinked to bash, when bash is invoked as sh, some features are unavailable.

If you want bash-specific, non-POSIX features, use #!/bin/bash

Nathan Smith
glenn jackman
1

Add one more vote to the #!/usr/bin/env approach. I use virtual environments a lot, in my case I use the python installed in the virtualenv. Using #!/usr/bin/python may not be the python I want. I get the right python using #!/usr/bin/env python.

Tom Ekberg
  • Please answer the question: this is about the best way to invoke a bash script, not a python script. Both have drastically different requirements as bash location is always under /bin (contrary to python in a virtualenv) and python versions are incompatible whereas a bash script will generally run with any recent bash version. Not the same problem space. This is about bash after all, not python. – Eric May 21 '22 at 22:40
0

`#!/bin/sh`

as most scripts do not need specific bash features and should be written for sh.

Also, this makes scripts work on the BSDs, which do not have bash by default.

weberjn
  • 2
    But the question is what to use for Bash scripts specifically. This has the distinct and potentially serious drawback that it will not work for Bash scripts (i.e. anything which uses Bash-only features). This is a common pitfall for newbies. See also [Difference between `sh` and `bash`](https://stackoverflow.com/questions/5725296/difference-between-sh-and-bash) – tripleee Aug 31 '21 at 12:06
  • The person asking the question specifically asks whether `/bin/sh` is a good shebang for bash scripts. So I think that weberjn's answer is not out of scope. – Eric May 21 '22 at 22:43