Comparison of command shells

For more details on this topic, see Shell (computing).

A command shell is a command line interface computer program to an operating system.

General characteristics

	Usual environment	Usually invoked	Introduced	Platform-independent	Default login shell in	Default script shell in	License	Unicode	Stream redirection	Native CIM/WBEM support	available as statically linked, independent single file executable
Bourne shell	7th Ed. UNIX	sh	1977	Yes[1][2]	7th Ed. UNIX	7th Ed. UNIX,	Proprietary, CDDL[3][4]	Yes	Yes (arbitrary fds)	No	Yes
POSIX shell[5]	POSIX	sh	1992[6]	Yes	N/A	POSIX	N/A	Yes, if used by configured locale	Yes (arbitrary fds)	No	N/A
bash (v4.0)	POSIX	bash, sh	1989[7]	Yes	GNU, Linux, Mac OS X 10.3+	GNU, Linux, Haiku, Mac OS X	GPL	Yes	Yes (arbitrary fds)	No	Yes
csh	POSIX	csh	1978	Yes	SunOS	?	BSD	No	Yes (stdin, out, out+err)	No	Yes
tcsh	POSIX	tcsh, csh	1983[8]	Yes	FreeBSD, formerly Mac OS X	?	BSD	Yes	Yes (stdin, out, out+err)	No	Yes
Scsh	POSIX	scsh	1994	Yes	?	?	BSD-style	?	Yes	No	Yes
ksh (ksh93t+)	POSIX	ksh	1983[9][10]	Yes	AIX, HP-UX	OpenSolaris	Common Public License	Yes	Yes (arbitrary fds)	No	Yes
pdksh	POSIX	ksh, sh	1989 ?	Yes	OpenBSD[11]	OpenBSD[11]	Public Domain	No	Yes (arbitrary fds)	No	Yes
zsh	POSIX	zsh	1990	Yes	Grml, Gobolinux	Grml	MIT-style	Yes	Yes (arbitrary fds)	No	Yes
ash	POSIX	sh	1989	Yes	Minix, BusyBox based systems	FreeBSD, NetBSD, Minix, BusyBox based systems	BSD-style	Yes	Yes (arbitrary fds)	No	Yes
Windows cmd.exe[12]	Win32	cmd	1993	No	Windows NT, 2000, XP, Server 2003, Vista	Windows NT, 2000, XP, Server 2003, Vista	MS-EULA[13]	Yes	Yes	No	Yes
TCC (formerly 4NT)	Win32	?	1993	No	?	?	Shareware	Yes	Yes (stdin, out, err)	No	No
Windows PowerShell	.NET	powershell	2006	No	Windows Server 2008, 7, Vista, XP[14]	Windows Server 2008, 7	MS-EULA[13]	Yes	Yes	Yes	No
COMMAND.COM	DOS	command	1980	No (3rd party available[15])	DOS, Windows 95, 98, ME	DOS, Windows 95, 98, ME	MS-EULA[16] or BSD/GPL (free clones)	No	Yes (stdin, out, COMn/LPT only)	No	Yes
4DOS	DOS	?	1989	No	?	?	MIT License, with restrictions	No	Yes (stdin, out, err)	No	No
OS/2 cmd.exe	OS/2	cmd	1987	No	OS/2	OS/2	IBM-EULA[17]	No	Yes (stdin, out, err)	No	?
rc	Plan 9, POSIX	rc	1989	Yes	Plan 9, Version 10 Unix	Plan 9, Version 10 Unix	Lucent Public License	Yes	Yes	No	Yes
BeanShell	Java	?	2005	Yes	?	?	LGPL	Yes	Yes	?	Yes (bsh.jar)
Python shell	Python	python, ipython	1991	Yes	?	?	Python	Yes	Yes	?	Yes py2exe (Windows), pypy (Linux), jython (Java)
Ruby shell	Ruby	irb	1995	Yes	?	?	Ruby, BSD	1.9: Yes 1.8: limited	Yes	?	Yes with rubyscript2exe.rb
VMS DCL[18]	OpenVMS	?	1977 ?	No	VMS	VMS	?	No	Yes (sys$input, sys$output assignment)	No	No
fish	POSIX	fish	2005[19]	Yes	?	?	GPL	Yes	Yes (arbitrary fds)	No	?

Notes

1. A platform independent version based on the historical UNIX V7 original source code is available from Geoff Collyer
2. A platform independent version based on the SVr4/Solaris source code is available from Jörg Schilling
3. The historic UNIX V7 version is available under a BSD-style license through the Unix Heritage Society and others.
4. The SVr4 (OpenSolaris) version http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/cmd/sh/ is available under CDDL, older versions (except UNIX V7) are available under a AT&T proprietray license. However, most extent versions (AIX, IRIX64, HPUX, Tru64) remain under AT&T licence.
5. IEEE (6 December 2001). 1003.1 Standard for Information Technology – Portable Operating System Interface (POSIX): Shell and Utilities, Issue 6. 
6. As part of IEEE Std.1003.2-1992 (POSIX.2); integrated into IEEE Std.1003.1 with the 2001 revision.
7. Brian Fox (forwarded by Leonard H. Tower Jr.) (7 June 1989). "Bash is in beta release!". gnu.announce. Web link. Retrieved 28 October 2010.
8. Ken Greer (3 October 1983). "C shell with command and filename recognition/completion". net.sources. Web link. Retrieved 29 December 2010.
9. Ron Gomes (9 June 1983). "Toronto USENIX Conference Schedule (tentative)". net.usenix. Web link. Retrieved 29 December 2010.
10. Guy Harris (10 October 1983). "csh question". net.flame. Web link. Retrieved 29 December 2010.
11. Default shell in OpenBSD is ksh (pdksh).
12. Command extensions enabled, or "cmd /x".
13. Windows component – covered by a valid license for Microsoft Windows
14. Windows PowerShell is installed with Windows 7, however, it is an optional download for users of Windows Vista or Windows XP.
15. Third-party re-implementations, such as DosBox, Wine, and FreeDOS are available.
16. MS-DOS and Windows component – covered by a valid license for MS-DOS or Microsoft Windows
17. OS/2 component – covered by a valid license for OS/2
18. "HP OpenVMS DCL Dictionary". Retrieved 23 March 2009. 
19. Axel Liljencrantz (17 May 2005). "Fish - The friendly interactive shell". Retrieved 8 April 2013. 

Interactive features

	Command name completion	Path/file argument completion	Non-Path/file argument completion	Wildcard completion	Command history	Mandatory argument prompt	Automatic suggestions	Syntax highlighting	Directory history	Implicit directory change	Spell checking	Integrated environment	Snippets	Value prompt	Menu/options prompt	Progress indicator	Interactive table	Context sensitive help	Command builder
Bourne shell	No	No	No	No	No	No	No	No	No	No	No	No	No	Yes	No	No	No	No	No
POSIX shell	No	No	No	No	Yes	No	No	No	No	No	No	No	No	Yes	No	No	No	No	No
bash (v4.0)	Yes	Yes	when defined	Yes[1]	Yes	No	No	No	No	optional	No	No	No	Yes	Yes	No	No	No	No
csh	Yes	Yes	No	No	Yes	No	No	No	No	optional	No	No	No	Yes	No	No	No	No	No
tcsh	Yes	Yes	No	No	Yes	No	No	No	No	optional	experimental	No	No	Yes	No	No	No	No	No
Scsh	No	No	No	No	No	No	No	No	No	No	No	No	No	Yes	No	No	No	No	No
ksh (ksh93t+)	Yes (extendable)	Yes (extendable)	No	No	Yes	No	No	No	No	No	No	No	No	Yes	Yes	No	No	No	No
pdksh	Yes	Yes	No	No	Yes	No	No	No	No	No	No	No	No	Yes	Yes	No	No	No	No
zsh	Yes	Yes	when defined	Yes[2]	Yes	No	No	No[3]	No	optional	Yes	No	No	Yes	Yes	No	No	No	No
ash	No	No	No	No	Yes	No	No	No	No	No	No	No	No	Yes	Yes	No	No	No	No
Windows cmd.exe	partial	partial	No	No	Yes (F8)	No	No	No	No	No	No	No	No	No	No	No	No	No	No
TCC (formerly 4NT)	partial	partial	No	No	Yes	No	No	Yes	popup	Yes	No	Yes	No	Yes	Some[4]	No	No	Yes	No
Windows PowerShell	Yes	Yes	Yes	Yes	Yes (F8)	Yes	Yes[5]	Yes[5]	No	No	No	Yes[5]	Yes[5]	Yes	Yes[6]	Yes[7]	popup window[8]	Yes[5]	popup window[9]
COMMAND.COM	No	No	No	No	No[10][11]	No	No	No	No	No	No	No	No	No	No	No	No	No	No
4DOS	Yes	Yes	No	No	Yes	No	No	No	popup	Yes	No	No	No	Yes	No	No	No	No	No
OS/2 cmd.exe	Yes	Yes	No	No	Yes	No	No	No	No	No	No	No	No	No	No	No	No	No	No
rc	Yes[12]	Yes[12]	No	No	Yes[12]	No	No	No	No	No	No	No	No	?	No	No	No	No	No
BeanShell	Yes	Yes	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No	No
Python shell	Yes[13]	Yes[13]	No	No	with IPython[14]	No	No	No	No	No	No	?	?	Yes	No	No	No	No	No
Ruby shell	Yes	Yes	No	No	with UtilityBelt[15]	No	No	No	No	No	No	No	No	Yes	No	No	No	No	No
VMS DCL	Minimum uniqueness scheme	No	No	No	Yes	Yes	No	No	No	No	No	No	No	Yes	No	No	No	No	No
fish	Yes	Yes	when defined[16]	Yes[17]	Yes	No	Yes	Yes	Yes	No	No	Yes[18]	No	Yes	No	No	Yes	No	No

Completions

Main article: Command-line completion

Completion features assist the user in typing commands at the command line. The simplest form of completion is command name completion where the shell looks for and suggests matching internal and/or external commands when the user enters a partial command and presses the completion key (often the Tab ↹ key).

For each command there is usually also a set of parameters/arguments/options. parameters/arguments/options are often identified by a name or letter preceding a value. Some shells allow completion on parameter/option names and -values.

Bash and zsh offer parameter name completion through a definition external to the command, distributed in a separate completion definition file. For command parameter name/value completions, the shell assumes path/filename completion if no completion is defined for the command. Completion can be set up to suggest completions by calling a shell function.^[19]

As opposed to traditional shells where parameters are parsed internally by each command, all types of PowerShell commands (cmdlets, functions, script files) expose data about their parameters, names, types, value ranges and more. This discoverable data is used by the shell to automatically support argument name and value completion for built-in commands/functions, user-defined commands/functions as well as for script files. Cmdlets can also define dynamic completion of argument values where the completion values are computed dynamically on the running system.

Command history

Main article: Command history

A user of a shell may find that he/she is typing something similar to what the user typed before. If the shell supports command history the user can call the previous command into the line editor and edit it before issuing it again.

Shells that support completion may also be able to directly complete the command from the command history given a partial/initial part of the previous command.

Most modern shells support command history. Shells which support command history in general also supports completion from history rather than just recalling commands from the history. In addition to the plain command text, PowerShell also records execution start- and end time and execution status in the command history.

Mandatory argument prompt

Further information: Named parameter#Optional_parameters

Mandatory arguments/parameters are arguments/parameters which must be assigned a value upon invocation the command, function or script file. A shell that can determine ahead of invocation that there are missing mandatory values, can assist the interactive user by prompting for those values instead of letting the command fail. Having the shell prompt for missing values will allow the author of a script, command or function to mark a parameter as mandatory instead of creating script code to either prompt for the missing values (after determining that it is being run interactively) or fail with a message.

PowerShell allows commands, functions and scripts to define arguments/parameters as mandatory. The shell determines prior to invocation if there is any mandatory arguments/parameters which have not been bound, and will then prompt the user for the value(s) before actual invocation. ^[20]

Automatic suggestions

Main article: Autocomplete

With automatic suggestions the shell monitors while the interactive user is typing and displays context-relevant suggestions without interrupting the typing instead of the user explicitly requesting completion.

Directory history

See also: Directory stack

A shell may record the locations the user has used as current locations and allow fast switching to any location/directory in the history.

4DOS and Take Command Console record history of current directories and allows the user to switch to a directory in the history using a popup a window.

Implicit directory change

A directory name can be used directly as a command which implicitly changes the current location to the directory.

Spell checking

Main article: Spell checker

When a command line does not match a command or arguments directly, spell checking can look for common typing mistakes and match possible alternatives with known valid alternatives. The shell can then suggest probable corrections to the interactive user.

The tsch and zsh shells feature optional spell checking/correction.

Integrated environment

Main article: Integrated environment

An integrated environment is the integration of the command line interface with editors (typically multiple documents), help system and possibly debugging and other tools.

Take Command Console (TCC) comes with an integrated environment with command line pane, file explorer, editor, batch debugger and more.^[21]

PowerShell ISE includes a command line pane with support for integrated command line, copy-paste, multiple document editors, source level debugging, help pane, command explorer pane and scripting interface allowing scripts/modules to manipulate menus, add-ons etc. The ISE (menus, windows, shortcuts, addons) are customizable through scripts.^[22]

Snippets

Main article: Snippet (programming)

Snippets are small regions of re-usable of script code. Snippets are often used to save keystrokes, or to assist the user with common scripting patterns.

PowerShell supports snippets in the Integrated Scripting Environment (ISE) using Ctrl J.^[23]

Value prompt

A shell script can prompt the interactive user for a value.

Menu/options selector

A shell script can present the interactive user with a list of choices.

Progress indicator

A shell script (or job) can report progress of long running tasks to the interactive user.

Unix/Linux systems may offer other tools support using progress indicators from scripts. These are not integrated features of the shells, however.

PowerShell has a built-in command and API functions (to be used when authoring commands) for writing/updating a progress bar. Progress bar messages are sent separates from regular command output and the progress bar is always displayed at the ultimate interactive users console regardless of whether the progress messages originates from an interactive script, from a background job or from a remote session.

Interactive table

Output from a command execution can be displayed in a table/grid which can be interactively sorted and filtered and/or otherwise manipulated after command execution ends.

PowerShell Out-GridView cmdlet displays data in an interactive window with interactive sorting and filtering.

Syntax highlighting

Main article: Syntax highlighting

An independent project offers syntax highlighting as an add-on to the Z Shell (zsh).^[24] This is not part of the shell, however. PowerShell ISE has syntax highlighting on the current command line as well as in the script pane.^[22] Take Command Console (TCC) offers syntax highlighting in the integrated environment.

Context sensitive help

Main article: Context-sensitive help

Take Command Console and PowerShell (in PowerShell ISE) looks up context-sensitive help information when F1 is pressed.

Command builder

A command builder is a guided dialog which assists the user in filling in a command. PowerShell has a command builder which is available in PowerShell ISE or which can be displayed separately through the Show-Command cmdlet.^[25]

Notes

1. Alt-Shift-8 or Alt-* will expand to the full matching list of filenames
2. "[Z Shell] Completion System". 
3. zsh does not feature syntax highlighting, but a 3rd party projekt exists which offer this capability as an add-on
4. TCC has special prompt function for yes, no, cancel, close, retry.
5. Available in PowerShell Integrated Scripting Environment (ISE) which offers integrated command line pane, script editor, intellisense, help, scriting snippets, source-level debugging, syntax highlighting, automatic suggestions (IntelliSense) and more.
6. The $host.ui.PromptForChoice function allows for a menu-style prompt for choices. The prompt works from background jobs as well as from remote sessions, displaying the menu prompt on the console of the controlling session.
7. The Write-Progress cmdlet writes a progress bar which can indicate percentage, remaining seconds etc. The progress bar messages work from background jobs or remote sessions in addition to interactive scripts, i.e. the progress bar is displayed on the console of the controlling session, not as part of the regular output.
8. The Out-GridView (with a the alias ogv) opens an interactive "grid view" (table) where the user can sort, filter and select/choose rows, rearrange columns etc.
9. The Show-Command cmdlet inspects the command definition and opens an interactive windows with a named input field for each parameter/switch
10. Available through the DOSKEY add-on
11. Available in DR-DOS
12. Handled by rio, GNU readline, editline or vrl
13. provided by the rlcompleter module or IPython
14. When used with IPython)
15. When used with UtilityBelt gem
16. "Fish user documentation". 
17. "Fish user documentation". "Completion of filenames, even on strings with wildcards such as '*', '**' and '?'." 
18. The fish shell is an interactive character based input/output surface
19. http://zsh.sourceforge.net/Doc/Release/Completion-System.html
20. "Use PowerShell to Make Mandatory Parameters". 
21. http://jpsoft.com/take-command-windows-scripting.html
22. http://technet.microsoft.com/en-us/library/hh849182.aspx
23. http://www.powershellmagazine.com/2011/09/28/powershell-v3-ise-and-ise-scripting-model-changes-improvements/
24. [1]
25. http://technet.microsoft.com/en-us/library/hh849915.aspx

Programming features

	Functions	Exception handling	Search and replace on variables	Parallel assignment	Variadic functions	Default arguments	Named parameters	Lambda functions	eval function	Pseudorandom number generation	Bytecode
Bourne shell	Yes since SVr2	Yes (via trap)	No	No	Since SVr2	No	No	No	Yes	No	No
POSIX shell	Yes	Yes (via trap)	No	No	Yes	No	No	No	Yes	No	No
bash (v4.0)	Yes	Yes (via trap)	Yes (via ${//} syntax)	No	Yes	Yes	No	No	Yes	Yes ($RANDOM)	No
csh	No	No	No	No	No	No	No	No	Yes	No	No
tcsh	No	No	Yes (via ${:s//} syntax	No	No	No	No	No	Yes	No	No
Scsh	Yes	?	Yes (via string functions and regular expressions)	No	Yes	No	No	Yes	Yes	Yes (random-integer, random-real)	Yes (compiler is Scheme48 virtual machine, "scshvm")
ksh (ksh93t+)	Yes	Yes (via trap)	Yes (via ${//} syntax and builtin commands)	?	Yes	Yes	Yes (for user-defined "types")	No	Yes	Yes ($RANDOM)	Yes (compiler is called "shcomp")
pdksh	Yes	Yes (via trap)	No	?	Yes	Yes	No	No	Yes	Yes ($RANDOM)	No
zsh	Yes	Yes	Yes (via ${:s//} and ${//} syntax)	?	Yes	Yes	No	No	Yes	Yes ($RANDOM)	Yes (built-in command "zcompile")
ash	Yes	Yes (via trap)	No	No	Yes	Yes	No	No	Yes	No	No
Windows cmd.exe	Yes (via "call :label")	No	Yes (via set %varname:expression syntax)	No	No	No	No	No	No	Yes (%random%)	No
TCC (formerly 4NT)	Yes	No	Yes (via %@replace[ ] function)	No	No	No	No	No	Yes	Yes (%@random[ ] function)	No
Windows PowerShell	Yes	Yes	Yes (-replace operator)	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes, automatic
COMMAND.COM	No	No	No	No	No	No	No	No	No	No	No
4DOS	Yes	No	Yes (via %@replace[ ] function)	No	?	No	?	No	Yes	Yes (%@random[ ] function)	No
OS/2 cmd.exe	No	No	No	No	No	No	No	No	No	No	No
rc	Yes	Yes	No	?	Yes	Yes	?	No	Yes	No	No
BeanShell	Yes	Yes	?	?	No	No	No	No	Yes	Yes	Yes
Python shell	Yes	Yes	Yes (via string methods and regular expressions)	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes (standard CPython, IronPython or Jython)
Ruby shell	Yes	Yes	Yes (via string functions and regular expressions)	Yes	Yes	Yes	Yes	Yes	Yes	Yes	Yes (NetRuby, JRuby, version 1.9/YARV)
VMS DCL	Yes	Yes	No	No	No	No	No	No	No	No	No

Notes

String and filename matching

	Pattern Matching (regular expressions built-in)	Pattern Matching (globbing)	Globbing qualifiers (filename generation based on file attributes)	Recursive globbing (generating files from any level of subdirectories)
Bourne shell	No	Yes (*, ?, [...])	No	No
POSIX shell	No	Yes (*, ?, [...])	No	No
bash (v4.0)	Yes	Yes (*, ?, [...], {...})	No	Yes (**/...)
csh	No	Yes	No	No
tcsh	Yes	Yes	No	No
Scsh	Yes	Yes	No	No
ksh (ksh93t+)	Yes	Yes (*, ?, [...])	No	Yes (with set -G, no following of symlinks)
pdksh	No	Yes	No	No
zsh	Yes	Yes (*, ?, [...], ext'd globbing[1])	Yes	Yes (**/... or ***/... to follow symlinks)
ash	No	Yes	No	No
Windows cmd.exe	Yes (via the findstr /r command)	Yes (*, ?)	?	No
TCC (formerly 4NT)	Limited support	Yes (*, ?, [...])	?	Yes (via FOR /R)
Windows PowerShell	Yes (full regex support)[2]	Yes (*, ?, [...])	?	?
COMMAND.COM	No	Yes (*, ?)	?	No
4DOS	No	Yes (*, ?, [...])	?	Yes (via FOR /R)
OS/2 cmd.exe	No	Yes (*, ?)	?	?
rc	No	Yes	No	No
BeanShell	Yes	?	?	?
Python shell	Yes	Yes	Yes (via glob module)	Yes (via glob module)
Ruby shell	Yes	Yes (via Dir.glob method)	?	Yes (via Dir.glob method)
VMS DCL	No	Yes	No	Yes (via [SUBDIR...] )

Notes

1. Zsh offers a variety of globbing options.
2. PowerShell leverages the full .NET regular expression engine which features named captures, zero-width lookahead/-behind, greedy/non-greedy, character classes, level counting etc.

Inter-process communication

	Pipes	Command substitution	Process substitution	Subshells	TCP/UDP connections as streams
Bourne shell	bytes concurrent	Yes	No	Yes	No
POSIX shell	bytes concurrent	Yes	No	Yes	No
bash (v4.0)	bytes concurrent	Yes	Yes (if system supports /dev/fd/<n> or named pipes	Yes	Yes (client only)
csh	bytes concurrent	Yes	No	Yes	No
tcsh	bytes concurrent	Yes	No	Yes	No
Scsh	text	?	?	?	Yes
ksh (ksh93t+)	bytes (may contain serialized objects if print -C is used) concurrent	Yes ($(...) and ${<space>...;})	Yes (if system supports /dev/fd/<n>	Yes	Yes (and SCTP support, client only)
pdksh	bytes concurrent	Yes	No	Yes	No
zsh	bytes concurrent	Yes	Yes	Yes	Yes (client and server but only TCP)
ash	bytes concurrent	Yes	No	Yes	No
Windows cmd.exe	text concurrent	Yes (via FOR /F command)	No	Yes (Backtick: ` in for /f usebackq)	No
TCC (formerly 4NT)	text	Yes (via FOR /F command)	?	Limited, via %@execstr[ ] and %@exec[ ]	No
Windows PowerShell	objects concurrent	Yes	No	Yes	Yes
COMMAND.COM	text sequential temporary files	No	No	No	No
4DOS	text sequential temporary files	Yes (via FOR /F command)	?	Limited, via %@execstr[ ] and %@exec[ ]	No
OS/2 cmd.exe	text concurrent	No	No	?	No
rc	text concurrent	Yes	Yes (via: <{cmd} if system supports /dev/fd/<n>)	Yes	No
BeanShell	not supported	?	?	?	Yes
Python shell	objects (when using IPython+IPipe)	Yes	Yes (via subprocess module)	Yes	Yes
Ruby shell	not supported	Yes	Yes	Yes (Backtick: `)	Yes
VMS DCL	text (via PIPE command)	No	No	Yes (spawn)	Yes (server TCP only)

Notes

Security features

	Secure (password) prompt	Secure credentials prompt	Encrypted variables/ parameters	General execution restriction	Script origin execution restriction	Signed script restriction	Multilevel execution policies	Restricted shell subset	Safe data subset
Bourne shell	via stty[1]	No	No	Yes[2]	No	No	No	Yes	No
POSIX shell	via stty[1]	No	No	Yes[2]	No	No	No	No	No
bash (v4.0)	read -s	No	No	Yes[2]	No	No	No	Yes	No
csh	via stty[1]	No	No	Yes[2]	No	No	No	Yes	No
tcsh	via stty[1]	No	No	Yes[2]	No	No	No	Yes	No
Scsh	via stty[1]	No	No	Yes[2]	No	No	No	No	No
ksh (ksh93t+)	via stty[1]	No	No	Yes[2]	No	No	No	Yes	No
pdksh	via stty[1]	No	No	Yes[2]	No	No	No	Yes	No
zsh	read -s	No	No	Yes[2]	No	No	No	Yes	No
ash	via stty[1]	No	No	Yes[2]	No	No	No	Yes	No
Windows cmd.exe	No	No	No	No	No	No	No	No	No
TCC (formerly 4NT)	Yes[3]	No	No	No	No	No	No	No	No
Windows PowerShell	Yes[4]	Yes	Yes	No[5]	Yes[6]	Yes[7]	Yes[8]	Yes[9]	Yes[10]
COMMAND.COM	No	No	No	No	No	No	No	No	No
4DOS	Yes[3]	No	No	No	No	No	No	No	No
OS/2 cmd.exe	No	No	No	No	No	No	No	No	No
rc	via stty[1]	No	No	Yes[2]	No	No	No	Yes[11]	No
Python shell	?	No	No	No	No	No	No	No	No
Ruby shell	?	No	No	No	No	No	No	No	No
VMS DCL	?	No	No	No	No	No	No	No	No

Secure prompt

Some shell scripts need to query the user for sensitive information such as passwords, private digital keys, PIN codes or other confidential information. Sensitive input should not be echoed back to the screen/input device where it could be gleaned by unauthorized persons. Plaintext memory representation of sensitive information should also be avoided as it could allow the information to be compromised e.g. through swap files, core dumps etc.^[12]

The shells bash, zsh and Windows PowerShell offer this as a specific feature.^[13][14] Shells which do not offer this as a specific feature may still be able to turn off echoing through some other means. Shells executing on a Unix/Linux operating system can use the stty external command to switch off/on echoing of input characters.^[15] In addition to not echoing back the characters, PowerShell's -AsSecureString option also encrypts the input character-by-character during the input process, ensuring that the string is never represented unencrypted in memory where it could be compromised through memory dumps, scanning, transcription etc.

Secure credentials prompt

Scripts that connect to resources on behalf of the user will usually (security best practice) query the user for his/her credentials at run time. Depending on the security policies in place, the credentials may be in the form of username+password, smart card with PIN code, biometrics, tokens etc. The script should be able to handle (relay) credentials without restricting the credential type to username+password, i.e. it should be able to handle "abstract" credentials without concerns about specific type of the credentials.

PowerShell comes with the Get-Credential cmdlet which prompts for credentials and which can accept other types of credentials, e.g. a smart card with a PIN code depending on the security providers available at run time. Scripts that need to obtain credentials to access resources on behalf of the user can use this cmdlet to obtain credentials without specifying which form they must take. The Get-Credential cmdlet returns credentials in Common Criteria compliant encrypted form.^[16]

Encrypted variables/parameters

If a script reads a password into an environment variable it is in memory in plain text, and thus may be accessed via a core dump. It is also in the process environment, which may be accessible by other processes started by the script.^[17]

PowerShell can work with encrypted string variables/parameters.^[18] Encrypted variables ensure that values are not inadvertently disclosed through e.g. transcripts, echo'ing, logfiles, memory or crash dumps or even malicious memory scanning. PowerShell also supports saving of such encrypted strings in text files, protected by a key owned by the current user.

General execution restriction

Some operating systems define an execute permission which can be granted to users/groups for a script file. The Linux/Unix shells in general require that this bit be set if a file is invoked as a script file to be executed by the shell. Although Windows also specifies an execute permission, none of the Windows specific shells block script execution if the permission has not been granted. PowerShell protects against inadvertently executing scripts obtained from untrusted sources through other means (described in the following sections).

Script origin execution restriction

PowerShell can be set to block execution of scripts which has been marked as obtained from an unknown/untrusted origin (e.g. the Internet).^[19] Internet facing applications such as web browsers, IM clients, mail readers etc. mark files downloaded from the internet with the origin zone in an alternate data stream which is understood by PowerShell. The Unix/Linux shell in general block on the specific execute permission (see General execution restriction above), not based on origin zone.

Signed script restriction

Script/code signing policies can be used to ensure that an operations department only run approved scripts/code which have been reviewed and signed by a trusted reviewer/approver. Signing regimes also protects against tampering. If a script is sent from vendor to a client, the client can use signing to ensure that the script has not been tampered with during transit and that the script indeed originates from the vendor and not an attacker trying to social engineer an operator into running an attack script.

PowerShell can be set to allow execution of otherwise blocked scripts (e.g. originating from an untrusted zone) if the script has been digitally signed using a trusted digital certificate.^[20][21][22]

Multilevel execution policies

A company may want to enforce execution restriction globally within the company and/or certain parts of the company. It may want to set a policy for running signed scripts but allow certain parts of the company to set their own policies for zoned restrictions.

PowerShell allows script blocking policies to be enforced at multiple levels: Local machine, current user etc. A higher level policy overrides a lower level policy, e.g. if a policy is defined for the local machine it is in place for all users of the local machine, only if it is left undefined at the higher level can it be defined for the lower levels.

Restricted shell subset

Several shells can be started or be configured to start in a mode where only a limited set of commands and actions is available to the user. While not a security boundary (the command accessing a resource is blocked rather than the resource) this is nevertheless typically used to restrict users' actions before logging in.

A restricted mode is part of the POSIX specification for shells, and most of the Linux/Unix shells support such a mode where several of the built-in commands are disabled and only external commands from a certain directory can be invoked.^[23][24]

PowerShell supports restricted modes through session configuration files or session configurations. A session configuration file can define visible (available) cmdlets, aliases, functions, path providers and more.^[25]

Safe data subset

Scripts that invoke other scripts can be a security risk as they can potentially execute foreign code in the context of the user who launched the initial script. Scripts will usually be designed to exclusively include scripts from known safe locations; but in some instances, e.g. when offering the user a way to configure the environment or loading localized messages, the script may need to include other scripts/files.^[26] One way to address this risk is for the shell to offer a safe subset of commands which can be executed by an included script.

PowerShell data sections can contain constants and expressions using a restricted subset of operators and commands.^[27] PowerShell data sections are used when e.g. localized strings needs to be read from an external source while protecting against unwanted side effects.

Notes

1. The shell can use the stty utility to supress echoing of typed characters to the screen. This requires multiple steps: 1. reading the current echo state, 2. switching echo off, 3. read the input 4. switch echo state back to the original state.
2. Scripts can only be invoked directly if user has execute permission on the file. Scripts can still be piped as input to the shell processor without execute permission.
3. INPUT /P echoes back asterisks for each typed character
4. Read-Host -AsSecureString reads a string of characters from the input device into an encrypted string, one character at a time thus ensuring that there is no memory image of the clear text which could be gleaned from scanning memory, or from crash dumps, memory dumps, paging files, log files or similar
5. PowerShell script files (.ps1 files) are by default associated with the Notepad editor, not with the PowerShell execution engine. Invoking a .ps1 file will launch Notepad rather than executing the script. Even though the underlying operating system (Windows) supports an
6. PowerShell allows an execution policy to specify if scripts with zone identifiers indicating that they were obtained from an untrusted zone should be allowed to execute.[2]
7. PowerShell scripts can be signed with a digital certificate, and PowerShell can be set to block execution of unsigned scripts.[3]
8. PowerShell defines 5 levels (scopes) where execution policies can be defined, where a higher level overrides a lower level. [4]
9. Startup scripts per computer/user can import modules and expose a subset the commands/functions available in the modules.
10. PowerShell Data sections define sections of scripts which can be evaluated using a restricted subset of commands.[5]
11. -l makes rc behave as a restricted login shell.[6]
12. Provos, Niels. "Encrypting Virtual Memory". Center for Information Technology Integration, University of Michigan. Retrieved 20 December 2012. 
13. "bash - GNU Bourne-Again SHell". "read -s Silent mode. If input is coming from a terminal, characters are not echoed." 
14. "Using the Read-Host Cmdlet". "By adding the -assecurestring parameter you can mask the data entered at the prompt" 
15. "Linux / Unix Command: stty". 
16. http://blogs.msdn.com/b/powershell/archive/2008/06/20/getting-credentials-from-the-command-line.aspx
17. Albing, Carl; Vossen, J.P.; Newham, Cameron (2007). "3.8. Prompting for a Password". Bash cookbook (1. ed. ed.). Sebastopol, Calif.: O'Reilly. p. 65. ISBN 978-0-596-52678-8. "Be aware that if you read a password into an environment variable it is in memory in plain text, and thus may be accessed via a core dump or /proc/core. It is also in the process environment, which may be accessible by other processes."  |accessdate= requires |url= (help)
18. Holmes, Lee. "SecureStrings in PowerShell". Retrieved 18 December 2012. 
19. http://www.windowsecurity.com/articles/PowerShell-Security.html
20. http://www.hanselman.com/blog/SigningPowerShellScripts.aspx
21. http://blogs.technet.com/b/heyscriptingguy/archive/2010/06/17/hey-scripting-guy-how-can-i-sign-windows-powershell-scripts-with-an-enterprise-windows-pki-part-2-of-2.aspx
22. http://technet.microsoft.com/en-us/library/ee176949.aspx
23. http://pwet.fr/man/linux/commandes/posix/sh
24. http://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html
25. http://technet.microsoft.com/en-us/library/hh849712.aspx
26. Albing, Carl; Vossen, J.P.; Newham, Cameron (2007). Bash cookbook (1. ed. ed.). Sebastopol, Calif.: O'Reilly. ISBN 978-0-596-52678-8. "[...] is hardly what one thinks of as a passive list of configured variables. It can run other commands (e.g.,cat) and use if statements to vary its choices. It even ends by echoing a message. Be careful when you source something, as it’s a wide open door into your script." 
27. "about_Data_Sections". Microsoft. Retrieved 18 December 2012. 

External links

• Linux Magazine: Bash vs. Vista PowerShell
• IEEE. 1003.1 Standard for Information Technology – Portable Operating System Interface (POSIX): Shell and Utilities, Issue 7