A related issue is with adding the nameref attribute to a readonly variable. Not sure if that should be allowed, as it can be used to change the meaning of the variable, even for variables that bash is using internally:
$ TIMEFORMAT='%R' $ time bash -c 'readonly TMOUT=5; read'5.007 $ time bash -c 'readonly TMOUT=5; ref=$TMOUT; declare -n ref; ref=10; declare -n TMOUT; read'10.004 The same technique works for circumventing PATH in a restricted shell: $ PATH='/restricted/bin' $BASH -r -c 'type sed; ref=$PATH; declare -n ref; ref=/usr/bin; declare -n PATH; type sed' bash bash: line 0: type: sed: not found sed is /usr/bin/sed