Adding basicConstraints without openssl.cnf
I couldn’t see how to avoid using it entirely, but using the default config and commenting out anything you set by command line seems efficient enough.
Utilize -addext, which can be used multiple times.
Given an already-existing privkey.pem, and with the caveat that e.g. /etc/ssl/openssl.cnf does not have conflicting instructions, the following seems to do it without the bashism.
DAYS='240'
SUBJECT='/CN=example.com/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US'
SERIAL='0x1001'
openssl req \
    -addext basicConstraints=critical,CA:TRUE,pathlen:1 \
    -outform pem -out cacert.pem \
    -key privkey.pem -new -x509 \
    -days "${DAYS}" \
    -subj "${SUBJECT}" \
    -set_serial "${SERIAL}"
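
To confirm the result and catch the "conflicting instructions" caveat, the certificate can be inspected for exactly one critical basicConstraints extension. This is an added example, not part of the original text: the function names make_demo_ca and check_ca_constraints and the minimal min.cnf are hypothetical, and it assumes OpenSSL 1.1.1 or later (for -addext).

```sh
#!/bin/sh
# Added example: verify the CA certificate produced by the -addext command.

# make_demo_ca DIR [CONSTRAINT]: build a throwaway key and self-signed CA
# certificate in DIR with the page's command. Assumption: a minimal config
# (min.cnf) stands in for the system openssl.cnf so that no other section
# contributes extensions of its own.
make_demo_ca() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/min.cnf"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/privkey.pem" 2>/dev/null &&
    openssl req -config "$1/min.cnf" \
        -addext "basicConstraints=${2:-critical,CA:TRUE,pathlen:1}" \
        -outform pem -out "$1/cacert.pem" \
        -key "$1/privkey.pem" -new -x509 \
        -days 240 \
        -subj '/CN=example.com/O=Example Co./OU=Engineering/L=Boston/ST=MA/C=US' \
        -set_serial 0x1001
}

# check_ca_constraints CERT: succeed only if CERT has exactly one
# basicConstraints extension and it reads "critical, CA:TRUE, pathlen:1".
# A count above one means a config section and -addext both supplied it.
check_ca_constraints() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    count=$(printf '%s\n' "$text" | grep -c 'X509v3 Basic Constraints' || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 basicConstraints extension, found $count" >&2
        return 1
    fi
    # The extension value is printed on the line after the header.
    printf '%s\n' "$text" | awk '
        /X509v3 Basic Constraints: critical/ {
            getline
            if ($0 ~ /CA:TRUE, pathlen:1[ \t]*$/) ok = 1
        }
        END { exit !ok }'
}

# Demo run on a constructed certificate in a temporary directory.
demo_dir=$(mktemp -d)
if make_demo_ca "$demo_dir" && check_ca_constraints "$demo_dir/cacert.pem"; then
    echo "cacert.pem: basicConstraints critical, CA:TRUE, pathlen:1"
else
    echo "cacert.pem: basicConstraints check failed" >&2
fi
rm -rf "$demo_dir"
```

Running check_ca_constraints against a cacert.pem made with the system config shows whether the caveat about /etc/ssl/openssl.cnf applies on that machine.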