curl https://some-url/ | sh
I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?
I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?
For security reasons, I review every line of code before it’s executed on my machine.
Before I die, I hope to take my ‘93 dell optiplex out of its box and finally see what this whole internet thing is about.
Not good enough. You should really be inspecting your CPU with a microscope.
You could just read the script file first… Or YOLO trust it like you trust any file downloaded from a relatively safe source… At least you can read a script.
What’s stopping the downloaded script from wiping my home directory?
What’s stopping any Makefile, build script, or executable from running
rm -rf ~? The correct answer is “nothing”. PPAs are similarly open, things are a little safer if you only use your distro’s default package sources, but it’s always possible that a program will want to be able to delete something in your home directory, so it always has permission.Containerized apps are the only way around this, where they get their own home directory.
It isn’t more dangerous than running a binary downloaded from them by any other means. It isn’t more dangerous than downloaded installer programs common with Windows.
TBH macOS has had the more secure idea of by default using sandboxes applications downloaded directly without any sort of installer. Linux is starting to head in that direction now with things like Flatpak.
What’s stopping the downloaded script from wiping my home directory?
| shstands for shake head at bad practicesIf you’re worried, download it into a file first and read it.
You have the option of piping it into a file instead, inspecting that file for yourself and then running it, or running it in some sandboxed environment. Ultimately though, if you are downloading software over the internet you have to place a certain amount of trust in the person your downloading the software from. Even if you’re absolutely sure that the download script doesn’t wipe your home directory, you’re going to have to run the program at some point and it could just as easily wipe your home directory at that point instead.
Indeed, looking at the content of the script before running it is what I do if there is no alternative. But some of these scripts are awfully complex, and manually parsing the odd bash stuff is a pain, when all I want to know is : 1) what URL are you downloading stuff from? 2) where are you going to install the stuff?
As for running the program, I would trust it more than a random deployment script. People usually place more emphasis on testing the former, not so much the latter.
You have the option of piping it into a file instead, inspecting that file for yourself and then running it, or running it in some sandboxed environment.
That’s not what projects recommend though. Many recommend piping the output of an HTTP transfer over the public Internet directly into a shell interpreter. Even just
curl https://... > install.sh; sh install.shwould be one step up. The absolute minimum recommendation IMHO should be
curl https://... > install.sh; less install.sh; sh install.shbut this is still problematic.
Ultimately, installing software is a labourious process which requires care, attention and the informed use of GPG. It shouldn’t be simplified for convenience.
Also, FYI, the word “option” implies that I’m somehow restricted to a limited set of options in how I can use my GNU/Linux computer which is not the case.
Showing people that are running curl piped to bash the script they are about to run doesn’t really accomplish anything. If they can read bash and want to review the script then they can by just opening the URL, and the people that aren’t doing that don’t care what’s in the script, so why waste their time with it?
Do you think most users installing software from the AUR are actually reading the pkgbuilds? I’d guess it’s a pretty small percentage that do.
Showing people that are running curl piped to bash the script they are about to run doesn’t really accomplish anything. If they can read bash and want to review the script then they can by just opening the URL
What it accomplishes is providing the instructions (i.e. an easily copy-and-pastable terminal command) for people to do exactly that.
If you can’t review a bash script before running it without having an unnecessarily complex one-liner provided to you to do so, then it doesn’t matter because you aren’t going to be able to adequately review a bash script anyway.
If you can’t review a bash script before running it without having an unnecessarily complex one-liner provided to you
Providing an easily copy-and-pastable one-liner does not imply that the reader could not themselves write such a one-liner.
Having the capacity to write one’s own commands doesn’t imply that there is no value in having a command provided.
unnecessarily complex
LOL
I don’t think you realize that if your goal is to have a simple install method anyone can use, even redirecting the output to install.sh like in your examples is enough added complexity to make it not work in some cases. Again, those are not made for people that know bash.
even redirecting the output to install.sh like in your examples is enough added complexity to make it not work in some cases
You can’t have any install method that works in all cases.
if your goal is to have a simple install method anyone can use
Similarly, you can’t have an install method anyone can use.
I mean if you think that it’s bad for linux culture because you’re teaching newbies the wrong lessons, fair enough.
My point is that most people can parse that they’re essentially asking you to run some commands at a url, and if you have even a fairly basic grasp of linux it’s easy to do that in whatever way you want. I don’t know if I personally would be any happier if people took the time to lecture me on safety habits, because I can interpret the command for myself.
curl https://some-url/ | shis terse and to the point, and I know not to take it completely literally.linux culture
snigger
you’re teaching newbies the wrong lessons
The problem is not that it’s teaching bad lessons, it’s that it’s actually doing bad things.
most people can parse that they’re essentially asking you to run some commands at a url
I know not to take it completely literally
Then it needn’t be written literally.
I think you’re giving the authors of such installation instructions too much credit. I think they intend people to take it literally. I think this because I’ve argued with many of them.
Who the fuck types out “snigger” haha
Teleports behind you
Back up your data folks. You’re probably more likely to accidentally
rm -rfyourself than download a script that will do it.I usually read it first.
Download it and then read it. Curl has a different user agent than web browsers.
Yeah I guess if they were being especially nefarious they could supply two different scripts based on user-agent. But I meant what you said anyways… :) I download and then read through the script. I know this is a common thing and people are wary of doing it, but has anyone ever heard of there being something disreputable in one of this scripts? I personally haven’t yet.
I’ve seen it many times. It usually takes the form of fake websites that are impersonating the real thing. It is easy to manipulate Google results. Also, there have been a few cases where a bad design and a typo result in data loss.
I think safer approach is to:
- Download the script first, review its contents, and then execute.
- Ensure the URL uses HTTPS to reduce the risk of man-in-the-middle attacks
If steam accidentally deleted someone’s home directory in a bash script via a single error, I doubt I would catch that one myself.
If you’ve downloaded and audited the script, there’s no reason to pipe it from curl to sh, just run it. No https necessary.
The https is to cover the factthat you might have missed something.
I guess I download and skim out of principle, but they might have hidden something in there.
Wat. All https does is encrypt the connection when downloading. If you’ve already downloaded the file to audit it, then it’s in your drive, no need to use curl to download it again and then pipe it to sh. Just click the thing.
Yeah, https was for downloading it in the first place. My bad, I didn’t get my thoughts out in the right order.
That makes sense. I probably should have gotten it from context.
Install scripts are bad in general. ideally use officially packaged software.
But then they’d have to lay some guy 15$ to package it and thats like, spending money
Distros do the packaging. Devs can not be trusted
That’s how you end up without software.
That’s how you end up with a secure well tested system. Having the distro do software reviews adds another level of validation. Devs are bad about shipping software with vulnerable dependencies and stuff like that.
And then you install wordpress, lol.
Loads of distros have user packing like arch and nixos… also many distors accept donations to package your software either way so my point stands even then.
Meanwhile nix install instructions start of with a curl
?
the instructions for installing on not nixos https://nixos.org/download/
What part is confusing you?
It’s not much different from downloading and compiling source code, in terms of risk. A typo in the code could easily wipe home or something like that.
Obviously the package manager repo for your distro is the best option because there’s another layer of checking (in theory), but very often things aren’t in the repos.
The solution really is just backups and snapshots, there are a million ways to lose files or corrupt them.
You should use officially packaged software. That’s the safest option.
Yeah when you can, often stuff isn’t in it though.
Debian has 60,425 packages. I would recommend that you create a Debian container with distrobox and install whatever you need. If you need newer versions you can use Debian Sid.
Yeah it’s often missing CLI tools that are from small devs who can’t do packaging.
Unpopular opinion, these are handy for quickly installing in a new vm or container (usually throwaway) where one don’t have to think much unless the script breaks. People don’t install thing on host or production multiple times, so anything installed there is usually vetted and most of the times from trusted sources like distro repos.
For normal threat model, it is not much different from downloading compiled binary from somewhere other than well trusted repos. Windows software ecosystem is famously infamous for exactly the same but it sticks around still.
Those just don’t get installed. I refuse to install stuff that way. It’s to reminiscent of installing stuff on windows. “Pssst, hey bud, want to run this totally safe executable on your PC? It won’t do anything bad. Pinky promise”. Ain’t happening.
The only exception I make is for nix on non-nixos machines because thwt bootstraps everything and I’ve read that script a few times.
curl | sudo bash Gang
