curl https://some-url/ | sh
I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?
I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?
Yeah I hate this stuff too, I usually pipe it into a file figure out what it’s doing and manually install the program from there.
FWIW I’ve never found anything malicious from these scripts but my internal dialogue starts screaming when I see these in the wild, I don’t want to run some script and not know what it’s touching malicious or not it’s a PITA.
As a linux user, I like to know what’s happening under the hood as best I can and these scripts go against that
If you’re worried, download it into a file first and read it.
I don’t cringe. Just instinctively
Ctrl+WJust direct it into a file, read the script, and run it if you’re happy. It’s just a shorthand that doesn’t require saving the script that will only be used once.
Unpopular opinion, these are handy for quickly installing in a new vm or container (usually throwaway) where one don’t have to think much unless the script breaks. People don’t install thing on host or production multiple times, so anything installed there is usually vetted and most of the times from trusted sources like distro repos.
For normal threat model, it is not much different from downloading compiled binary from somewhere other than well trusted repos. Windows software ecosystem is famously infamous for exactly the same but it sticks around still.
Yeah and windows is famous for botnets lol.
Yet most botnets are Linux based.
In not talking about the CAC. I’m talking about the members of the botnet.
Or are you hinting at Linux based IoT devices?
IoT devices, web servers, etc.
Back up your data folks. You’re probably more likely to accidentally
rm -rfyourself than download a script that will do it.To be fair that’s because Linux funnels you to the safeguard-free terminal where it’s much harder to visualize what’s going on and fewer checks to make sure you’re doing what you mean to be doing. I know it’s been a trend for a long time where software devs think they are immune from mistakes but…they aren’t. And nor is anyone else.
You could just read the script file first… Or YOLO trust it like you trust any file downloaded from a relatively safe source… At least you can read a script.
I usually read it first.
Download it and then read it. Curl has a different user agent than web browsers.
Yeah I guess if they were being especially nefarious they could supply two different scripts based on user-agent. But I meant what you said anyways… :) I download and then read through the script. I know this is a common thing and people are wary of doing it, but has anyone ever heard of there being something disreputable in one of this scripts? I personally haven’t yet.
I’ve seen it many times. It usually takes the form of fake websites that are impersonating the real thing. It is easy to manipulate Google results. Also, there have been a few cases where a bad design and a typo result in data loss.
@cschreib
No.| shstands for shake head at bad practicesTo answer the question, no - you’re not the only one. People have written and talked about this extensively.
Personally, I think there’s a lot more nuance to the answer. Also a lot has been written about this.
You mention “communities that are security conscious”. I’m not sure in which ways you feel this practice to be less secure than alternatives. I tend to be pretty security conscious, to the point of sometimes being annoying to my team mates. I still use this installation method a lot where it makes sense, without too much worry. I also skip it other times.
Without knowing a bit more about your specific worries and for what kinds of threat you feel this technique is bad, it’s difficult to respond specifically.
Feel is fine, and if you’re uncomfortable with something, the answer is generally to either avoid it (by reading the script and executing the relevant commands yourself, or by skipping using this software altogether, for instance), or to understand why you’re uncomfortable and rationally assess whether that feeling is based on reality or imagination - or to which degree of each.
As usual, the real answer is - it depends.
Thank you for the nuanced answer!
You ask why I feel this is less secure: it seems the lowest possible bar when it comes to controlling what gets installed on your system. The script may or may not give you a choice as to where things get installed. It could refuse to install or silently overwrite stuff if something already exists. If install fails, it may or may not leave data behind, in directories I may or may not know about. It may or may not run a checksum on the downloaded data before installing. Because it’s a competely free-form script, there is no standard I can expect. For an application, I would read the documentation to learn more, but these scripts are not normally documented (other than “use this to install”). That uncertainty, to me, is insecure/unsafe.
What’s stopping the downloaded script from wiping my home directory?
No
I also feel incredibly uncomfortable with this. Ultimately it comes down to if you trust the application or not. If you do then this isn’t really a problem as regardless they’re getting code execution on your machine. If you don’t, well then don’t install the application. In general I don’t like installing applications that aren’t from my distro’s official repositories but mostly because I like knowing at least they trust it and think it’s safe, as opposed to any software that isn’t which is more of an unknown.
Also it’s unlikely for the script to be malicious if the application is not. Further, I’m not sure a manual install really protects anyone from anything. Inexperienced users will go through great lengths and jump through some impressive hoops to try and make something work, to their own detriment sometimes. My favorite example of this is the LTT Linux challenge. apt did EVERYTHING it could think to do to alert that the steam package was broken and he probably didn’t want to install it, and instead of reading the error he just blindly typed out the confirmation statement. Nothing will save a user from ruining their system if they’re bound and determined to do something.
In this case apt should have failed gracefully. There is no reason for it to continue if a package is broken. If you want to force a broken package, that can be it’s own argument.
I’m not sure that would’ve made a difference. It already makes you go out of your way to force a broken package. This has been discussed in places before but the simple fact of the matter is a user that doesn’t understand what they’re doing will perservere. Putting up barriers is a good thing to do to protect users, spending all your time and effort to cover every edge case is a waste of time because users will find ways to shoot themselves in the foot.
How is that safe?
It’s not, it’s a sign that the authors don’t take security seriously.
If you use this
I never do.
