Communities

The Great Outdoors

Photography & Video

Scientific Speculation

Electrical Engineering

Languages & Linguistics

Software Development

Community Proposals

tag:snake search within a tag

answers:0 unanswered questions

user:xxxx search by author id

score:0.5 posts with 0.5+ score

"snake oil" exact phrase

votes:4 posts with 4+ votes

created:<1w created < 1 week ago

post_type:xxxx type of post

Notifications

Mark all as read See all your notifications »

Q&A

Posts Tags Edits

Comments on Is it a bad idea to pipe a script from curl to your shell?

Parent

Is it a bad idea to pipe a script from curl to your shell?

+4

−0

Online, I often see someone tell people to run a command like /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" (example from https://brew.sh/).

The general pattern is that you download some shell script from an online location and send it straight to your shell.

Isn't this a bad idea? Why do so many developers put it in their instructions? I thought that perhaps the command is not meant literally, but you're supposed to read the more succinct command and compose your own alternative approach. But this seems more common with projects that try to be "user-friendly", ones where you'd suspect their audience is neither aware of the implications of doing this, nor able to analyze what the command does, nor able to construct an alternative approach.

security shell-scripting best-practices

posted 4 months ago

CC BY-SA 4.0

matthewsnyder‭

1806 reputation 122 75 285 109

Raw

Markdown

is a duplicate

This question has been asked before and has already been answered. It should be marked as a duplicate.

Please enter the URL of the proposed duplicate in the details field below.

not constructive

This question cannot be answered in a way that is helpful to anyone. It's not possible to learn something from possible answers, except for the solution for the specific problem of the asker.

0 comment threads

Post

+6

−0

Yes, it's a sloppy practice often joked upon but the security concerns are overblown: Piping unknown code into bash feels scary (and it should), but running make can be just as dangerous. Some install scripts make unwanted changes to .bashrc or to the filesystem so I still prefer to download the script and inspect it before running it (don't re-download the script as it might have changed).

Also, keep in mind that it's notoriously difficult to write a robust shell script. It could wipe your hard drive, even though it was written with good intentions.

Copy-pasting commands from the README isn't secure either. Try copy-pasting the line below:

echo pwned;echo "triple-click and copy me!";echo pwned

As a developer, you should tell users to prefer packages from their Linux distro, if available. Packages are easier to uninstall, provide integrity via checksums, and are vetted by package maintainers. You should work together with downstream package maintainers and follow common practices to make it easy to package your software.

However, being able to install unpackaged software by running a single command can be convenient if you are inside a throw-away machine like a VM or Docker container.

posted 4 months ago

CC BY-SA 4.0

101 reputation 0 3 10 0

Copy Link

Raw

Markdown

1 comment thread

What's wrong with the example (1 comment)

matthewsnyder‭ wrote 3 months ago · edited 3 months ago

For other readers: The example uses some HTML magic to hide some extra text. It works because technically Markdown can have HTML mixed in and this site supports that. The hidden text contains shell commands, when you triple-click, they get selected too.

I figured I'd leave this here since it's a bit ironic to see "just try it and see ;-)" in an answer complaining about the same attitude. :)