Is it a bad idea to pipe a script from curl to your shell?
Online, I often see someone tell people to run a command like /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
(example from https://brew.sh/).
The general pattern is that you download some shell script from an online location and send it straight to your shell.
Isn't this a bad idea? Why do so many developers put it in their instructions? I thought that perhaps the command is not meant literally, but you're supposed to read the more succinct command and compose your own alternative approach. But this seems more common with projects that try to be "user-friendly", ones where you'd suspect their audience is neither aware of the implications of doing this, nor able to analyze what the command does, nor able to construct an alternative approach.
2 answers
Yes, it's a sloppy practice often joked upon but the security concerns are overblown: Piping unknown code into bash feels scary (and it should), but running make
can be just as dangerous. Some install scripts make unwanted changes to .bashrc
or to the filesystem so I still prefer to download the script and inspect it before running it (don't re-download the script as it might have changed).
Also, keep in mind that it's notoriously difficult to write a robust shell script. It could wipe your hard drive, even though it was written with good intentions.
Copy-pasting commands from the README isn't secure either. Try copy-pasting the line below:
echo pwned;echo "triple-click and copy me!";echo pwned
As a developer, you should tell users to prefer packages from their Linux distro, if available. Packages are easier to uninstall, provide integrity via checksums, and are vetted by package maintainers. You should work together with downstream package maintainers and follow common practices to make it easy to package your software.
However, being able to install unpackaged software by running a single command can be convenient if you are inside a throw-away machine like a VM or Docker container.
I won’t repeat the points mentioned in Ordoviz’s answer, but there’s another important aspect which is often forgotten: when you pipe a script to a shell (or pass it as an argument to -c
), whatever is downloaded will be executed, even if the download is incomplete. This can lead to frustration, hilarity, or disaster (think of an unfortunately truncated rm
…).
Authors of scripts intended for execution in this way can guard against this by making sure that the script only runs if it’s complete. There are a couple of techniques to do this. Asahi Linux’s bootstrap script relies on the fact that an if
block is entirely parsed before being run. Other scripts define their contents as one or more functions first, and have the function call which kicks everything off as the last line of the script. As far as I can tell, the Homebrew installation script doesn’t guard against truncation.
0 comment threads