Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Is it a bad idea to pipe a script from curl to your shell?

+4
−0

Online, I often see someone tell people to run a command like /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" (example from https://brew.sh/).

The general pattern is that you download some shell script from an online location and send it straight to your shell.

Isn't this a bad idea? Why do so many developers put it in their instructions? I thought that perhaps the command is not meant literally, but you're supposed to read the more succinct command and compose your own alternative approach. But this seems more common with projects that try to be "user-friendly", ones where you'd suspect their audience is neither aware of the implications of doing this, nor able to analyze what the command does, nor able to construct an alternative approach.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

0 comment threads

2 answers

You are accessing this answer with a direct link, so it's being shown above all other answers regardless of its score. You can return to the normal view.

+6
−0

Yes, it's a sloppy practice often joked upon but the security concerns are overblown: Piping unknown code into bash feels scary (and it should), but running make can be just as dangerous. Some install scripts make unwanted changes to .bashrc or to the filesystem so I still prefer to download the script and inspect it before running it (don't re-download the script as it might have changed).

Also, keep in mind that it's notoriously difficult to write a robust shell script. It could wipe your hard drive, even though it was written with good intentions.

Copy-pasting commands from the README isn't secure either. Try copy-pasting the line below:

echo pwned;echo "triple-click and copy me!";echo pwned

As a developer, you should tell users to prefer packages from their Linux distro, if available. Packages are easier to uninstall, provide integrity via checksums, and are vetted by package maintainers. You should work together with downstream package maintainers and follow common practices to make it easy to package your software.

However, being able to install unpackaged software by running a single command can be convenient if you are inside a throw-away machine like a VM or Docker container.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.

1 comment thread

What's wrong with the example (1 comment)
+3
−0

I won’t repeat the points mentioned in Ordoviz’s answer, but there’s another important aspect which is often forgotten: when you pipe a script to a shell (or pass it as an argument to -c), whatever is downloaded will be executed, even if the download is incomplete. This can lead to frustration, hilarity, or disaster (think of an unfortunately truncated rm…).

Authors of scripts intended for execution in this way can guard against this by making sure that the script only runs if it’s complete. There are a couple of techniques to do this. Asahi Linux’s bootstrap script relies on the fact that an if block is entirely parsed before being run. Other scripts define their contents as one or more functions first, and have the function call which kicks everything off as the last line of the script. As far as I can tell, the Homebrew installation script doesn’t guard against truncation.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.

0 comment threads

Sign up to answer this question »