curl https://some-url | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • thomask@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    14
    arrow-down
    2
    ·
    edit-2
    20 hours ago

    The security concerns are often overblown. The bigger problem for me is I don’t know what kind of mess it’s going to make or whether I can undo it. If it’s a .deb or even a tarball to extract in /usr/local then I know how to uninstall.

    I will still use them sometimes but for things I know and understand - e.g. rustup will put things in ~/.rustup and update the PATH in my shell profile and because I know that’s what it does I’m happy to use the automation on a new system.

      • thomask@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        10
        ·
        edit-2
        15 hours ago

        So tell me: if I download and run a bash script over https, or a .deb file over https and then install it, why is the former a “security nightmare” and the latter not?

        • jagged_circle@feddit.nl
          link
          fedilink
          English
          arrow-up
          2
          ·
          4 hours ago

          Both are a security nightmare, if you’re not verifying the signature.

          You should verify the signature of all things you download before running it. Be it a bash script or a .deb file or a .AppImage or to-be-compiled sourcecode.

          Best thing is to just use your Repo’s package manager. Apt will not run anything that isn’t properly signed by a package team members release PGP key.