
Piping Curl to S(hell) - signa11
https://0x46.net/thoughts/2019/04/27/piping-curl-to-shell/
======
wodenokoto
I generally don't know what my installers do. When I install games from Steam,
applications from the App Store, browsers from Mozilla, or Python
distributions from Continuum, I don't know what the installer does. Or really,
the software for that matter.

How would I? And even if I did, how would I know what the software does?

If you don't trust GitHub user robbyrussell to serve you a legitimate
installer, why would you trust that user to serve you a legitimate program?

The part about partially downloaded scripts causing havoc is however quite
relevant.

------
lioeters
The article raises good points, and I agree.

Seeing how piping curl to shell is a common practice to install something, I
wonder what safer (and still simple) alternatives there are? Recently I
encountered this situation and I piped curl to a file, read through the script
to ensure what it does, then chmod +x the file and ran it. Not sure if that
will become a common practice, though.
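
The download-then-inspect workflow described above, together with the partial-download hazard wodenokoto mentions, as an added example that is not from the article or from any commenter: the two constructed "installer" scripts, the 50-byte cut-off and the digest check are illustrative assumptions, and everything runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or any commenter. Shows why a
# partially downloaded installer is dangerous when fed straight to sh, and two
# defences: (1) put the body in a function called only on the last line, so a
# cut-off copy defines nothing and executes nothing; (2) check the file against
# a digest obtained out of band before sh ever sees it. All inputs constructed.
set -u

write_naive() {   # $1 = path; constructed installer with top-level commands
  printf '%s\n' '#!/bin/sh' \
    'echo "step 1: installing"' \
    'echo "step 2: cleaning up"' > "$1"
}

write_wrapped() {   # $1 = path; same installer, body wrapped in main()
  printf '%s\n' '#!/bin/sh' 'main() {' \
    '  echo "step 1: installing"' \
    '  echo "step 2: cleaning up"' \
    '}' 'main "$@"' > "$1"
}

truncate_to() {   # $1 = src, $2 = byte count, $3 = dst; simulates a dropped connection
  head -c "$2" "$1" > "$3"
}

steps_run() {   # $1 = script; prints how many installer steps sh actually executed
  sh "$1" 2>/dev/null | grep -c '^step' || true
}

digest_of() {   # $1 = file; prints its sha256 hex digest (GNU or BSD tooling)
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | cut -d' ' -f1
}

run_if_digest_matches() {   # $1 = script, $2 = expected digest; refuses to run otherwise
  [ "$(digest_of "$1")" = "$2" ] || return 1
  sh "$1"
}

WORK="$(mktemp -d)"
write_naive "$WORK/naive.sh"
write_wrapped "$WORK/wrapped.sh"
truncate_to "$WORK/naive.sh" 50 "$WORK/naive.part"
truncate_to "$WORK/wrapped.sh" 50 "$WORK/wrapped.part"
echo "naive installer cut at 50 bytes:   $(steps_run "$WORK/naive.part") step(s) ran"   # 1
echo "wrapped installer cut at 50 bytes: $(steps_run "$WORK/wrapped.part") step(s) ran" # 0
```

The naive copy has already run its first command before sh hits the unterminated line, while the wrapped copy fails to parse and runs nothing; the digest check is what catches a truncated or tampered file before either happens.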

~~~
effie
If you need to run some unvetted software, do so in a locked-down virtual
machine, or at least run it only with the privileges of a very restricted Unix
user.

~~~
dTal
I don't know about you, but I haven't "vetted" _any_ of the software on my
machine, in the sense of proving to myself in any strong sense that it's not
malicious. I just rely on a loose web of trust and a hefty dose of contextual
clues. Piping curl to bash _feels_ dangerous, but it is at least equivalent to
(and probably actually strictly safer than) running ./configure; make on some
weird tarball.

~~~
effie
We all rely on clues like: is the distributor well known, is the software
very interesting to attackers, etc. Piping curl of a random URL to a shell and
running configure and make on a tarball from a random URL is dangerous, because
you do not know what gets executed. I don't see a difference; it's the same
problem. If you have to run those programs, the safest way is to do so on a
dedicated "untrusted" computer that has as little access to your data as
possible. On your main work machine, rely on vetted software from well-known,
reliable sources, for example your OS distributor.

