Show HN: "curl … | sh" is bad. - sandofsky
http://poww.cx/

======
rhymeswithcycle
How is this the slightest bit different than faking a site and altering the
binary/source package on the other end of a regular old Download link?

(edit: Oh. You're doing user-agent sniffing for curl. Fair enough, but this
still isn't any less secure than downloading and executing a binary.)

~~~
jcapote
This is why most packages are distributed with checksums, so you can be sure
that what you're running is what the author intended.

~~~
rhymeswithcycle
... if you're getting the checksum from a trusted source that is separate from
the package distribution server, or if the checksum is cryptographically
signed.

But I've never seen people get up in arms about someone publishing, say, a
github link to some code that isn't accompanied by a checksum signed with a
published PGP key you deem trustworthy.

~~~
jcapote
Right, because a single git clone can't rm -rf your drive. A single "| sh"
can, which is the point.

~~~
tlrobinson
And what's the first thing people do after cloning a project they want to try
out? Some might read all of the code, most will just run "./configure" or
"make" or "rake" or "script/server" or whatever. All of which can execute
arbitrary code.

Piping a file to a shell isn't inherently less secure than downloading a zip
or cloning a repo and blindly executing something from it.

I'm willing to bet the majority of people who are complaining about the "curl
URL | sh" trick also regularly download and execute code without verifying it
won't own them.

------
burke
Give me one reason why this is worse than downloading an unsigned binary from
the same site.

It's not.

Yes, the user-agent sniffing is clever, but it's circumventing a security
precaution that isn't even possible with a binary installer.

More discussion here: <http://news.ycombinator.com/item?id=2420648>

------
tlrobinson
Do you inspect the source code of every program you download? Do you decompile
and reverse engineer the closed source ones? At some point you have to trust
the developer isn't doing anything nasty, and be careful about where you get
your software from.

~~~
jcapote
This argument is not about trusting or not trusting code. It's about piping
web output blindly into a shell, which is an insecure technique, no matter how
much you trust the author or web site.

~~~
tlrobinson
Remind me why it's more "insecure" than downloading a zip from a website and
blindly running an executable inside it?

------
jarin
Hmm, I usually like to prove my point without engaging in copyright
infringement.

------
sandofsky
Go ahead and view the source. Try to spot the hack.

It's harmless to run.

~~~
jcapote
The "hack" is when someone roots their server and makes it return "rm -rf ~".
Even if it's the most secure server ever, it's still a bad technique, IMO.

~~~
michh
If they're distributing .dmgs or .exes and their server gets rooted the result
is exactly the same.

And if the download and webpage are hosted on the same machine (like,
practically always) the checksum won't help you either.

If you want to run third-party stuff and aren't willing to look at every little
assembly instruction, at some point you're going to have to trust somebody.

Of course this can just be Apple (app store) or the Debian/insert-distro-here
guys (only run code that's from apt packages from the official repositories).

I'll just take the occasional risk.
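A defender's version of the pattern the thread argues about, as an added example that is not part of the thread: save the script to a file, check its SHA-256 against a digest obtained through a channel separate from the download host, and only then read and run it. It assumes curl, mktemp and sha256sum (or BSD shasum) are installed; the installer script and digest in demo() are constructed for the example.

```shell
#!/bin/sh
# Safer form of the pattern discussed above: save, verify, read, then run,
# instead of feeding whatever the server returns straight into sh.
# The script and digest in demo() are constructed for this example.

# sha256_of FILE -> hex digest, using GNU sha256sum or BSD shasum
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_script FILE EXPECTED_HEX -> 0 on match, 1 otherwise.
# EXPECTED_HEX must come from a channel separate from the download host,
# or (as the thread notes) a rooted server simply serves a matching pair.
verify_script() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ] && return 0
  echo "refusing $1: digest $actual != expected $2" >&2
  return 1
}

# fetch_verify_run URL EXPECTED_HEX -> download to a file, verify, execute.
# curl -f turns HTTP errors into a failure so an error page is never run.
fetch_verify_run() {
  tmp=$(mktemp) || return 1
  curl -fsSL -o "$tmp" "$1" || { rm -f "$tmp"; return 1; }
  if verify_script "$tmp" "$2"; then sh "$tmp"; rc=$?; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# Offline demonstration with a harmless constructed installer script.
demo() {
  f=$(mktemp)
  printf 'echo hello from installer\n' > "$f"
  expected=$(sha256_of "$f")            # stands in for an out-of-band digest
  verify_script "$f" "$expected" && echo "digest ok, safe to inspect and run"
  printf 'echo tampered\n' >> "$f"      # simulate a swapped payload
  verify_script "$f" "$expected" 2>/dev/null || echo "tamper detected"
  rm -f "$f"
}

demo
```

The digest check only adds anything when the expected value did not travel over the same connection as the script, which is the point michh makes above.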

------
wiredfool
I see what you did there. (though, doesn't work with wget)

