from Hacker News

Protect yourself from the hidden dangers of `curl – sh`

by stevejalim on 9/29/14, 8:47 PM with 33 comments

  • by snuxoll on 9/29/14, 9:34 PM

    I've seen this same argument time and time again and it's just silly. We preach that curl | sh is evil because of a potential lack of "transparency" but rarely does anyone denounce the evils of binary packages.

    When you run third-party code on your system there is ALWAYS a risk of it doing nasty things, it doesn't matter if it's an easily readable bash script or a .deb you downloaded. The biggest argument I see about curl | sh that I can agree with is the issues that happens when your connection dies in the middle of the download. Just download the file, then run it.

  • by 0x0 on 9/29/14, 9:20 PM

    There are other risks besides malicious webservers. Even an accidental network glitch can be fatal, for example if the connection is dropped after the first "/" here:

    rm -rf /tmp/myawesomeinstaller

  • by carlsverre on 9/29/14, 10:10 PM

    I don't understand why you would go through all of this effort...

    Just dump the data into a file:

    curl > foobar

    Read the file using any number of normal utilities

    vim foobar

    cat foobar

    nano foobar

    less foobar

    Then if you like what you see execute the file

    sh foobar

    Linux/Unix utilities are meant to be used. Don't limit yourself to only knowing how to check the contents of a curl install if you have a curlsh function.

  • by e12e on 9/30/14, 2:55 AM

    I'd say apply the same level of scrutiny as you would other code, such as the code that your distribution allows you to install. That means:

        1) Find a source you trust (nominally)
    2) Get a gpg-key that you trust belong to that user
    3) Get the install.sh script
    4) Get the matching gpg signature (install.sh.asc)
    5) Verify that 4) is a valid signature of 3) under 2)
    6) Have a look at the script
    7) Run the script
    If you can't establish 2), you'll just have to stick to 3) 6) and 7).

    Seeing that something is on a https site, just means someone had the access to put it there. If someone got access to the private key behind 2) -- 1) is probably so compromised that there isn't anything other than 6) that might protect you -- and if the script is truly malicious (as opposed to just your average botched bash script) -- it's not guaranteed that it's obviously malicious.

    Anyway, a gpg signature links some distributable the author has verified all the way back to wherever that file was authored -- while https only anchors trust on the web server. Web servers get compromised all the time. Prefer a proper signature as a means to anchor trust ("yes, this is probably what X wanted to distribute. If you trust X, this is probably OK").

    A https signature just means: "This is something someone/anyone managed to upload to this web server".

  • by meowface on 9/29/14, 11:03 PM

    If you don't want to bother with all this you can also just do a simple `wget http://site.com/file.sh -O /tmp/script`, look through it in your editor, then run it.

  • by peterwaller on 9/29/14, 9:41 PM

    Another method to protect against malformed output due to the connection being cut short - "shell armour":

    http://drj11.wordpress.com/2014/03/19/piping-into-shell-may-...

      { echo { && curl https://thing && echo } ; } | sh

  • by jiggy2011 on 9/29/14, 9:34 PM

    Is this any different from downloading and running software without reading the source code?

  • by Igglyboo on 9/29/14, 10:53 PM

    Is this really a "hidden" danger? It's pretty obvious that you shouldn't execute a script without reading it unless it's from a trusted source over https.

  • by silvestre on 9/30/14, 8:09 AM

    Protect yourself by only using apt-get and packaging open source software yourself if isn't already packaged.

  • by retr0h on 9/30/14, 3:38 AM

    I don't see much reason for ever needing to do this. Should build packages to install software, and use config management for anything needed outside the package.

  • by Dylan16807 on 9/30/14, 12:43 AM

    Don't forget that you can't even copy and paste a url safely, because there might be hidden text halfway through.

  • by iancarroll on 9/29/14, 8:58 PM

    If you can't install software to your box for whatever reason, just replace sh with cat or nano and read it.

  • by _hnwo on 9/30/14, 5:53 AM

    Protect yourself from the hidden dangers of `curl <url> | sh`

    ... by running this script i'm hosting on the internet.

  • by jamiesonbecker on 9/30/14, 4:08 PM

    Any "risk" is canceled by simply using HTTPS.