curl https://some-url | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

    • thomask@lemmy.sdf.orgEnglish
      10·
      16 hours ago

      So tell me: if I download and run a bash script over https, or a .deb file over https and then install it, why is the former a “security nightmare” and the latter not?

      • jagged_circle@feddit.nlEnglish
        2·
        5 hours ago

        Both are a security nightmare, if you’re not verifying the signature.

        You should verify the signature of all things you download before running it. Be it a bash script or a .deb file or a .AppImage or to-be-compiled sourcecode.

        Best thing is to just use your Repo’s package manager. Apt will not run anything that isn’t properly signed by a package team members release PGP key.

      • rocky_patriotEnglish
        2·
        7 hours ago

        For example: A compromised host could detect whether you are downloading the script or piping it.

    • FizzyOrange
      11·
      8 hours ago

      No it isn’t. What could a Bash script do that the executable it downloads couldn’t do?