curl | sh # considered harmful
Posted by Humdaak_9000@reddit | ExperiencedDevs | 22 comments
I am so goddamned sick of software whose maintainers think this is an acceptable installation method.
Step one: pull down your pants and expose your asshole to our team of 12-year-old specialists ...
TehBens@reddit
The world of software development is built on trust. Who checks the transitive dependencies of all used packages? Who has never done "just a quick pip install x, looks legit enough, judging from the git and docs"? How many have never done anything else?
Truth is, you run a bunch of unaudited code all the time. That curl | bash combo is just a tiny bit more obvious. One could argue that it's at least clear that you are going to execute arbitrary code, and you will of course instead download the code, review it and then (maybe) execute it.
So, not even sure why you are complaining. Who are you not trusting here? If you don't trust the maintainers you shouldn't use the software to begin with.
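The "download it, review it, then (maybe) execute it" workflow that the comment above alludes to, as an added example that is not code from the thread or from any project mentioned in it. It assumes a POSIX sh with curl and either sha256sum or shasum, and it assumes you have an expected SHA-256 digest obtained out of band (a signed checksum file, release notes, a second channel); the URL and digest in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: fetch an installer to disk, pin its digest, read it, then run it.
# Assumptions: POSIX sh, curl, and sha256sum (or shasum -a 256 as a fallback).

# fetch_installer URL DEST
# Download to a file instead of a pipe. -f fails on HTTP errors, -L follows
# redirects, --proto '=https' refuses plain http even after a redirect, and
# --tlsv1.2 sets a floor on the TLS version.
fetch_installer() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# file_digest FILE
# Prints the SHA-256 of FILE, using whichever tool is present.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_digest FILE EXPECTED_SHA256
# Returns 0 only if the file's digest matches the pinned value. A server that
# serves different bytes to curl than to a browser, or a poisoned mirror, is
# caught here before anything executes.
verify_digest() {
    [ "$(file_digest "$1")" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256 [INTERPRETER]
# Executes the script only after the digest check passes. Because the script
# is a file on disk you can read it first and keep it afterwards as an audit
# trail, which a pipe never gives you.
run_verified() {
    file=$1
    expected=$2
    interp=${3:-sh}
    if ! verify_digest "$file" "$expected"; then
        echo "refusing to run $file: digest mismatch" >&2
        return 1
    fi
    "$interp" "$file"
}

# Usage (placeholder URL and digest, assumed for illustration):
#   fetch_installer https://example.invalid/install.sh ./install.sh
#   less ./install.sh            # actually read it
#   run_verified ./install.sh 3b4e...pinned-digest...
```

The point of the digest step is not that a hash proves the script is benign, but that what you reviewed is exactly what you run, and that the same bytes are what everyone else who pinned that digest got.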
Humdaak_9000@reddit (OP)
Do you pay any attention to the Node ecosystem?
Tacos314@reddit
Well that's a dumb post, you could just not pipe to sh and run it after review.
kommuni@reddit
The main points are that curl will stream to hijack the shell process and you can disguise the output. That's very worrying because it means that if you got owned you wouldn't even know about it.
Hixie@reddit
can you elaborate?
kommuni@reddit
Sure; the scenario in the article is a pretty good one: a host for a common dependency gets poisoned. It could be uv or nvm, for example. Most people are not gonna know that they are committing a grave security mistake by following the directions on a readme for a very common package. If you had the foresight to keep the file then at least there's somewhat of a footprint and you can retroactively detect it, even if you can't do much about it. This is worse: how do you even know if you've been compromised? You don't, that's how.
Hixie@reddit
If you're worried about the host of a dependency being poisoned, I don't see why curl|sh matters.
SecretAgentKen@reddit
While I agree in principle, practically speaking there's no difference between doing a "curl | sh" from a github repo vs installing a deb/rpm from that same repo or cloning/building/installing. If you don't trust the source then why are you using anything from them?
That said, if it's curl from an http instead of https then you deserve what you get.
Alborak2@reddit
RPM at least has package signing so we can pretend to validate what we install.
Hixie@reddit
so does https. If you trust the package to be signed correctly, why not the HTTP connection?
new2bay@reddit
Key word being “pretend.” If you don’t audit the code, you’re still subjecting yourself to third party software potentially compromising your system, the same as ‘curl | bash’.
Humdaak_9000@reddit (OP)
I don't install debs from Bob's Software Repo if I absolutely can't help it. I'll build it myself and install locally. That's already a reeking Code Smell.
If the instructions for building it locally involve piping to a shell, that's more code stench.
Kids these days. It's no wonder all the world is a fucking exploit.
jnwatson@reddit
And I'm sure you've reviewed every line of your SSD firmware too.
You've picked a completely arbitrary line above which you don't trust the code. Just because other folks draw different lines doesn't mean they are inferior.
daltorak@reddit
You're scared of the installer but you're not scared of the application it installs?
You sure you've thought this one through?
ketralnis@reddit
Yeah bro your curl|bash will work great in my k8s alpine docker base image with a readonly root and pinned libc cached by artefactory with three different versions of python and node that you don’t have config for with reproducible build and package version requirements from my compliance team that needs to be supported for 3 kernel versions in 2 different hosting providers and no internet routable network with SLA stronger than your digital ocean droplet. Much better than a makefile that produces a binary.
fixermark@reddit
Your makefiles produce binaries?
Mine only ever crash on some obscure dependency the author didn't know wasn't universally installed.
ExperiencedDevs-ModTeam@reddit
Rule 9: No Low Effort Posts, Excessive Venting, or Bragging.
Using this subreddit to crowd source answers to something that isn't really contributing to the spirit of this subreddit is forbidden at moderator's discretion. This includes posts that are mostly focused around venting or bragging; both of these types of posts are difficult to moderate and don't contribute much to the subreddit.
IronSavior@reddit
Ambiguous. Are your specialists experts on 12 year olds or are they 12 years old?
DonaldStuck@reddit
You're mad obviously. Did something bad happen? Tell us!
Muhznit@reddit
Amen. Like even though there's legit software that uses that method, fuck those guys because I shouldn't have to read the script to figure out how to fully-uninstall it
ButThatsMyRamSlot@reddit
The web server can detect when curl is piping to bash, so it can present different content in your browser vs when you pipe.
https://lukespademan.com/blog/the-dangers-of-curlbash/
tetryds@reddit
How come you are concerned about arbitrary code execution? That's clearly a skill issue