Linux

| sh stands for shake head at bad practices

Yeah I hate this stuff too, I usually pipe it into a file figure out what it's doing and manually install the program from there.

FWIW I've never found anything malicious from these scripts but my internal dialogue starts screaming when I see these in the wild, I don't want to run some script and not know what it's touching malicious or not it's a PITA.

As a linux user, I like to know what's happening under the hood as best I can and these scripts go against that

You have the option of piping it into a file instead, inspecting that file for yourself and then running it, or running it in some sandboxed environment. Ultimately though, if you are downloading software over the internet you have to place a certain amount of trust in the person your downloading the software from. Even if you're absolutely sure that the download script doesn't wipe your home directory, you're going to have to run the program at some point and it could just as easily wipe your home directory at that point instead.

What's stopping the downloaded script from wiping my home directory?

What's stopping any Makefile, build script, or executable from running rm -rf ~? The correct answer is "nothing". PPAs are similarly open, things are a little safer if you only use your distro's default package sources, but it's always possible that a program will want to be able to delete something in your home directory, so it always has permission.

Containerized apps are the only way around this, where they get their own home directory.

This is simpler than the download, ./configure, make, make install steps we had some decades ago, but not all that different in that you wind up with arbitrary, unmanaged stuff.

Preferably use the distro native packages, or else their build system if it's easily available (e.g. AUR in Arch)

I think safer approach is to:

1. Download the script first, review its contents, and then execute.
2. Ensure the URL uses HTTPS to reduce the risk of man-in-the-middle attacks

https://sysdig.com/blog/friends-dont-let-friends-curl-bash/
https://www.seancassidy.me/dont-pipe-to-your-shell.html
https://web.archive.org/web/20200131173255/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
https://github.com/Iossefy/curl-shell-pipe

You shouldn't install software from someone you don't trust anyway because even if the installation process is save, the software itself can do whatever it has permission to.

"So if you trust their software, why not their install script?" you might ask. Well, it is detectable on server side, if you download the script or pipe it into a shell. So even if the vendor it trustworthy, there could be a malicious middle man, that gives you the original and harmless script, when you download it, and serves you a malicious one when you pipe it into your shell.

And I think this is not obvious and very scary.

I usually read it first.

Unpopular opinion, these are handy for quickly installing in a new vm or container (usually throwaway) where one don't have to think much unless the script breaks. People don't install thing on host or production multiple times, so anything installed there is usually vetted and most of the times from trusted sources like distro repos.

For normal threat model, it is not much different from downloading compiled binary from somewhere other than well trusted repos. Windows software ecosystem is famously infamous for exactly the same but it sticks around still.

The security concerns are often overblown. The bigger problem for me is I don't know what kind of mess it's going to make or whether I can undo it. If it's a .deb or even a tarball to extract in /usr/local then I know how to uninstall.

I will still use them sometimes but for things I know and understand - e.g. rustup will put things in ~/.rustup and update the PATH in my shell profile and because I know that's what it does I'm happy to use the automation on a new system.

It's not much different from downloading and compiling source code, in terms of risk. A typo in the code could easily wipe home or something like that.

Obviously the package manager repo for your distro is the best option because there's another layer of checking (in theory), but very often things aren't in the repos.

The solution really is just backups and snapshots, there are a million ways to lose files or corrupt them.

For security reasons, I review every line of code before it’s executed on my machine.

Before I die, I hope to take my ‘93 dell optiplex out of its box and finally see what this whole internet thing is about.

Well yeah ... the native package manager. Has the bonus of the installed files being tracked.

It isn’t more dangerous than running a binary downloaded from them by any other means. It isn’t more dangerous than downloaded installer programs common with Windows.

TBH macOS has had the more secure idea of by default using sandboxes applications downloaded directly without any sort of installer. Linux is starting to head in that direction now with things like Flatpak.

If you're worried, download it into a file first and read it.

This is just normal Linux poor security. Even giants like docker do this.

@cschreib
No.

It's convenience over security, something that creeps in anywhere there is popularity. For those who just want x or y to work without needing to spend their day in the terminal - they're great.

You'd expect these kinds of script to be well tested against their targets and for the user to have/identify the correct target. Their sources should at least point out the security issue and advise to grab and inspect before straight up piping it though. Some I have seen do this.

Running them like this means you put 100% trust in the author, the source and your DNS. Not a big ask for some. Unthinkable for others.

Back up your data folks. You're probably more likely to accidentally rm -rf yourself than download a script that will do it.

Those just don't get installed. I refuse to install stuff that way. It's to reminiscent of installing stuff on windows. "Pssst, hey bud, want to run this totally safe executable on your PC? It won't do anything bad. Pinky promise". Ain't happening.

The only exception I make is for nix on non-nixos machines because thwt bootstraps everything and I've read that script a few times.

Anti Commercial-AI license