this post was submitted on 13 Mar 2025
276 points (96.6% liked)

Linux

6466 readers
682 users here now

A community for everything relating to the GNU/Linux operating system

Also check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
 

curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What's stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don't we have something better than "sh" for this? Something with less power to do harm?

(page 3) 50 comments
sorted by: hot top controversial new old
[–] aldarch3@mastodon.nz 10 points 2 days ago
[–] swizzlestick@lemmy.zip 9 points 2 days ago

It's convenience over security, something that creeps in anywhere there is popularity. For those who just want x or y to work without needing to spend their day in the terminal - they're great.

You'd expect these kinds of script to be well tested against their targets and for the user to have/identify the correct target. Their sources should at least point out the security issue and advise to grab and inspect before straight up piping it though. Some I have seen do this.

Running them like this means you put 100% trust in the author, the source and your DNS. Not a big ask for some. Unthinkable for others.

[–] rah@feddit.uk 7 points 2 days ago

How is that safe?

It's not, it's a sign that the authors don't take security seriously.

If you use this

I never do.

[–] BOFH@feddit.uk 7 points 2 days ago* (last edited 2 days ago) (1 children)

What's stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

You're not wrong, but there's an element of trust in anything like this and it's all about your comfort level. How can you truly trust any code you didn't write and complie yourself. Actually, how do you trust the compiler.

And let's be honest, even if you trust my code implicitly (Hey, I'm a bofh, what could go wrong?) then that simply means that you're trusting me not to do anything malicious to your system.

Even if your trust is well-placed in that regard, I don't need to be malicious to wipe your system or introduce a configuation error that makes you vulnerable to others, it's perfectly possible to do all that by just being incompetent. Or even being a normally competent person who was just having a bad day while writing the script you're running now. Ooops.

[–] possiblylinux127@lemmy.zip 1 points 1 day ago

This is the primary goal of distros these days.

[–] c10l@lemmy.world 7 points 2 days ago (1 children)

To answer the question, no - you’re not the only one. People have written and talked about this extensively.

Personally, I think there’s a lot more nuance to the answer. Also a lot has been written about this.

You mention “communities that are security conscious”. I’m not sure in which ways you feel this practice to be less secure than alternatives. I tend to be pretty security conscious, to the point of sometimes being annoying to my team mates. I still use this installation method a lot where it makes sense, without too much worry. I also skip it other times.

Without knowing a bit more about your specific worries and for what kinds of threat you feel this technique is bad, it’s difficult to respond specifically.

Feel is fine, and if you’re uncomfortable with something, the answer is generally to either avoid it (by reading the script and executing the relevant commands yourself, or by skipping using this software altogether, for instance), or to understand why you’re uncomfortable and rationally assess whether that feeling is based on reality or imagination - or to which degree of each.

As usual, the real answer is - it depends.

[–] cschreib@programming.dev 2 points 1 day ago

Thank you for the nuanced answer!

You ask why I feel this is less secure: it seems the lowest possible bar when it comes to controlling what gets installed on your system. The script may or may not give you a choice as to where things get installed. It could refuse to install or silently overwrite stuff if something already exists. If install fails, it may or may not leave data behind, in directories I may or may not know about. It may or may not run a checksum on the downloaded data before installing. Because it's a competely free-form script, there is no standard I can expect. For an application, I would read the documentation to learn more, but these scripts are not normally documented (other than "use this to install"). That uncertainty, to me, is insecure/unsafe.

[–] possiblylinux127@lemmy.zip 3 points 1 day ago

Just use a VM or container for installing software. It can go horribly wrong in a isolated place.

[–] mesamunefire@piefed.social 4 points 2 days ago

I usually just take a look at the code with a get request. Then if it looks good, then run manually. Most of the time, it's fine. Sometimes there's something that would break something on the system.

I haven't seen anything explicitly nefarious, but it's better to be safe than sorry.

[–] ricdeh@lemmy.world 5 points 2 days ago (1 children)

Can you not just run the curl or wget without piping it into bash, first? This way you could inspect what the script wants to do.

[–] cschreib@programming.dev 1 points 1 day ago

I do, but some of these scripts are quite complex and hard to parse. When all I would really need to do this myself is a direct download URL and unzip/untar in a folder of my choice, it's a pain.

[–] RoyaltyInTraining@lemmy.world 4 points 2 days ago (2 children)

I always try to avoid these, unless the application I'm installing has it's own package management functionality, like Rustup or Nix. Everything else should be handled by the system package manager.

[–] possiblylinux127@lemmy.zip 1 points 1 day ago* (last edited 1 day ago)

Use containers for installing things.

It is sandboxed and controllable by you

[–] cschreib@programming.dev 1 points 1 day ago

Ironically, it is rustup that triggered me with this most recently... https://www.rust-lang.org/tools/install

[–] LodeMike@lemmy.today 4 points 2 days ago
[–] Scoopta@programming.dev 2 points 2 days ago (1 children)

I also feel incredibly uncomfortable with this. Ultimately it comes down to if you trust the application or not. If you do then this isn't really a problem as regardless they're getting code execution on your machine. If you don't, well then don't install the application. In general I don't like installing applications that aren't from my distro's official repositories but mostly because I like knowing at least they trust it and think it's safe, as opposed to any software that isn't which is more of an unknown.

Also it's unlikely for the script to be malicious if the application is not. Further, I'm not sure a manual install really protects anyone from anything. Inexperienced users will go through great lengths and jump through some impressive hoops to try and make something work, to their own detriment sometimes. My favorite example of this is the LTT Linux challenge. apt did EVERYTHING it could think to do to alert that the steam package was broken and he probably didn't want to install it, and instead of reading the error he just blindly typed out the confirmation statement. Nothing will save a user from ruining their system if they're bound and determined to do something.

[–] Scary_le_Poo@beehaw.org 2 points 1 day ago (1 children)

In this case apt should have failed gracefully. There is no reason for it to continue if a package is broken. If you want to force a broken package, that can be it's own argument.

[–] Scoopta@programming.dev 2 points 1 day ago

I'm not sure that would've made a difference. It already makes you go out of your way to force a broken package. This has been discussed in places before but the simple fact of the matter is a user that doesn't understand what they're doing will perservere. Putting up barriers is a good thing to do to protect users, spending all your time and effort to cover every edge case is a waste of time because users will find ways to shoot themselves in the foot.

[–] communism@lemmy.ml 2 points 2 days ago

Just direct it into a file, read the script, and run it if you're happy. It's just a shorthand that doesn't require saving the script that will only be used once.

[–] jagged_circle@feddit.nl 0 points 1 day ago

So basically the install instructions for Lemmy? No Lemmy data is safe.

[–] nous@programming.dev 2 points 2 days ago (1 children)

Most packages managers can run arbitrary code on install or upgrade or removal. You are trusting the code you choose to run on your system no matter where you get it from. Remember the old bug in ubuntu that ran a rm -rf / usr/.. instead of rm -rf /usr/... and wiped a load of peoples systems?

Flatpacks, Apparmor and snaps are better in this reguard as they are somewhat more sandboxed and can restrict what the applications have access to.

But really if the install script is from the authors of the package then it should be just as trustworthy as the package. But generally I download and read the install scripts as there is no standard they are following and I don't want them touching random system files in ways I am not aware of or cannot undo easily. Sometimes they are just detecting the OS and picking relevant packages to install - maybe with some thrid party repos. Other times they mess with your home partition and do a bunch of stuff including messing with bashrc files to add things to your PATH which I don't like. I would never run a install script that is not from the author of the application though and be very wary of install scripts from a smaller package with fewer users.

[–] jagged_circle@feddit.nl 1 points 1 day ago

No serious distro package manager doesn't require cryptographic signatures in 2025.

Software deep managers are all rubbish except for maven

[–] trashgirlfriend@lemmy.world 1 points 2 days ago (2 children)

Am I the only one who cringes when I have to update my system?

How do I know the maintainers of the repo haven't gone rogue and are now distributing malware?

DAE get anxious when running code on computer?

I think for the sake of security we should just use rocks, stones, and such to destroy all computers, as this would prevent malicious software from being executed.

[–] rah@feddit.uk 6 points 2 days ago (3 children)

How do I know the maintainers of the repo haven't gone rogue and are now distributing malware?

Depends on the repo but at least for Debian, there's a path of trust between GPG keys I've signed and the Debian release GPG keys.

load more comments (3 replies)
load more comments (1 replies)
[–] gigachad@sh.itjust.works 1 points 2 days ago (1 children)

Absolutely. Wanted to try out the famous Python management tool UV last week, installation instruction is like this:

curl -LsSf https://astral.sh/uv/install.sh | sh

Yeah, no thank you.

[–] possiblylinux127@lemmy.zip 1 points 1 day ago* (last edited 1 day ago)

Is available via pip? You could use venv

load more comments
view more: ‹ prev next ›