18 comments

[ 5.6 ms ] story [ 51.2 ms ] thread
Go ahead and view the source. Try to spot the hack.

It's harmless to run.

The "hack" is when someone roots their server and makes it return "rm -rf ~". Even if it's the most secure server ever, it's still a bad technique, IMO.
Even `sudo rm -Rf /` with the password prompt in terminal would probably catch a few people unaware.
If they're distributing .dmgs or .exes and their server gets rooted the result is exactly the same.

And if the download and webpage are hosted on the same machine (like, practically always) the checksum won't help you either.

If you want to run third-party stuff and not willing to look at every little assembly instruction at one point you're going to have to trust somebody.

Of course this can just be Apple (app store) or the Debian/insert-distro-here guys (only run code that's from apt packages from the official repositories).

I'll just take the occasional risk.

This is not a counter-argument. You can't read every line of code that this will run every single time you go to run it. Unless you're very skilled and focused, you may miss a hack that's been cleverly disguised.

Executing a `rm -rf /` is not hard to do, and you wouldn't even see that text in a program. Basically you're depending on the statistical probability that if there is a hack, someone else will get hit before you and it can be identified and resolved before everyone is affected. Someone has to take one for the herd.

I see what you did there. (though, doesn't work with wget)
Hmm, I usually like to prove my point without engaging in copyright infringement.
How is this the slightest bit different than faking a site and altering the binary/source package on the other end of a regular old Download link?

(edit: Oh. You're doing user-agent sniffing for curl. Fair enough, but this still isn't any less secure than downloading and executing a binary.)

This is why most packages are distributed with checksums, so you can be sure that what you're running is what the author intended.
... if you're getting the checksum from a trusted source that is separate from the package distribution server, or if the checksum is cryptographically signed.

But I've never seen people get up in arms about someone publishing, say, a github link to some code that isn't accompanied by a checksum signed with a published PGP key you deem trustworthy.

Right, because a single git clone can't rm -rf your drive. A single "| sh", can, which is the point.
And what's the first thing people do after cloning a project they want to try out? Some might read all of the code, most will just run "./configure" or "make" or "rake" or "script/server" or whatever. All of which can execute arbitrary code.

Piping a file to a shell isn't inherently less secure than downloading a zip or cloning a repo and blindly executing something from it.

I'm willing to bet the majority of people who are complaining about the "curl URL | sh" trick also regularly download and execute code without verifying it won't own them.

I was looking for something in the shell script that was nefarious rather than the obvious "explicitly downloading and running things is a bad idea".

A good example of the fake downloads can be found with people running ads for VLC that link to their malware/adware invested versions (presumably, I've never actually bothered to investigate them).

the user-agent sniffing is a pretty neat trick.

if people catch on to that and start checking with curl first, you could even serve the friendly content the first time someone fetches it with curl.

Do you inspect the source code of every program you download? Do you decompile and reverse engineer the closed source ones? At some point you have to trust the developer isn't doing anything nasty, and be careful about where you get your software from.
This argument is not about trusting or not trusting code. It's about piping web output blindly into a shell, which is an insecure technique, no matter how much you trust the author or web site.
Remind me why it's more "insecure" than downloading a zip from a website and blindly running an executable inside it?
Give me one reason why this is worse than downloading an unsigned binary from the same site.

It's not.

Yes, the user-agent sniffing is clever, but it's circumventing a security precaution that isn't even possible with a binary installer.

More discussion here: http://news.ycombinator.com/item?id=2420648