Ask HN: Why is curl | sh so frowned upon?
I'd like to know why curl | sh is so frowned upon on community forums. Is the risk of being compromised with curl | sh higher than wget; sh?
When I install software the normal way (without curl | sh), I don't audit the complete source code of the software anyway. So in either case I have to trust the domain that is serving me the software.
Then if curl | sh is frowned upon, should wget and sh and other ways of installing software be also frowned upon?
14 comments
[ 4.2 ms ] story [ 41.1 ms ] threadAFAIK, it’s not “piping to a shell” that can be detected, but the use of curl. That is trivial to do by looking at the user agent string. I don’t know whether it can also be done if that is spoofed using -A "user agent". Doing that makes that curl | sh command a lot less nice, though.
https://web.archive.org/web/20230325190353/https://www.idont...
[original article has an expired cert]
They typically rely on the fact that the downloaded source code is being executed as it is being downloaded so you can leave things like "sleep 5" and detect the delay in fetching from the client.
The best thing to do is to download first and then execute.
Also good installer scripts first define a function and then call the function at the very end of the script so that they don't half-execute some function in case the network connection is disrupted.
A malicious host (or a malicious actor who has compromised a trusted host) can detect that you're piping to bash in a few ways, and then by modifying the response, they're executing commands undetectably outside your shell history, potentially setting up reverse shells, installing rootkits etc.
If you're doing it in a sealed environment... Still yikes honestly. I would prefer acquiring software from auditable sources.
At least if you download the file before you run it, you can check the checksum / do a sanity check of the file before you run it, as others have mentioned.
But nobody is saying or has ever said that it has anything at all to do with the download tool. Piping wget versus curl makes zero difference. Also, suggesting that installing via sh is a related issue is completely incorrect thinking. You might as well suggest that using a keyboard on your computer can be frowned upon since doing things on a keyboard could lead to compromise. The statement is true, but ridiculous and not helpful.
It's just not great from a security and trust point of view.
It's also important to remember that bit-squatting is a thing, and just because you think you're making a request to github.com doesn't mean you are, a bit might flip from gamma rays or heat and you end up requesting a shell script from jithub that can now straight own your machine.
Use an `http` url or ignore cert warnings? the great firewall of china or someone who's owned the cafe you are sitting in can own your machine.
It also sidesteps the hygiene of checksumming the resources you download to ensure that the thing you downloaded is what you expected to download.
copy pasting things from the web and putting them on your terminal is also considered insecure: https://www.wizer-training.com/blog/copy-paste
That's also ignoring that you can curl the wrong url and then pass a whole lot of crap to sh.
Here's a HN post on the topic that doesn't necessarily agree with me: https://news.ycombinator.com/item?id=12766049