curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • knexcar@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    17 hours ago

    What does curl even do? Unstraighten? Seems like any other command I’d blindly paste from an internet thread into a terminal window to try to get something on Linux to work.

    • irelephant [he/him]🍭@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 hours ago

      curl sends requests, curl lemmy.world would return the html of lemmy.worlds homepage. piping it into bash means that you are fetching a shell script, and running it.

      • easily3667@lemmus.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 hours ago

        I think he knows but is commenting on the pathetic state of security culture on Linux. (“Linux is secure so I can do anything without concerns”)

        • What URLs is it not a client for? As far as I understand it will pull whatever data is presented by whatever URL. cURL doesn’t really care about protocol being http, you can use it with FTP as well, and I haven’t tested it yet but now that I’m curious I wanna see if it works for SMB