curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • gaylord_fartmaster@lemmy.world
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    6 hours ago

    If you can’t review a bash script before running it without having an unnecessarily complex one-liner provided to you to do so, then it doesn’t matter because you aren’t going to be able to adequately review a bash script anyway.

    • rah@feddit.uk
      link
      fedilink
      English
      arrow-up
      1
      ·
      37 minutes ago

      If you can’t review a bash script before running it without having an unnecessarily complex one-liner provided to you

      Providing an easily copy-and-pastable one-liner does not imply that the reader could not themselves write such a one-liner.

      Having the capacity to write one’s own commands doesn’t imply that there is no value in having a command provided.

      unnecessarily complex

      LOL