this post was submitted on 13 Mar 2025
275 points (96.6% liked)

Linux

curl https://some-url/ | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What's stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don't we have something better than "sh" for this? Something with less power to do harm?

(page 2) 50 comments
[–] ulterno@programming.dev -1 points 2 months ago

I don't cringe. Just instinctively Ctrl+W

[–] Boomkop3@reddthat.com 3 points 2 months ago

And don't forget to sudo!

[–] ExperimentalGuy@programming.dev 13 points 2 months ago

If you're worried, download it into a file first and read it.

[–] Artyom@lemm.ee 41 points 2 months ago (1 children)

What's stopping the downloaded script from wiping my home directory?

What's stopping any Makefile, build script, or executable from running rm -rf ~? The correct answer is "nothing". PPAs are similarly open; things are a little safer if you only use your distro's default package sources, but it's always possible that a program will want to be able to delete something in your home directory, so it always has permission.

Containerized apps are the only way around this, where they get their own home directory.

[–] tatterdemalion@programming.dev 6 points 2 months ago (1 children)

Back up your data folks. You're probably more likely to accidentally rm -rf yourself than download a script that will do it.

[–] jagged_circle@feddit.nl 0 points 2 months ago

So basically the install instructions for Lemmy? No Lemmy data is safe.

[–] jagged_circle@feddit.nl 6 points 2 months ago* (last edited 2 months ago) (3 children)

I don't just cringe, I open a bug report. You can be the change to fix this.

[–] thomask@lemmy.sdf.org 16 points 2 months ago* (last edited 2 months ago) (1 children)

The security concerns are often overblown. The bigger problem for me is I don't know what kind of mess it's going to make or whether I can undo it. If it's a .deb or even a tarball to extract in /usr/local then I know how to uninstall.

I will still use them sometimes but for things I know and understand - e.g. rustup will put things in ~/.rustup and update the PATH in my shell profile and because I know that's what it does I'm happy to use the automation on a new system.

[–] jagged_circle@feddit.nl 6 points 2 months ago (2 children)

Damn that's bad misinformation. It's a security nightmare

[–] FizzyOrange@programming.dev 1 points 2 months ago (14 children)

No it isn't. What could a Bash script do that the executable it downloads couldn't do?

[–] thomask@lemmy.sdf.org 11 points 2 months ago* (last edited 2 months ago) (6 children)

So tell me: if I download and run a bash script over https, or a .deb file over https and then install it, why is the former a "security nightmare" and the latter not?

[–] rocky_patriot@programming.dev 2 points 2 months ago (1 children)

For example: A compromised host could detect whether you are downloading the script or piping it.
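The two defensive points raised above (download to a file and read it before running; a host that behaves differently for a piped download than for a saved one) both come down to one practice: make the file you inspect the file you run, and tie it to a digest obtained from somewhere other than the download itself. The script below is an added example and is not code from this thread or from any project it mentions; the URL, the expected digest and the sample installer in demo() are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from this thread or any project it mentions:
# stage the installer on disk, pin it to a SHA-256 the vendor publishes out
# of band, surface lines worth a second look, and only then run it.
# The URL, digest and paths in demo() are placeholders/constructed.
set -eu

# 1. Download to a file instead of into sh. --fail refuses to save an HTTP
#    error page as if it were the script; --proto '=https' rejects any
#    redirect that drops to plain HTTP.
fetch_to_file() {
    curl --fail --silent --show-error --location --proto '=https' \
         --output "$2" "$1"
}

# 2. The file you inspect is the file you run: a server that serves one
#    body to a browser and another to a pipe gains nothing once the
#    staged copy has to match a digest obtained elsewhere.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# 3. Heuristic review aid, not a sandbox: list lines that escalate
#    privilege, delete recursively, eval, or chain another pipe-to-shell.
flag_risky_lines() {
    grep -nE 'sudo|rm -rf|eval |curl[^|]*[|][[:space:]]*(ba)?sh' "$1" || true
}

count_risky_lines() {
    flag_risky_lines "$1" | wc -l | tr -d ' '
}

# 4. Run only after the digest matched and a human read the flagged lines.
run_staged() {
    sh "$1"
}

# Offline demonstration with a constructed installer in place of a real URL.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/install.sh" <<'EOF'
#!/bin/sh
echo "installing to $HOME/.tool"
sudo cp tool /usr/local/bin/tool
rm -rf "$HOME/.tool/cache"
EOF
    # In real use this value comes from the vendor's release page or a
    # signed checksum file, never from the same response as the script.
    expected=$(sha256sum "$tmp/install.sh" | cut -d' ' -f1)
    if verify_sha256 "$tmp/install.sh" "$expected"; then
        echo "digest ok; $(count_risky_lines "$tmp/install.sh") line(s) need review:"
        flag_risky_lines "$tmp/install.sh"
    fi
    rm -rf "$tmp"
}

demo
```

In real use the sequence is fetch_to_file, then verify_sha256 against the published value, then flag_risky_lines and a read-through of the whole file, and only then run_staged. The grep pattern is deliberately a review prompt rather than a filter: a clean report does not make a script safe, it only means nothing obvious jumped out.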

[–] knexcar@lemmy.world 3 points 2 months ago (2 children)

What does curl even do? Unstraighten? Seems like any other command I’d blindly paste from an internet thread into a terminal window to try to get something on Linux to work.

[–] Irelephant@lemm.ee 3 points 2 months ago (2 children)

curl sends requests; curl lemmy.world would return the HTML of lemmy.world's homepage. Piping it into bash means that you are fetching a shell script and running it.

[–] ArsonButCute@lemmy.dbzer0.com 6 points 2 months ago (3 children)

cURL (pronounced curl) stands for client for URL. It transfers data from a URL, which you can then do things with.

[–] ikidd@lemmy.world 7 points 2 months ago

When I modded some subreddits I had an automod rule that would target curl-bash pipes in comments and posts, and remove them. I took a fair bit of heat over that, but I wasn't backing down.

I had a lot of respect for Tteck and had a couple discussions with him about that and why I was doing that. I saw that eventually he put a notice up that pretty much said what I did about understanding what a script does, and how the URL you use can be pointed to something else entirely long after the command line is posted.
