curl https://some-url | sh

I see this all over the place nowadays, even in communities that, I would think, should be security conscious. How is that safe? What’s stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

I understand that we have the same problems with the installed application, even if it was downloaded and installed manually. But I feel the bar for making a mistake in a shell script is much lower than in whatever language the main application is written. Don’t we have something better than “sh” for this? Something with less power to do harm?

  • irelephant [he/him]🍭English
    34 months ago

    curl sends requests, curl lemmy.world would return the html of lemmy.worlds homepage. piping it into bash means that you are fetching a shell script, and running it.

    • @[email protected]English
      24 months ago

      I think he knows but is commenting on the pathetic state of security culture on Linux. (“Linux is secure so I can do anything without concerns”)

      • irelephant [he/him]🍭English
        14 months ago

        Security through obsecurity strikes again.

        I usually just read the shell script, and then paste that into bash.