undefined | Better HN

0 pointsyau8edq12i1y ago0 comments

Distributors usually give you a way to verify that what you've downloaded is correct, usually through checksums, PGP signatures, code signing... You forego that if you pipe the script to your shell. What if you make a typo and somehow pipe an HTML document to your shell? If you're unlucky this could wreak havoc.

0 comments

cassianoleal1y ago

From the threat vectors you presented, I assume you already trust the vendor. That means you trust their installation script. You are, after all, going to run their binary after the installation!

In this case, I assume the reason to inspect the script is not so much that the script might be doing something bad, but rather that you may have downloaded the wrong file to begin with.

With that in mind:

> Distributors usually give you a way to verify that what you've downloaded is correct

The first thing is that not all software is downloaded from Linux distribution repositories. This technique doesn't work if you're just downloading an installer from a website or Github releases page, etc. Sure, many also provide you with a checksum that you need to manually verify, but the shell script in question can also do the same. In fact, it can help by automating the check after it inevitably downloads the application's binary package.

In this case, the vector is you getting something different from what the vendor intended you to download. An example would be if your connection had been MITM'ed and a malicious package had been sent in its place.

This is largely a non-issue these days with TLS certs everywhere, SNI, OCSP stapling and other protections that more or less ensure you're connected to the right server.

> What if you make a typo and somehow pipe an HTML document to your shell?

That's quite the bad luck!

In this case, the user made a typo.

Most `curl | bash` commands are copy-pasted from a website rather than typed out, so this is _mostly_ a non-issue as well.

For those cases where the user typed the command and got it wrong, for it to become a problem, at least these 2 things need to be true:

  * the typoed URL actually downloaded something that the shell can interpret

  * there are commands in this downloaded document that actually wreak havoc to the system where they ran

I fail to see a scenario where that would happen. Not that it's impossible, but it's so unrealistic that if it happened to me I might just shutdown the computer and go buy a lottery ticket!

j / k navigate · click thread line to collapse