
I'm getting tired of explaining to people why downloading some arbitrary text file (script) from the internet with curl or wget or whatever and executing it with bash or some other script interpreter is a bad idea even if that's what some program's developer tells you to do.

People tend to understand without much difficulty that downloading and running random binaries is not a good idea, but there's an extraordinary blind spot when it comes to scripts (and so-called "config" files that are intended to be downloaded and then sourced in bash to set some variables). This is especially true for J. Random Developer's magic installer script.

I was hoping to find a good question with answers here that I could link to when necessary, but couldn't find one.

Anyone know of any good resources - blog posts, Q&A sites, whatever - that specifically address this topic?

I'd especially like to see resources explaining to developers why telling their users to do that is dangerously irresponsible.

cas
  • Related: HN: [Detecting the use of "curl | bash" server side](https://news.ycombinator.com/item?id=11532599) – StackzOfZtuff Jul 29 '17 at 09:10
  • @StackzOfZtuff Thanks. Interesting reading, but I'm looking more for essays (or high-quality rants) than a forum discussion. – cas Jul 29 '17 at 09:36
  • The sandstorm blog sounds reasonable. – StackzOfZtuff Jul 29 '17 at 12:27
  • There's some reasonable stuff in there, but it mostly sounds self-serving to me: their convenience, their wish to distribute their software, is more important than the potential security risk. As a security company, they ought to know (and do) better. One of the main things they're ignoring is that they're encouraging poor security habits in their users. They are saying "we're good guys, this is an OK thing to do", when it doesn't matter at all whether they're "good guys" or not. The practice is inherently unsafe and no amount of hand-waving will make it safe. – cas Jul 29 '17 at 12:31
  • Related: [Is `curl {something} | sudo bash -` a reasonably safe installation method?](https://security.stackexchange.com/questions/213401/is-curl-something-sudo-bash-a-reasonably-safe-installation-method) – Krubo Jul 13 '19 at 00:12
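The following script is an added example and is not part of the question or its comments. It reproduces, with files constructed locally under a temporary directory and no network access, the two hazards the question describes: an interpreter reading a pipe executes a truncated line as a complete command when the transfer dies mid-stream, and a "config" file that is sourced is a program rather than data. It then shows the alternative of saving the download to a file, checking it against a checksum published out of band, and only then running it. The installer contents, config keys and checksums are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Everything it touches lives
# under a temp dir created here; no network access is involved.
set -u

DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT

# Hazard 1: an interpreter reading a pipe runs each line as it arrives. If the
# transfer dies mid-line, the truncated line is executed as a complete command.
# Returns 0 if the truncated installer deleted the wrong directory.
truncated_pipe_deletes_wrong_dir() {
    mkdir -p "$DEMO/app" "$DEMO/app-old"
    # Hypothetical installer that removes the previous version, then installs.
    printf 'echo installing\nrm -rf "%s"/app-old\necho done\n' "$DEMO" > "$DEMO/install.sh"
    # Simulate the connection dropping right after ".../app", before "-old".
    local prefix
    prefix=$(printf 'echo installing\nrm -rf "%s"/app' "$DEMO")
    head -c "${#prefix}" "$DEMO/install.sh" | bash
    [ ! -d "$DEMO/app" ] && [ -d "$DEMO/app-old" ]
}

# Hazard 2: a "config" file that is sourced is a program, not data. Anything
# inside $(...) runs with the sourcing user's privileges. The file is constructed here.
write_config() {
    printf 'APP_VERSION=2.0\nAPP_HOME=$(touch "%s/pwned"; echo /opt/app)\n' "$DEMO" > "$DEMO/app.conf"
    printf '%s\n' "$DEMO/app.conf"
}
# Returns 0 if sourcing the config created the marker file.
sourcing_config_runs_code() {
    local conf
    conf=$(write_config)
    rm -f "$DEMO/pwned"
    ( . "$conf" )            # source in a subshell; the side effect still happens
    [ -e "$DEMO/pwned" ]
}
# Treating the same file as data instead: extract a key without evaluating it.
config_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Safer pattern: save the download to a file (curl -fsSL -o file URL), compare
# it against a checksum published out of band, read it, and only then run it.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}
run_if_verified() {
    local file="$1" expected="$2" actual
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != expected $expected" >&2
        return 1
    fi
    bash "$file"
}

# Stand-alone demonstration.
if truncated_pipe_deletes_wrong_dir; then echo "truncated pipe removed app/ instead of app-old/"; fi
if sourcing_config_runs_code; then echo "sourcing app.conf executed the embedded command"; fi
echo "APP_HOME read as data, not executed: $(config_get "$DEMO/app.conf" APP_HOME)"
printf 'echo hello from verified script\n' > "$DEMO/good.sh"
run_if_verified "$DEMO/good.sh" "$(sha256_of "$DEMO/good.sh")"
run_if_verified "$DEMO/good.sh" 0000000000000000000000000000000000000000000000000000000000000000 || echo "wrong hash: not run"
```

The truncation demo uses `head -c` to cut the real installer file at a chosen byte so the effect is reproducible; on a real download the cut point is wherever the connection happened to drop. The checksum check only helps if the expected hash comes from somewhere other than the same server that serves the script; a hash fetched alongside the script proves nothing.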

0 Answers