35

I want to download a script from: http://dl.dropbox.com/u/11210438/flockonus-stack.sh and execute it. My guess is, to use wget renaming it, chmod it, and execute.

What are the commands for doing that on Ubuntu?

Fabiano Soriani
  • 465
  • 1
  • 5
  • 7

6 Answers

63

Careful

Before running the script, do you trust the person who wrote it?

For example, did you expect the script to contain this?

```
echo "brain1" > /etc/hostname
```

That will try to change your hostname.


For future reference, after verifying the script is correct and not malicious, you can run it in one line like this:

```
wget -O - http://dl.dropbox.com/u/11210438/flockonus-stack.sh | bash
```

But download it separately and read it before running it the first time.

Also note that interactive prompts inside the downloaded script may not work properly using this method.

Mikel
  • 3,727
  • 2
  • 19
  • 16
  • 11
    +1 for pointing out the (significant) security concerns with this. Be absolutely certain you trust the source. That `echo "brain1" > /etc/hostname` could just as easily be `rm -rf /`. – Christopher Cashell Jan 24 '11 at 22:18
  • 2
    +1 Thanks guys, that script is from me, it is safe.. Loved the one-liner, but, it has some interactive lines that didn't run.. dunno why? – Fabiano Soriani Jan 24 '11 at 22:25
  • 1
    Your `apt-get install` lines? If `apt-get` would install any extra dependencies, it will ask you, and if it can't it will just exit to be safe. Either add all the dependent packages to the command line arguments, or consider adding `-y`, e.g. `apt-get -y install...` – Mikel Jan 24 '11 at 22:30
  • the issue is not related to dependencies, it has to do with apt flushing stdin. – Zoredache Jan 24 '11 at 23:31
  • 1
    You actually can't trust the source even if you do "trust the source" because of man in the middle attacks. That said, random private urls with bash scripts should be a narrow enough attack vector that nobody with the capability to pull it off cares enough to do it. – SpamapS Jan 26 '11 at 09:51
  • Like @FabianoPS remarked, this one-liner method does not support interactive input. I've found it best to do all this using a 'distinct commands' flavour of one-liner instead of pipe voodoo, e.g. ```wget SOMESCRIPT.sh; chmod +x SOMESCRIPT.sh; ./SOMESCRIPT.sh``` – starlocke Aug 14 '13 at 20:32
21

Non-Interactive Scripts

```
wget -O - http://website.com/my-script.sh | bash
```

Note that when using this method, interactive scripts will not work.


Interactive Scripts

In order to get interactive scripts working, you can use this:

```
bash <(wget -qO- http://website.com/my-script.sh)
```

Interactive Scripts that need to be run as root

Warning: This is extremely dangerous. Not recommended.

```
sudo su -c "bash <(wget -qO- http://website.com/my-script.sh)" root
```

Note that you cannot simply use `sudo bash`, since using `<(...)` will create a virtual file and its file descriptor will not be accessible from root's bash instance. It must be executed by the same user that needs to read the virtual file, so it has to be sent as its own command inside the root user's shell.

Nathan F.
  • 310
  • 2
  • 5
6

> That script is from me, it is safe.. Loved the one-liner, but, it has some interactive lines that didn't run.. dunno why?

When dpkg runs, called by apt-get, it flushes stdin. If you are using a command like `curl blah | bash`, then you are basically sending the contents of the page to bash via STDIN. If one of your commands is apt-get, then when it runs, everything else will be flushed.

The trick is to use a command like this: `apt-get install --yes denyhosts </dev/null`. This gives apt-get a different input, and it simply flushes /dev/null instead of the rest of your script.

If you want to see a complete example of installing something via a remote script you may want to look at this script for setting up denyhosts

For the record, I prefer curl over wget for this, but wget should also be fine.

Zoredache
  • 128,755
  • 40
  • 271
  • 413
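The stdin behaviour described in the two answers above (a prompt, or a stdin-draining command such as dpkg, swallowing the rest of a piped script) can be reproduced offline. This is an added example, not part of the original answers: `cat >/dev/null` stands in for the draining command, and the script texts and function names are constructed for the illustration.

```shell
#!/bin/sh
# Constructed script: the middle command drains stdin, like dpkg does.
DRAIN='echo step1
cat >/dev/null
echo step2'

# Same script, but the draining command is given its own stdin.
FIXED='echo step1
cat >/dev/null </dev/null
echo step2'

# Constructed script with a prompt: read takes its answer from stdin.
PROMPT='read -r name
echo "hello $name"'

# Pipe form (wget -O - URL | bash): bash reads the script itself from stdin,
# so every child process shares that stream with the interpreter.
run_piped() {
    printf '%s\n' "$1" | bash
}

# Process-substitution form (bash <(wget -qO- URL)): the script arrives on
# /dev/fd/N and stdin stays free. $2 is the simulated keyboard input.
run_procsub() {
    printf '%s\n' "$2" | bash -c 'bash <(printf "%s\n" "$1")' _ "$1"
}

echo "piped, draining command:     $(run_piped "$DRAIN" | tr '\n' ' ')"
echo "piped, stdin from /dev/null: $(run_piped "$FIXED" | tr '\n' ' ')"
echo "piped, prompt:               $(run_piped "$PROMPT")"
echo "process substitution, prompt: $(run_procsub "$PROMPT" "Ada")"
```

In the piped prompt case `read` consumes the script's own next line as the answer, so the `echo` never runs.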
4
```
#!/bin/sh
# Download the script only if a copy is not already in /tmp
if [ ! -f "/tmp/flockonus-stack.sh" ]
then
    wget -O /tmp/flockonus-stack.sh http://dl.dropbox.com/u/11210438/flockonus-stack.sh
fi

# Run the local copy
sh /tmp/flockonus-stack.sh
```
lynxman
  • 9,157
  • 3
  • 24
  • 28
4

All of these examples are missing a fairly important point. If you use the url http://dl.dropbox.com/u/11210438/flockonus-stack.sh, you need to audit the script every time you download it, because it can be modified by anyone on the network path between you and Dropbox. If you switch to https://dl.dropbox.com/u/11210438/flockonus-stack.sh, you won't have that source of insecurity.

(Dropbox tries to redirect the http URL to https, but in the case of a network attack wget would never get to speak to the real Dropbox, and would never see the redirect.)

pde
  • 141
  • 1
  • 2
    This is probably better left as a comment on the question, not an answer, as it doesn't exactly answer the question. Still worth pointing out for sure! – Bill Weiss May 05 '16 at 01:07
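One way to combine the advice in this thread (download separately, read the script, use HTTPS) so the audit only has to be done once: record the SHA-256 of the copy you reviewed and refuse to run anything else. This is an added example, not code from any of the answers; the function names are hypothetical, and pinning a checksum is an assumption that goes beyond what the answers describe.

```shell
#!/bin/sh
# fetch_https URL DEST: refuse non-HTTPS URLs and any redirect, save to DEST.
fetch_https() {
    case "$1" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 2 ;;
    esac
    wget -q --max-redirect=0 -O "$2" "$1"
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE matches the pinned hash.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# run_pinned URL EXPECTED_HEX: download, verify, then execute the local copy.
# Nothing is executed unless both the download and the hash check succeed.
run_pinned() {
    tmp=$(mktemp) || return 1
    if fetch_https "$1" "$tmp" && verify_sha256 "$tmp" "$2"; then
        bash "$tmp"
        rc=$?
    else
        echo "download or checksum verification failed; not running" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholder hash; use the sha256sum output of the copy you audited):
#   run_pinned https://dl.dropbox.com/u/11210438/flockonus-stack.sh <sha256-of-reviewed-copy>
```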
2

Try simply downloading it as you have specified with wget and then executing it directly. You can get fancy and use variables for the script you want to download, etc., but this will do the trick.

For example:

```
#!/bin/bash

# Change to temp directory
cd /tmp || exit 1

# Download file using wget
wget http://dl.dropbox.com/u/11210438/flockonus-stack.sh

# Execute the file
sh flockonus-stack.sh
```
Brett
  • 46
  • 1