Can we please stop with curl | sudo bash, PLEASE
Using
curl -s https://url | sudo bash
is literal insanity. Root given. We know how accounts can be compromised, so obviously there is potential for that url to be replaced by a hacker with something malicious. We've even seen hackers compromise pages, and return the standard page, while targetting only a few people (geolocation, for example) with malicious data.
Yet there is also the possibility for malformed text to be returned. Bash will happily execute each and every line of:
E#@%SDVsdcvxdsf4a6t4g
erfgrr;rm * regdfgereridbd
4524wfasrfv4
And beyond malformed, there could be a simple publishing error. There could be lines of code in the error message. Unknown text. Each and every line of text returned, is executed. I am just gobsmacked that this exists anywhere, ever, for any reason at all. I wouldn't execute such a command from my own personal web server, in my own internal lan, let alone remote.
When I see such inanity on a project page, it's a big read flag to me. Convenience over the most basic of security, or even simple validation that something didn't go wrong in a curl request. The evoked lack of trust that arises is as bile in my throat, what other shortcuts are taken by the project authors, which seem to barely understand the simplest of risk assessment?
Please, don't ever execute this. If you have to throw all sense and caution to the wind, and use a project which suggests this install method, well... at least curl > file and take 1 second to see the result. 100% Agree. If I were an attacker, this is the easiest way to gain root access, leak env variables and install ransomware on the machine. Accepting this as the standard way to install software just for convenience over security is just pure ignorance until a massive breach happens. This even before mentioning flawed standards such as INSTALL.md [0] for agents to curl | sudo bash unattended from a .md file. [0] https://www.mintlify.com/blog/install-md-standard-for-llm-ex... This may be considered as critical of Rust, so will be flagged and closed in due course. made my day :D The host in this video (https://youtu.be/M1si1y5lvkk) described the primary use for curl as to "freebase shell script straight from githabusercontent.com by piping it into a root shell". He also said that "-o-" is an emitocon illustrating the user with their head down on their desk and their arms splayed out in a pose of complete submission". The problem isn't pipe, it's the default to blind trust.People will happily audit a PR but won't spend 5 seconds reading a script they're about to run as root. It's not trust. There are plenty of major projects that only have or strongly prefer curl | bash. Trusting a vendor is fine. These are often to install a repository and a package. The alternative is to run something like rpm -i from_url.rpm to install some package directly. Which is not exactly any different from security perspective. There is no easy way around this when the software is not in a system repo or without attestation in some way. Not only will we keep doing this, we'll have AI agents do it unsupervised. Can you please stop trying to control what people do on their computers? Nobody is forcing anyone to execute the script and usually the script is fully auditable.