Is `curl something | sudo bash -` a reasonably safe installation method?


The most straightforward way to install NodeJS on Ubuntu or Debian seems to be Nodesource, whose installation instructions say to run:



curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -


This clashes with some basic security rules I learned long ago, such as "be suspicious of downloads" and "be cautious with sudo". However, I learned those rules long ago, and nowadays it seems like everyone is doing this...well, at least it has 350 upvotes on askubuntu.com.



As I read various opinions on other sites, I'm finding that some people also think curl-pipe-sudo-bash is unsafe:



  • Phil. (idontplaydarts.com, 2016-04-19) Detecting the use of "curl | bash" server side

  • Stemm, Mark. (Sysdig.com, 2016-06-13) Friends don't let friends Curl | Bash.


  • Stackoverflow.com. (2015-04-01 and onward) Why using curl | sudo sh is not advised? (also linked from askubuntu)

while some people think it's just as safe as any other practical installation method:



  • McLellan, Bryan. (Github.com/btm, 2013-09-25) Why curl | sudo bash is good.

  • YCombinator.com. (2016-10-22 and onward) "Curl Bash piping" wall of shame.


  • Varda, Kenton. (Sandstorm.io, 2015-09-24) Is curl|bash insecure?.

There are also some that explore the problem without giving a decisive opinion:



  • Granquist, Lamont. (Chef.io, 2015-07-16) 5 Ways to Deal With the install.sh Curl Pipe Bash problem.

Since there's no clear consensus from other sites, I'm asking here: Is curl-pipe-sudo-bash a reasonably safe installation method, or does it carry unnecessary risks that can be avoided by some other method?










Tags: curl, sudo, install






      asked 9 hours ago









Krubo

          2 Answers
It's about as safe as any other installation method as long as you:

• Use HTTPS (and reject certificate errors)

• Are confident in your certificate trust store

• Trust the server you're downloading from

You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.

Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code or that it's legitimate code from the creators.[1]

If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.

As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no more so than sudo apt install ....

[1]: Then again, it looks like NodeSource is creating some sort of custom installer, which wouldn't be signed by the Node team anyway, so... I'm not convinced that it's less safe in this particular case.






– Nic Hartley
answered 8 hours ago, edited 9 mins ago
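The "separate the steps out" advice above, as an added example that is not code from the answer, from NodeSource or from any project on this page. It turns the one-liner into a download that lands in a file (curl restricted to HTTPS, including on redirects, and failing on any HTTP or certificate error rather than piping whatever arrives into a shell) and a short triage pass that lists the lines a reviewer should read first: further downloads, output piped into another shell, eval or base64 decoding, and writes to the places that change what root trusts. The URL, output file name, the `REVIEW_PATTERN` list and the sample setup script are constructed for the demonstration; the pattern list is where a human read starts, not a verdict.

```shell
#!/bin/sh
# Added example, not code from the original answer or from NodeSource:
# split "curl ... | sudo bash -" into a download you can read and a run
# you choose to perform. The URL, the file names and the sample script
# below are constructed for the demonstration.

# fetch_for_review URL OUTFILE
# Downloads over HTTPS only (redirects included), fails on any HTTP error
# and on any certificate problem (curl's default; never add -k/--insecure
# to "fix" a certificate error), and writes to a file instead of a pipe.
fetch_for_review() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --output "$2" "$1" || return 1
    echo "saved $(wc -c < "$2") bytes to $2; read it before running it"
}

# Lines a reviewer should read first: further downloads, output piped into
# another shell, eval/base64 decoding, changes to what root trusts
# (apt sources, keyrings, sudoers) and setuid bits. A starting list for a
# human read, not a malware verdict.
REVIEW_PATTERN='curl|wget|\| *(ba)?sh|eval|base64|/etc/apt|/etc/sudoers|keyring|chmod.*[+]s'

# triage_script FILE: print the flagged lines with their line numbers
triage_script() {
    echo "--- lines to read first in $1 ---"
    grep -n -E "$REVIEW_PATTERN" "$1" || echo "(nothing flagged; still read the whole script)"
}

# count_flagged FILE: number of flagged lines (prints 0 when nothing matched)
count_flagged() {
    grep -c -E "$REVIEW_PATTERN" "$1" || true
}

# write_sample_script FILE: a constructed stand-in for a downloaded
# repository setup script, so the triage can be shown offline
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
set -e
echo "## Installing the example-repo signing key and apt source..."
curl -sSf https://example.invalid/repo.key | apt-key add -
echo "deb https://example.invalid/node_12.x focal main" > /etc/apt/sources.list.d/example.list
apt-get update -qq
echo "## Run 'sudo apt-get install -y nodejs' to install Node.js"
EOF
}

# Demonstration. In real use the first step would be
#   fetch_for_review https://deb.nodesource.com/setup_12.x ./setup_12.x.sh
# followed by triage_script, a careful read of the whole file, and only then
#   sudo bash ./setup_12.x.sh
SAMPLE=$(mktemp)
write_sample_script "$SAMPLE"
triage_script "$SAMPLE"
echo "flagged lines: $(count_flagged "$SAMPLE") (2 for the sample: the key download and the apt source write)"
rm -f "$SAMPLE"
```

The two flagged lines in the sample are exactly the kind of thing the answer says to look for: one fetches more material from the network, the other changes what apt will trust from now on. Neither is wrong for a repository setup script, which is why the grep only orders the reading; it does not decide.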

























          • Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

            – CBHacking
            3 hours ago











          • @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

            – Nic Hartley
            3 hours ago











          • Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

            – CBHacking
            2 hours ago











          • @CBHacking Or they could upload a fake package entirely. I took another look at the source for this example and it looks like NodeSource is making a custom Node installer. They could, at least theoretically, package and sign whatever malware they wanted. You're definitely right in the general case (which is why I edited my answer) but in this specific case I don't think it reduces security.

            – Nic Hartley
            6 mins ago


















          Submitting an answer to my own question. Not sure if this is the best answer, but I'm hoping other answers will address these points.



          curl something | sudo bash - on Linux is equally safe as downloading something on Windows and right-clicking run as administrator. This may or may not be 'reasonably safe'. As a recent xkcd suggests, nobody really knows how bad computer security is these days.



          Several risks of this method can easily be solved by verifying the download integrity before running it. Since doing so is simple, there's no good reason to skip this step. The goal here is to ensure that what you have downloaded is what the publisher intended. This doesn't guarantee that the software is free of its own vulnerabilities, but it should at least protect against simple attacks that replace the download with malware. The essence is simply to verify the MD5 and SHA256 checksums posted by the software publisher. Some further improvements are possible:



          • It's better to get these checksums via a different network path, such as by calling a friend in another country, which would protect against MITM attacks.

          • It's better to get the checksums at least a day earlier/later, which would protect in case the publisher's website was briefly taken over but the takeover was stopped within a day.

          • It's better to verify the checksums themselves using GPG, which would protect in case the publisher's website was compromised but their GPG private key wasn't.

          One side comment: Some sites say you should download the sh script and then inspect it before running it. Unfortunately, this gives a false sense of security unless you vet the script with a practically impossible level of precision. The shell script is probably a few hundred lines, and very tiny changes (such as an obfuscated one-character change to a URL) can convert a shell script into a malware installer.






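The verification procedure in this answer (check the published SHA-256 against the download, check the checksum list's GPG signature, and only then run), as an added example that is not code from the answer or from any publisher. It assumes the publisher ships a `SHA256SUMS` list in sha256sum(1) format and, optionally, a detached `SHA256SUMS.asc` signature made with a key you hold in a keyring obtained through a different channel; the file names, the sample installer and its hash are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original answer or from any publisher:
# verify a downloaded installer against the publisher's SHA256SUMS list,
# optionally check the list's detached GPG signature, and only then hand
# the file to sudo. Assumed layout: "SHA256SUMS" in sha256sum(1) format and
# "SHA256SUMS.asc" signed by a key you imported through a different channel
# (a keyring file you already hold, not one fetched from the same server).
# The file names, hashes and sample installer below are constructed.

# digest FILE: prints "hex  name" with whichever SHA-256 tool the system has
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# verify_download FILE SUMS [SIG KEYRING]
# Returns 0 only if FILE's SHA-256 matches its entry in SUMS (and, when SIG
# is given, SUMS itself carries a valid signature from a key in KEYRING).
verify_download() {
    file=$1; sums=$2; sig=$3; keyring=$4
    [ -f "$file" ] && [ -f "$sums" ] || { echo "missing file or checksum list" >&2; return 1; }

    # Signature over the checksum list: protects against a replaced list,
    # as long as the key did not come from the same (possibly compromised) server
    if [ -n "$sig" ]; then
        [ -f "$keyring" ] || { echo "keyring $keyring not found" >&2; return 1; }
        gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums" >/dev/null 2>&1 \
            || { echo "signature on $sums FAILED" >&2; return 1; }
    fi

    # Expected digest for this file name ("hex  name" or "hex *name" entries)
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }

    actual=$(digest "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum MISMATCH for $name" >&2; return 1; }
    echo "checksum OK for $name"
}

# run_if_verified FILE SUMS [SIG KEYRING]: the replacement for "| sudo bash -"
run_if_verified() {
    verify_download "$@" || return 1
    sudo bash "$1"
}

# demo_verify: constructed installer and checksum list in a temp dir; the
# unmodified file must pass and a modified one must fail. Returns 0 if both hold.
demo_verify() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho "installing example package"\n' > "$dir/setup.sh"
    ( cd "$dir" && digest setup.sh > SHA256SUMS )

    verify_download "$dir/setup.sh" "$dir/SHA256SUMS" || { rm -rf "$dir"; return 1; }

    printf 'echo "one extra line"\n' >> "$dir/setup.sh"   # simulate a modified download
    if verify_download "$dir/setup.sh" "$dir/SHA256SUMS" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}

demo_verify && echo "demo: unmodified file accepted, modified file rejected"
```

The script takes the checksum list and the keyring as inputs rather than fetching them, which is where the answer's other points live: obtaining `SHA256SUMS` over a different network path or a day apart, and holding the signing key before the download, are things you do outside the script. If the key and the list both came from the same server as the installer, the signature check only shows that the server agrees with itself, which is the limitation the comments under the other answer discuss.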



























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "162"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213401%2fis-curl-something-sudo-bash-a-reasonably-safe-installation-method%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            5














            It it's about as safe as any other installation method as long as you:



            • Use HTTPS (and reject certificate errors)

            • Are confident in your certificate trust store

            • Trust the server you're downloading from

            You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.



            Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code or that it's legitimate code from the creators.1



            If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.



            As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no moreso than sudo apt install ....




            1: Then again, it looks like NodeSource is creating some sort of custom installer, which wouldn't be signed by the Node team anyway, so... I'm not convinced that it's less safe in this particular case.






            share|improve this answer

























            • Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

              – CBHacking
              3 hours ago











            • @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

              – Nic Hartley
              3 hours ago











            • Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

              – CBHacking
              2 hours ago











            • @CBHacking Or they could upload a fake package entirely. I took another look at the source for this example and it looks like NodeSource is making a custom Node installer. They could, at least theoretically, package and sign whatever malware they wanted. You're definitely right in the general case (which is why I edited my answer) but in this specific case I don't think it reduces security.

              – Nic Hartley
              6 mins ago















            5














            It it's about as safe as any other installation method as long as you:



            • Use HTTPS (and reject certificate errors)

            • Are confident in your certificate trust store

            • Trust the server you're downloading from

            You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.



            Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code or that it's legitimate code from the creators.1



            If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.



            As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no moreso than sudo apt install ....




            1: Then again, it looks like NodeSource is creating some sort of custom installer, which wouldn't be signed by the Node team anyway, so... I'm not convinced that it's less safe in this particular case.






            share|improve this answer

























            • Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

              – CBHacking
              3 hours ago











            • @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

              – Nic Hartley
              3 hours ago











            • Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

              – CBHacking
              2 hours ago











            • @CBHacking Or they could upload a fake package entirely. I took another look at the source for this example and it looks like NodeSource is making a custom Node installer. They could, at least theoretically, package and sign whatever malware they wanted. You're definitely right in the general case (which is why I edited my answer) but in this specific case I don't think it reduces security.

              – Nic Hartley
              6 mins ago













            5












            5








            5







            It it's about as safe as any other installation method as long as you:



            • Use HTTPS (and reject certificate errors)

            • Are confident in your certificate trust store

            • Trust the server you're downloading from

            You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.



            Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code or that it's legitimate code from the creators.1



            If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.



            As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no moreso than sudo apt install ....




            1: Then again, it looks like NodeSource is creating some sort of custom installer, which wouldn't be signed by the Node team anyway, so... I'm not convinced that it's less safe in this particular case.






            share|improve this answer















            It it's about as safe as any other installation method as long as you:



            • Use HTTPS (and reject certificate errors)

            • Are confident in your certificate trust store

            • Trust the server you're downloading from

            You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.



            Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code or that it's legitimate code from the creators.1



            If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.



            As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no more so than sudo apt install ....




            1: Then again, it looks like NodeSource is creating some sort of custom installer, which wouldn't be signed by the Node team anyway, so... I'm not convinced that it's less safe in this particular case.







            edited 9 mins ago
            answered 8 hours ago

            Nic Hartley












            • Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

              – CBHacking
              3 hours ago











            • @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

              – Nic Hartley
              3 hours ago











            • Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

              – CBHacking
              2 hours ago











            • @CBHacking Or they could upload a fake package entirely. I took another look at the source for this example and it looks like NodeSource is making a custom Node installer. They could, at least theoretically, package and sign whatever malware they wanted. You're definitely right in the general case (which is why I edited my answer) but in this specific case I don't think it reduces security.

              – Nic Hartley
              6 mins ago
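Added example; not code from the answer above, from the comments, or from any vendor's installer. The answer says to separate the steps (download the script, inspect it, then run it) and warns that the Bash may itself call another interpreter or download and run a compiled executable. This script does the first pass of that inspection for you: it assumes the installer has already been saved to a local file, uses only POSIX sh, grep, sed and wc, and audits two installer scripts that are constructed inline (the hostnames in them are placeholders).

```shell
#!/bin/sh
# Added example; not code from the answer, the comments, or any vendor's
# installer. A first-pass audit of an installer script that has already been
# saved to disk, run before `sudo bash` ever sees it. It flags the constructs
# that stop a reader from vetting the script by eye: a nested download piped
# into a shell, eval and base64/xxd decoding, plain-http URLs, chmod making a
# download executable, and a non-ASCII byte inside a URL (a homoglyph domain
# is exactly the one-character change a skim misses). A hit means "read this
# line until you can explain it", not "malicious"; no hits is not a clean bill
# of health.

# audit_installer FILE
# Prints one "rule:line:text" per hit and returns 0 only when nothing was
# flagged. LC_ALL=C makes grep byte-oriented, so [^[:print:]] matches any byte
# above 0x7E; -a stops grep from treating such a file as binary.
audit_installer() {
    file=$1
    total=0
    for rule in \
        'nested-pipe:(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([[:space:]]|$)' \
        'eval-or-decode:(^|[^[:alnum:]_])(eval|base64[[:space:]]+(-d|--decode)|xxd[[:space:]]+-r)([^[:alnum:]_]|$)' \
        'plain-http:http://' \
        'chmod-exec:chmod[[:space:]]+([ugoa]*[+][rw]*x|[0-7]*[1357][0-7]*)' \
        'non-ascii-url:://[^[:space:]]*[^[:space:][:print:]]'
    do
        name=${rule%%:*}      # text before the first colon
        pattern=${rule#*:}    # everything after it (patterns may contain colons)
        hits=$(LC_ALL=C grep -anE "$pattern" "$file") && {
            printf '%s\n' "$hits" | sed "s/^/$name:/"
            total=$((total + $(printf '%s\n' "$hits" | wc -l)))
        }
    done
    [ "$total" -eq 0 ]
}

# Constructed samples (not real vendor scripts) in a temp dir that is removed
# when the shell exits.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# One line per rule, plus clean lines that must not be flagged.
sample=$tmpdir/suspicious-install.sh
cat > "$sample" <<'EOF'
#!/bin/bash
set -e
KEY_URL="https://pkgs.example.com/gpgkey/release.key"
# the 'a' in exAmple on the next line is Cyrillic U+0430, not Latin
MIRROR="https://pkgs.exаmple.com"
curl -fsSL "$MIRROR/stage2.sh" | sudo bash -
wget -q http://pkgs.example.com/helper.tar.gz -O /tmp/helper.tar.gz
eval "$(echo 'ZWNobyBoaQ==' | base64 -d)"
chmod +x /tmp/helper && /tmp/helper
apt-get install -y nodejs
EOF

# An installer that only fetches a key over HTTPS and uses the package manager.
clean=$tmpdir/plain-install.sh
cat > "$clean" <<'EOF'
#!/bin/bash
set -e
curl --proto '=https' -fsSL https://pkgs.example.com/release.key -o /tmp/release.key
gpg --dearmor -o /usr/share/keyrings/example.gpg /tmp/release.key
apt-get update && apt-get install -y nodejs
EOF

for f in "$sample" "$clean"; do
    if audit_installer "$f"; then
        echo "$f: nothing flagged (still read it before running it)"
    else
        echo "$f: explain every line above before this goes anywhere near sudo bash"
    fi
done
```

Run it against the saved file, not against a pipe. The nested-pipe rule is the one that matters most: if the installer pipes a second download into a shell, reading the outer script tells you nothing about what will actually execute, which is the case the answer describes where the Bash downloads and runs something else.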

















            Submitting an answer to my own question. Not sure if this is the best answer, but I'm hoping other answers will address these points.



            curl something | sudo bash - on Linux is as safe as downloading something on Windows and right-clicking "run as administrator". This may or may not be 'reasonably safe'. As a recent xkcd suggests, nobody really knows how bad computer security is these days.



            Several risks of this method can easily be solved by verifying the download integrity before running it. Since doing so is simple, there's no good reason to skip this step. The goal here is to ensure that what you have downloaded is what the publisher intended. This doesn't guarantee that the software is free of its own vulnerabilities, but it should at least protect against simple attacks that replace the download with malware. The essence is simply to verify the MD5 and SHA256 checksums posted by the software publisher. Some further improvements are possible:



            • It's better to get these checksums via a different network path, such as by calling a friend in another country, which would protect against MITM attacks.

            • It's better to get the checksums at least a day earlier/later, which would protect in case the publisher's website was briefly taken over but the takeover was stopped within a day.

            • It's better to verify the checksums themselves using GPG, which would protect in case the publisher's website was compromised but their GPG private key wasn't.

            One side comment: Some sites say you should download the sh script and then inspect it before running it. Unfortunately, this gives a false sense of security unless you vet the script with a practically impossible level of precision. The shell script is probably a few hundred lines, and very tiny changes (such as an obfuscated one-character change to a URL) can convert a shell script into a malware installer.






                edited 3 hours ago
                answered 3 hours ago

                Krubo
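Added example; not code from either answer or from NodeSource. It puts the download-verify-run flow into one POSIX sh script: the HTTPS and certificate points from Nic Hartley's bullet list are enforced by the curl flags in fetch_script, and the checksum steps from this answer are the verify functions. The URL and pinned hash that install_pinned takes are placeholders you would supply; the installer file, its out-of-band hash and a tampered copy are constructed inline so the verification part runs offline (the curl fetch and the gpg check are defined but not exercised here). It pins SHA-256 only, since MD5 adds nothing once SHA-256 has matched.

```shell
#!/bin/sh
# Added example, not code from the answers or from NodeSource: the
# "download, verify, then run" flow as a small script. The URL and the pinned
# SHA-256 are placeholders you would replace; the sample installer below is
# constructed here so everything except the network fetch runs offline.

# 1. Fetch to a file, never straight into bash.
#    --proto/--proto-redir '=https' refuse plain http even on a redirect,
#    --tlsv1.2 sets a floor, --fail turns an HTTP error page into a non-zero
#    exit instead of a "script", and a file on disk is what you inspect and
#    hash, so a transfer that drops midway cannot leave bash having run half
#    an installer.
fetch_script() {   # fetch_script URL DEST
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 --fail \
         --silent --show-error --location --output "$2" "$1"
}

# 2. SHA-256 of a file, portable across coreutils and BSD/macOS userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 3. Compare against a hash obtained somewhere other than the download itself
#    (the publisher's page fetched over another network, a copy saved a day
#    earlier), as the answer's bullets suggest.
verify_sha256() {   # verify_sha256 FILE EXPECTED_HEX -> 0 on match
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# 4. If the publisher signs the checksum list, check that signature against a
#    key you already hold in a dedicated keyring (one shipped with the OS, or
#    dearmored from a key you fetched and recorded earlier), not one fetched
#    alongside the script or pulled from a keyserver at install time.
verify_sums_signature() {   # verify_sums_signature SUMS.asc SUMS KEYRING.gpg
    gpg --no-default-keyring --keyring "$3" --verify "$1" "$2"
}

# 5. The flow itself: nothing reaches sudo unless the pinned hash matches.
install_pinned() {   # install_pinned URL EXPECTED_SHA256
    f=$(mktemp) || return 1
    if fetch_script "$1" "$f" && verify_sha256 "$f" "$2"; then
        sudo bash "$f"; rc=$?
    else
        echo "refusing to run $1: download failed or hash did not match $2" >&2
        rc=1
    fi
    rm -f "$f"
    return "$rc"
}

# Constructed demo (no network): a stand-in for the downloaded installer, the
# hash you would have recorded out of band, and the one-character edit a
# reviewer skims past (https -> http), which the pinned hash still catches.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
sample=$tmpdir/install.sh
cat > "$sample" <<'EOF'
#!/bin/bash
set -e
curl --proto '=https' -fsSL https://pkgs.example.com/release.key -o /tmp/release.key
apt-get update && apt-get install -y nodejs
EOF
pinned=$(sha256_of "$sample")          # stands in for the hash recorded elsewhere
tampered=$tmpdir/install-tampered.sh
sed 's|https://|http://|' "$sample" > "$tampered"

if verify_sha256 "$sample" "$pinned"; then
    echo "original: hash matches the pinned value, inspect it and then run it"
fi
if ! verify_sha256 "$tampered" "$pinned"; then
    echo "tampered: hash mismatch, refusing to run"
fi
```

The hash is an argument rather than something the script fetches because its whole value comes from arriving by a different path than the file it checks; a checksum served next to the download is only as trustworthy as that server.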


























