Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Excuse the naivety but what's the issue?


You are piping the output of an untrusted command into a shell that will execute it. This leaves no way to verify that the code your are running is legit. No md5 verification, no cursory inspection of the script, etc.... There could even be hijacked dns that points to a server that specifically does a bad thing. Maybe not a huge deal for small projects but it's not a great idea in general.

Try this to see a proof of concept:

$echo "echo test" | bash


You mean besides the fact that this gives remote code execution to anyone who can spoof a DNS record?


Wouldn't you have bigger problems at that point?


No, you might just be drinking coffee, or at a library, or on Google's public Wifi, etc.


Say you try logging into your gmail. Couldn't they spoof the DNS and point you to a "proxy" that skims your credentials?


HTTPS is an entirely different story, I don't know that people would necessarily like installs like "curl https://my.script.ly | sh", but there's at least a mechanism to verify the identity of the source.


You are asking developers to download a shell script from $random_site and run it immediately without any thoughts whatsoever as to what effects it might have.

Getting people used to that is a bad idea.


Is it so different from running a make install or a install.sh script?


No. Don't use "curl" to download install scripts from HTTP URLs, or, for that matter, from HTTPS sites you don't trust.


The biggest problem is validating the download prior to installing it. The use make install or install.sh or other similar script, the following should be done:

Download package

md5 package

verify md5 == published md5 of packge

extract

make install / install.sh / etc

With "curl package.github.com" | bash" the validation is missing. I don't mind the curl x | bash for my dev machine or testing/dev vms, but that is not happening on production. And if I need said software on production, I have to find a different way to install.


If the bad guy has intercepted the DNS, they can just provide the md5 of the bad script, no?

Maybe the solution here, assuming you trust the third party, is for them to get a signed SSL cert and provide `curl https://get.whatever.com|bash`


If the bad guy has intercepted the DNS, they can just provide the md5 of the bad script, no?

That's enough extra work, and unreliable enough, that the attacker might not bother. Why work so hard to sabotage the user who checks md5sums when you can just wait for a user that doesn't? Just because thieves can carry lockpicks doesn't mean that you shouldn't bother locking your car: Protection against lazy, opportunistic thieves is still better than nothing.

The other advantage of the MD5 plan is that you can download the MD5 from a different site than the script, at a different time and over a different internet connection (or, perhaps, over https). A specific, important version of that use case is: If you're installing the script over and over again in an automated fashion, you can download its MD5 in advance, cache it, and then check it against every future download of the script to verify that the script hasn't changed. When the script gets updated and the MD5 legitimately changes, you audit the diff and then update your copy of the MD5 for the future.

Meanwhile, using curl-over-HTTPS seems like it couldn't hurt, but better make sure 'curl' is really checking the cert and aborting on cert mismatch, because tools can be very sloppy about this. Also, you're still trusting the third party site, and once their site gets hacked it's game over… unless you have another canonical source for the MD5 sum.

One ultimately realizes why real packaging systems have signed packages, with private keys assigned to developers.


It silently executes arbitrary code from a remote server.


Remote code execution Suppose in the install scripts there happened to be a line like "rm -rf /" then you'll feed that to bash...


iirc that command doesn't work anymore on most *nix boxes. Not that I test this fact very often.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: