Using cURL with BASH
Piping cURL directly to BASH is dangerous, but unfortunately, many websites have installation instructions that look similar to below:
curl -s https://my-script/23 | bash
That being said, I often do post similar commands on my blog and on twitter. One such example is on my tutorial to install PHP 7.1 on Debian which is below:
curl -s https://scripts.programster.org/scripts/23?output=raw | bash
The fundamental point I want to get at here is that this is all about trust and convenience. I have complete trust in myself and am willing to use my own scripts. However, I don't expect you to and thats why I always put a script in the blog posts that you can read, copy, paste, and execute.
Some things to note that relate to trust and security:
- I built
scripts.programster.org
(proprietary but with tools like bootstrap), however my blog is a Ghost blog that I deployed through docker. - You will notice that both sites are on my own domain, and the scripts site is using SSL (I really need to update this blog to do the same).
- Just because a script comes from scripts.programster.org, does not mean it came from me. I built the website as a public tool that anybody can use to easily share their scripts with others who trust them, or for self-use. On this note, I really want to put in a signed scripts system, or at least change the URL's to have the authors unique username in.
- Scripts with a second number in the URL, such as
/scripts/1/1?output=raw
rather than justscripts/1/1?output=raw
are pointing to a specific revision, so that if you have already reviewed the script, you can keep using it safely, whereas if it doesn't use a revision number, you will always recieve the latest version that I may have updated. Again you can pick your level of convenience vs security.
You're Probably Already Using A Trust System
Have you ever used a PPA to install a more up-to-date version of a package? This system is based on trust, and when you add the PPA, you are telling your OS that you trust any packages signed by the owner of that PPA. I often find posts on other sites such as DigitalOcean where they themselves use a PPA to install a later version of PHP, rather than compiling from source.
At the end of the day there is always a trade-off between convenience and security and the convenience relies on trust. If your the type to never use a PPA and always compiles from source, only after having read through the entire code base then that's awesome, but that's not me.
Perhaps I've Missed Something
I'm definitely no security expert, but always trying to learn more and posting about it. If I am missing some fundamental point, such as a man-in-the-middle attack with using curl then please post in the comments. I will be sure to update my posts accordingly.
First published: 16th August 2018