Is `curl something | sudo bash -` a reasonably safe installation method?Resources explaining why `curl | bash` and similar installation instructions are a security hazard?Is it safe to ask users to curl a raw file from GitHub?Is it safe to use .netrc files to store credentials for tools like curl or ftp?Can a curl request to an arbitrary url made sufficiently safe?Why is it considered safe to install something as a non-root user in Linux environments?Is there a criteria for allowing or disallowing the execution of bash scripts as root with sudo?Resources explaining why `curl | bash` and similar installation instructions are a security hazard?Is an asterisk in sudo command specifications safe?

Extract an attribute value from XML

Is an acid a salt or not?

Why do players in the past play much longer tournaments than today's top players?

Is Trump personally blocking people on Twitter?

Was the Ford Model T black because of the speed black paint dries?

Why would guns not work in the dungeon?

What's a moment that's more impactful on a reread called?

Keep milk (or milk alternative) for a day without a fridge

Is this floating-point optimization allowed?

During copyediting, journal disagrees about spelling of paper's main topic

Redirect https to fqdn

Why does Hellboy file down his horns?

Why does resistance reduce when a conductive fabric is stretched?

The monorail explodes before I can get on it

What's the point of this scene involving Flash Thompson at the airport?

Why did my rum cake turn black?

Password maker in c#

Why isn't there research to build a standard lunar, or Martian mobility platform?

Can I use "candidate" as a verb?

Crowbar circuit causes unexpected behavior for op amp circuit

A DVR algebra with weird automorphisms

What's the fastest way to get Hard To Borrow (HTB) stocks?

Is it rude to tell recruiters I would only change jobs for a better salary?

Robbers: The Hidden OEIS Substring



Is `curl something | sudo bash -` a reasonably safe installation method?


Resources explaining why `curl | bash` and similar installation instructions are a security hazard?Is it safe to ask users to curl a raw file from GitHub?Is it safe to use .netrc files to store credentials for tools like curl or ftp?Can a curl request to an arbitrary url made sufficiently safe?Why is it considered safe to install something as a non-root user in Linux environments?Is there a criteria for allowing or disallowing the execution of bash scripts as root with sudo?Resources explaining why `curl | bash` and similar installation instructions are a security hazard?Is an asterisk in sudo command specifications safe?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








4















The most straightforward way to install NodeJS on Ubuntu or Debian seems to be Nodesource, whose installation instructions say to run:



curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -


This clashes with some basic security rules I learned long ago, such as "be suspicious of downloads" and "be cautious with sudo". However, I learned those rules long ago, and nowadays it seems like everyone is doing this...well, at least it has 350 upvotes on askubuntu.com.



As I read various opinions on other sites, I'm finding that some people also think curl-pipe-sudo-bash is unsafe:



  • Phil. (idontplaydarts.com, 2016-04-19) Detecting the use of "curl | bash" server side

  • Stemm, Mark. (Sysdig.com, 2016-06-13) Friends don't let friends Curl | Bash.


  • Stackoverflow.com. (2015-04-01 and onward) Why using curl | sudo sh is not advised? (also linked from askubuntu)

while some people think it's just as safe as any other practical installation method:



  • McLellan, Bryan. (Github.com/btm, 2013-09-25) Why curl | sudo bash is good.

  • YCombinator.com. (2016-10-22 and onward) "Curl Bash piping" wall of shame.


  • Varda, Kenton. (Sandstorm.io, 2015-09-24) Is curl|bash insecure?.

There are also some that explore the problem without giving a decisive opinion:



  • Granquist, Lamont. (Chef.io, 2015-07-16) 5 Ways to Deal With the install.sh Curl Pipe Bash problem.

Since there's no clear consensus from other sites, I'm asking here: Is curl-pipe-sudo-bash a reasonably safe installation method, or does it carry unnecessary risks that can be avoided by some other method?










share|improve this question




























    4















    The most straightforward way to install NodeJS on Ubuntu or Debian seems to be Nodesource, whose installation instructions say to run:



    curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -


    This clashes with some basic security rules I learned long ago, such as "be suspicious of downloads" and "be cautious with sudo". However, I learned those rules long ago, and nowadays it seems like everyone is doing this...well, at least it has 350 upvotes on askubuntu.com.



    As I read various opinions on other sites, I'm finding that some people also think curl-pipe-sudo-bash is unsafe:



    • Phil. (idontplaydarts.com, 2016-04-19) Detecting the use of "curl | bash" server side

    • Stemm, Mark. (Sysdig.com, 2016-06-13) Friends don't let friends Curl | Bash.


    • Stackoverflow.com. (2015-04-01 and onward) Why using curl | sudo sh is not advised? (also linked from askubuntu)

    while some people think it's just as safe as any other practical installation method:



    • McLellan, Bryan. (Github.com/btm, 2013-09-25) Why curl | sudo bash is good.

    • YCombinator.com. (2016-10-22 and onward) "Curl Bash piping" wall of shame.


    • Varda, Kenton. (Sandstorm.io, 2015-09-24) Is curl|bash insecure?.

    There are also some that explore the problem without giving a decisive opinion:



    • Granquist, Lamont. (Chef.io, 2015-07-16) 5 Ways to Deal With the install.sh Curl Pipe Bash problem.

    Since there's no clear consensus from other sites, I'm asking here: Is curl-pipe-sudo-bash a reasonably safe installation method, or does it carry unnecessary risks that can be avoided by some other method?










    share|improve this question
























      4












      4








      4








      The most straightforward way to install NodeJS on Ubuntu or Debian seems to be Nodesource, whose installation instructions say to run:



      curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -


      This clashes with some basic security rules I learned long ago, such as "be suspicious of downloads" and "be cautious with sudo". However, I learned those rules long ago, and nowadays it seems like everyone is doing this...well, at least it has 350 upvotes on askubuntu.com.



      As I read various opinions on other sites, I'm finding that some people also think curl-pipe-sudo-bash is unsafe:



      • Phil. (idontplaydarts.com, 2016-04-19) Detecting the use of "curl | bash" server side

      • Stemm, Mark. (Sysdig.com, 2016-06-13) Friends don't let friends Curl | Bash.


      • Stackoverflow.com. (2015-04-01 and onward) Why using curl | sudo sh is not advised? (also linked from askubuntu)

      while some people think it's just as safe as any other practical installation method:



      • McLellan, Bryan. (Github.com/btm, 2013-09-25) Why curl | sudo bash is good.

      • YCombinator.com. (2016-10-22 and onward) "Curl Bash piping" wall of shame.


      • Varda, Kenton. (Sandstorm.io, 2015-09-24) Is curl|bash insecure?.

      There are also some that explore the problem without giving a decisive opinion:



      • Granquist, Lamont. (Chef.io, 2015-07-16) 5 Ways to Deal With the install.sh Curl Pipe Bash problem.

      Since there's no clear consensus from other sites, I'm asking here: Is curl-pipe-sudo-bash a reasonably safe installation method, or does it carry unnecessary risks that can be avoided by some other method?










      share|improve this question














      The most straightforward way to install NodeJS on Ubuntu or Debian seems to be Nodesource, whose installation instructions say to run:



      curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash -


      This clashes with some basic security rules I learned long ago, such as "be suspicious of downloads" and "be cautious with sudo". However, I learned those rules long ago, and nowadays it seems like everyone is doing this...well, at least it has 350 upvotes on askubuntu.com.



      As I read various opinions on other sites, I'm finding that some people also think curl-pipe-sudo-bash is unsafe:



      • Phil. (idontplaydarts.com, 2016-04-19) Detecting the use of "curl | bash" server side

      • Stemm, Mark. (Sysdig.com, 2016-06-13) Friends don't let friends Curl | Bash.


      • Stackoverflow.com. (2015-04-01 and onward) Why using curl | sudo sh is not advised? (also linked from askubuntu)

      while some people think it's just as safe as any other practical installation method:



      • McLellan, Bryan. (Github.com/btm, 2013-09-25) Why curl | sudo bash is good.

      • YCombinator.com. (2016-10-22 and onward) "Curl Bash piping" wall of shame.


      • Varda, Kenton. (Sandstorm.io, 2015-09-24) Is curl|bash insecure?.

      There are also some that explore the problem without giving a decisive opinion:



      • Granquist, Lamont. (Chef.io, 2015-07-16) 5 Ways to Deal With the install.sh Curl Pipe Bash problem.

      Since there's no clear consensus from other sites, I'm asking here: Is curl-pipe-sudo-bash a reasonably safe installation method, or does it carry unnecessary risks that can be avoided by some other method?







      curl sudo install






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 8 hours ago









      KruboKrubo

      1314 bronze badges




      1314 bronze badges




















          2 Answers
          2






          active

          oldest

          votes


















          4














          It it's about as safe as any other installation method as long as you:



          • Use HTTPS (and reject certificate errors)

          • Are confident in your certificate trust store

          • Trust the server you're downloading from

          You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.



          Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code.



          If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.



          As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no moreso than sudo apt install ....






          share|improve this answer

























          • Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

            – CBHacking
            3 hours ago











          • @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

            – Nic Hartley
            2 hours ago











          • Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

            – CBHacking
            1 hour ago


















          0














          Submitting an answer to my own question. Not sure if this is the best answer, but I'm hoping other answers will address these points.



          curl something | sudo bash - on Linux is equally safe as downloading something on Windows and right-clicking run as administrator. This may or may not be 'reasonably safe'. As a recent xkcd suggests, nobody really knows how bad computer security is these days.



          Several risks of this method can easily be solved by verifying the download integrity before running it. Since doing so is simple, there's no good reason to skip this step. The goal here is to ensure that what you have downloaded is what the publisher intended. This doesn't guarantee that the software is free of its own vulnerabilities, but it should at least protect against simple attacks that replace the download with malware. The essence is simply to verify the MD5 and SHA256 checksums posted by the software publisher. Some further improvements are possible:



          • It's better to get these checksums via a different network path, such as by calling a friend in another country, which would protect against MITM attacks.

          • It's better to get the checksums at least a day earlier/later, which would protect in case the publisher's website was briefly taken over but the takeover was stopped within a day.

          • It's better to verify the checksums themselves using GPG, which would protect in case the publisher's website was compromised but their GPG private key wasn't.

          One side comment: Some sites say you should download the sh script and then inspect it before running it. Unfortunately, this gives a false sense of security unless you vet the script with a practically impossible level of precision. The shell script is probably a few hundred lines, and very tiny changes (such as an obfuscated one-character change to a URL) can convert a shell script into a malware installer.






          share|improve this answer



























            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "162"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213401%2fis-curl-something-sudo-bash-a-reasonably-safe-installation-method%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            4














            It it's about as safe as any other installation method as long as you:



            • Use HTTPS (and reject certificate errors)

            • Are confident in your certificate trust store

            • Trust the server you're downloading from

            You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.



            Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code.



            If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.



            As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no moreso than sudo apt install ....






            share|improve this answer

























            • Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

              – CBHacking
              3 hours ago











            • @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

              – Nic Hartley
              2 hours ago











            • Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

              – CBHacking
              1 hour ago















            4














            It it's about as safe as any other installation method as long as you:



            • Use HTTPS (and reject certificate errors)

            • Are confident in your certificate trust store

            • Trust the server you're downloading from

            You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.



            Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code.



            If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.



            As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no moreso than sudo apt install ....






            share|improve this answer

























            • Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

              – CBHacking
              3 hours ago











            • @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

              – Nic Hartley
              2 hours ago











            • Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

              – CBHacking
              1 hour ago













            4












            4








            4







            It it's about as safe as any other installation method as long as you:



            • Use HTTPS (and reject certificate errors)

            • Are confident in your certificate trust store

            • Trust the server you're downloading from

            You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.



            Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code.



            If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.



            As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no moreso than sudo apt install ....






            share|improve this answer















            It it's about as safe as any other installation method as long as you:



            • Use HTTPS (and reject certificate errors)

            • Are confident in your certificate trust store

            • Trust the server you're downloading from

            You can, and should, separate the steps out -- download the script, inspect it, and see if it's doing anything fishy. This is a good idea. It won't hurt anything if you do it and you might catch a compromise, which you can report to the source and the community at large. Be prepared to dig through quite a lot of Bash, if my experience with such things is any indicator.



            Be aware that if the server (deb.nodesource.com) is compromised, you basically have no recourse. Many package managers offer to verify GPG signatures on packages, and even though a fundamental part of the keysigning architecture is broken, this does still by and large work. You can manually specify the CA for wget and curl, though this only proves you're really connecting to that server, not that the server is serving safe code.



            If you're worried about arbitrary code execution, APT definitely allows that, and I'm fairly confident both Homebrew and Yum do as well. So comparatively, it's not unsafe. This method allows greater visibility; you know precisely what's happening: A file is being downloaded, and then interpreted by Bash as a script. Odds are good you have enough knowledge already to start investigating the script. At worst, the Bash may call another language you don't know, or download and run a compiled executable, but even those actions can be noticed beforehand and, if you're so inclined, investigated.



            As a side note, given that a lot of the time you need to install things with sudo, I don't see its use here as any special concern. It's mildly disconcerting, yes, but no moreso than sudo apt install ....







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited 2 hours ago

























            answered 7 hours ago









            Nic HartleyNic Hartley

            1,1499 silver badges19 bronze badges




            1,1499 silver badges19 bronze badges












            • Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

              – CBHacking
              3 hours ago











            • @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

              – Nic Hartley
              2 hours ago











            • Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

              – CBHacking
              1 hour ago

















            • Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

              – CBHacking
              3 hours ago











            • @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

              – Nic Hartley
              2 hours ago











            • Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

              – CBHacking
              1 hour ago
















            Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

            – CBHacking
            3 hours ago





            Upvoted, but you did miss a few important considerations. 1) Make sure the source of the download is trustworthy (not some fly-by-night domain - HTTPS is free these days, and never did mean a domain wasn't malicious - or a writable file in some cloud or anything). 2) Bear in mind that you're trusting the server absolutely, which is not necessary. Linux package managers (for example) usually support and sometimes require a GPG signature or similar, so even if somebody compromised the server and replaced the package, it would get rejected. Bash has no such protection.

            – CBHacking
            3 hours ago













            @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

            – Nic Hartley
            2 hours ago





            @CBHacking I addressed the first point in the second to last paragraph, but I'll make it more prominent. You're right, that's important. For the second, good point, and also a question: How do you get the public keys, out of curiosity? From the normal network? That's a serious question, not some sarcastic setup; has that issue been fixed, or will trying to use the global keyserver network still make things die?

            – Nic Hartley
            2 hours ago













            Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

            – CBHacking
            1 hour ago





            Getting the GPG public keys is still kind of a mess, yeah. You could treat the keys that come with the OS as the start of a trust chain, but I don't think that's how it's done in practice. It at least requires more effort from the attacker, though; they need to not only replace the package, but also replace the keyfile. PKI-based code signing is debatably more secure - at least you can check who issued (signed) the cert and see if you trust them, which is sort of theoretically possible with GPG but in practice basically never happens - but the FOSS community doesn't generally go in for that.

            – CBHacking
            1 hour ago













            0














            Submitting an answer to my own question. Not sure if this is the best answer, but I'm hoping other answers will address these points.



            curl something | sudo bash - on Linux is equally safe as downloading something on Windows and right-clicking run as administrator. This may or may not be 'reasonably safe'. As a recent xkcd suggests, nobody really knows how bad computer security is these days.



            Several risks of this method can easily be solved by verifying the download integrity before running it. Since doing so is simple, there's no good reason to skip this step. The goal here is to ensure that what you have downloaded is what the publisher intended. This doesn't guarantee that the software is free of its own vulnerabilities, but it should at least protect against simple attacks that replace the download with malware. The essence is simply to verify the MD5 and SHA256 checksums posted by the software publisher. Some further improvements are possible:



            • It's better to get these checksums via a different network path, such as by calling a friend in another country, which would protect against MITM attacks.

            • It's better to get the checksums at least a day earlier/later, which would protect in case the publisher's website was briefly taken over but the takeover was stopped within a day.

            • It's better to verify the checksums themselves using GPG, which would protect in case the publisher's website was compromised but their GPG private key wasn't.

            One side comment: Some sites say you should download the sh script and then inspect it before running it. Unfortunately, this gives a false sense of security unless you vet the script with a practically impossible level of precision. The shell script is probably a few hundred lines, and very tiny changes (such as an obfuscated one-character change to a URL) can convert a shell script into a malware installer.






            share|improve this answer





























              0














              Submitting an answer to my own question. Not sure if this is the best answer, but I'm hoping other answers will address these points.



              curl something | sudo bash - on Linux is equally safe as downloading something on Windows and right-clicking run as administrator. This may or may not be 'reasonably safe'. As a recent xkcd suggests, nobody really knows how bad computer security is these days.



              Several risks of this method can easily be solved by verifying the download integrity before running it. Since doing so is simple, there's no good reason to skip this step. The goal here is to ensure that what you have downloaded is what the publisher intended. This doesn't guarantee that the software is free of its own vulnerabilities, but it should at least protect against simple attacks that replace the download with malware. The essence is simply to verify the MD5 and SHA256 checksums posted by the software publisher. Some further improvements are possible:



              • It's better to get these checksums via a different network path, such as by calling a friend in another country, which would protect against MITM attacks.

              • It's better to get the checksums at least a day earlier/later, which would protect in case the publisher's website was briefly taken over but the takeover was stopped within a day.

              • It's better to verify the checksums themselves using GPG, which would protect in case the publisher's website was compromised but their GPG private key wasn't.

              One side comment: Some sites say you should download the sh script and then inspect it before running it. Unfortunately, this gives a false sense of security unless you vet the script with a practically impossible level of precision. The shell script is probably a few hundred lines, and very tiny changes (such as an obfuscated one-character change to a URL) can convert a shell script into a malware installer.






              share|improve this answer



























                0












                0








                0







                Submitting an answer to my own question. Not sure if this is the best answer, but I'm hoping other answers will address these points.



                curl something | sudo bash - on Linux is equally safe as downloading something on Windows and right-clicking run as administrator. This may or may not be 'reasonably safe'. As a recent xkcd suggests, nobody really knows how bad computer security is these days.



                Several risks of this method can easily be solved by verifying the download integrity before running it. Since doing so is simple, there's no good reason to skip this step. The goal here is to ensure that what you have downloaded is what the publisher intended. This doesn't guarantee that the software is free of its own vulnerabilities, but it should at least protect against simple attacks that replace the download with malware. The essence is simply to verify the MD5 and SHA256 checksums posted by the software publisher. Some further improvements are possible:



                • It's better to get these checksums via a different network path, such as by calling a friend in another country, which would protect against MITM attacks.

                • It's better to get the checksums at least a day earlier/later, which would protect in case the publisher's website was briefly taken over but the takeover was stopped within a day.

                • It's better to verify the checksums themselves using GPG, which would protect in case the publisher's website was compromised but their GPG private key wasn't.

                One side comment: Some sites say you should download the sh script and then inspect it before running it. Unfortunately, this gives a false sense of security unless you vet the script with a practically impossible level of precision. The shell script is probably a few hundred lines, and very tiny changes (such as an obfuscated one-character change to a URL) can convert a shell script into a malware installer.






                share|improve this answer















                Submitting an answer to my own question. Not sure if this is the best answer, but I'm hoping other answers will address these points.



                curl something | sudo bash - on Linux is equally safe as downloading something on Windows and right-clicking run as administrator. This may or may not be 'reasonably safe'. As a recent xkcd suggests, nobody really knows how bad computer security is these days.



                Several risks of this method can easily be solved by verifying the download integrity before running it. Since doing so is simple, there's no good reason to skip this step. The goal here is to ensure that what you have downloaded is what the publisher intended. This doesn't guarantee that the software is free of its own vulnerabilities, but it should at least protect against simple attacks that replace the download with malware. The essence is simply to verify the MD5 and SHA256 checksums posted by the software publisher. Some further improvements are possible:



                • It's better to get these checksums via a different network path, such as by calling a friend in another country, which would protect against MITM attacks.

                • It's better to get the checksums at least a day earlier/later, which would protect in case the publisher's website was briefly taken over but the takeover was stopped within a day.

                • It's better to verify the checksums themselves using GPG, which would protect in case the publisher's website was compromised but their GPG private key wasn't.

                One side comment: Some sites say you should download the sh script and then inspect it before running it. Unfortunately, this gives a false sense of security unless you vet the script with a practically impossible level of precision. The shell script is probably a few hundred lines, and very tiny changes (such as an obfuscated one-character change to a URL) can convert a shell script into a malware installer.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited 2 hours ago

























                answered 2 hours ago









                KruboKrubo

                1314 bronze badges




                1314 bronze badges



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Information Security Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213401%2fis-curl-something-sudo-bash-a-reasonably-safe-installation-method%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

                    Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

                    199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單