Comment by rgoulter
14 hours ago
> Equivalent but just as unsafe.
To my understanding, the main difference between "curl directly to bash" and "curl to a temp file, then execute the temp file" is "the attacker could inject additional malicious commands when curl'd directly to bash".
If you're not going to then also read all the source code from the download script (& the source code used to produce the binaries), this suggests the attitude of "I mistrust anything I can't read; but will trust anything I could read (without having to read it)".
It seems more likely that malicious code would be in a precompiled binary, compared to malicious commands injected into "curl to bash". -- Though, if there have ever been any observed cases of a server injecting commands from "curl ... | tee foo | bash", I'd be curious to know about these.
>> Equivalent but just as unsafe.
> To my understanding, the main difference between "curl directly to bash" and "curl to a temp file, then execute the temp file"...
It's not a temp file in the sense of a regular file. `<()` is also a pipe, hence equivalent. `curl` and `bash` run concurrently.
Running one after the other wouldn't be all that much of an improvement anyway if it's done automatically. One really should manually review the script before running it.
There's another issue actually. You're streaming, so ask yourself what happens if the stream gets cut prematurely. I'll give you an example, consider how this line could be cut prematurely to create major issues.
A malicious attacker doesn't need to inject code, they can just detect the stream and use a line like the above to destroy your filesystem. Sure, you might preserve root but `rm -rf /home` is for all practical purposes destroying the computer's data for most people.
Or it doesn't have to be malicious. It can just happen. The best protection is writing functions since those have to be created and so can't execute until fully streamed. But so much bash is poorly written that well... just check out Anthropic's install script...
Saving the source code still has a benefit. If something does go wrong you can go read it. Probably a good place to start tbh. In fact, if you're streaming and something goes wrong you'll see exactly what the early termination error did.
Is it good security practice? Absolutely not. Is it a hundred times better than curl-pipe-bash? Absolutely.
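The truncated-stream failure mode discussed above, and the function-wrapping mitigation, can be reproduced without any network or destructive commands. The script below is an added example and is not part of the thread or of any real install script: it simulates a download that drops mid-line by feeding a cut-off script body to `bash` over a pipe, then reports which side effects landed in a scratch directory. All scripts, paths and the `run_truncated` helper are constructed for the demo. Expansions inside the sample installers are deliberately left unquoted to mirror the shape of the `rm -rf /home/...` case (cutting `$WORK/out/nested` down to `$WORK/out`), which assumes a temp path without whitespace.

```shell
#!/usr/bin/env bash
# Constructed demo: why a stream cut mid-line in "curl | bash" executes a
# partial command, and why wrapping the body in a function prevents that.
# Nothing here fetches anything; the "installers" only create directories.

# Installer written the common way: every line runs as soon as bash reads it.
unwrapped_script() {
  cat <<'EOF'
mkdir -p $WORK/out/nested
touch $WORK/out/nested/done
EOF
}

# Same actions wrapped in a function that is invoked only on the final line.
# bash has to parse the whole body before any of it can run, so a stream that
# ends inside the braces is a syntax error rather than a partial install.
wrapped_script() {
  cat <<'EOF'
main() {
  mkdir -p $WORK/out/nested
  touch $WORK/out/nested/done
}
main "$@"
EOF
}

# Simulate a dropped connection: cut the script right after the first
# occurrence of MARKER (empty MARKER = full stream), pipe it into bash with
# no trailing newline, then classify what happened in a scratch directory.
# Prints: none | partial | complete
run_truncated() {
  generator="$1"
  marker="$2"
  script=$("$generator")
  if [ -n "$marker" ]; then
    # Everything before the first MARKER, plus MARKER itself.
    script="${script%%"$marker"*}$marker"
  fi
  work=$(mktemp -d)
  # bash executes the last line even without a newline; errors are expected
  # for the wrapped/truncated case, so do not let them abort the demo.
  printf '%s' "$script" | WORK="$work" bash 2>/dev/null || true
  if [ -e "$work/out/nested/done" ]; then
    result=complete
  elif [ -d "$work/out" ]; then
    result=partial      # the cut-down command ran and touched the filesystem
  else
    result=none         # nothing executed
  fi
  rm -r -- "$work"
  printf '%s\n' "$result"
}

printf 'unwrapped, stream cut after "out": %s\n' "$(run_truncated unwrapped_script out)"
printf 'wrapped,   stream cut after "out": %s\n' "$(run_truncated wrapped_script out)"
printf 'unwrapped, full stream:            %s\n' "$(run_truncated unwrapped_script "")"
printf 'wrapped,   full stream:            %s\n' "$(run_truncated wrapped_script "")"
```

The unwrapped installer cut after `out` leaves a stray `out` directory behind, because `mkdir -p $WORK/out` is a complete, valid command on its own; the wrapped installer cut at the same point does nothing at all. The same holds for a complete stream: both variants finish identically, so the wrapper costs nothing and only removes the partial-execution case. It does not address a malicious script or the trust question raised earlier in the thread; reading the saved file before running it is still the only answer to that.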