HACKER Q&A
📣 distcs

Why is curl | sh so frowned upon?


I'd like to know why curl | sh is so frowned upon on community forums. Is the risk of being compromised with curl | sh higher than wget; sh?

When I install software the normal way (without curl | sh), I don't audit the complete source code of the software anyway. So in either case I have to trust the domain that is serving me the software.

Then if curl | sh is frowned upon, should wget and sh and other ways of installing software be also frowned upon?


  👤 jjgreen Accepted Answer ✓
Because the use of "piping to a shell" can be detected server-side, so if compromised, it can serve hostile code only in that case. And you don't have a record of that hostile code.

    I'd like to know why curl | sh is so frowned upon on community forums.
That depends on the community; mentioning that Rust encourages the practice will typically earn downvotes on this list.

👤 johnklos
Think about it: if you don't see, can't see, and have no record about what's run (because what's downloaded and run isn't saved), you're just making your computer untrustworthy, especially if you're piping to a root shell.

At least if you download the file before you run it, you can check the checksum / do a sanity check of the file before you run it, as others have mentioned.

But nobody is saying or has ever said that it has anything at all to do with the download tool. Piping wget versus curl makes zero difference. Also, suggesting that installing via sh is a related issue is completely incorrect thinking. You might as well suggest that using a keyboard on your computer can be frowned upon since doing things on a keyboard could lead to compromise. The statement is true, but ridiculous and not helpful.


👤 gryfft
Even if you don't actually audit the source, you can at least check the checksums.

A malicious host (or a malicious actor who has compromised a trusted host) can detect that you're piping to bash in a few ways, and then by modifying the response, they're executing commands undetectably outside your shell history, potentially setting up reverse shells, installing rootkits etc.

If you're doing it in a sealed environment... Still yikes honestly. I would prefer acquiring software from auditable sources.


👤 hayst4ck
I don't think I would ever do that in a production environment. Maybe on my personal laptop.

It's just not great from a security and trust point of view.

It's also important to remember that bit-squatting is a thing, and just because you think you're making a request to github.com doesn't mean you are, a bit might flip from gamma rays or heat and you end up requesting a shell script from jithub that can now straight own your machine.

Use an `http` url or ignore cert warnings? The great firewall of china or someone who's owned the cafe you are sitting in can own your machine.

It also sidesteps the hygiene of checksumming the resources you download to ensure that the thing you downloaded is what you expected to download.

Copy-pasting things from the web and putting them on your terminal is also considered insecure: https://www.wizer-training.com/blog/copy-paste

That's also ignoring that you can curl the wrong url and then pass a whole lot of crap to sh.

Here's a HN post on the topic that doesn't necessarily agree with me: https://news.ycombinator.com/item?id=12766049
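The alternative several answers describe (johnklos: download to a file first so you can checksum and inspect it; hayst4ck: refuse plain http and certificate warnings, and checksum what you fetched) as a small added example, not code from anyone in this thread. The URL and the expected digest are placeholders; the publisher's SHA-256 is assumed to be obtained from a page you trust, separately from the script itself.

```shell
#!/bin/sh
# Added example: fetch an installer to disk, verify it against a checksum
# published out of band, and only then hand it to sh. The point is that the
# script now exists as a file you can read and keep, instead of streaming
# straight into a shell where a server could serve something different.
set -eu

# Return 0 if FILE's SHA-256 hex digest equals EXPECTED, 1 otherwise.
verify_sha256() {
    file=$1
    expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')   # macOS/BSD
    fi
    [ "$actual" = "$expected" ]
}

# Download URL to a temp file, verify it, then run it (or refuse).
fetch_verify_run() {
    url=$1
    expected=$2
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    # --proto '=https' rejects http:// URLs and http redirects; -f turns HTTP
    # errors into failures; no -k, so a bad certificate aborts the download.
    curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "checksum mismatch for $url, not running it" >&2
        return 1
    fi
    # The file is on disk: read it (less "$tmp") or archive a copy before this.
    sh "$tmp"
}

# Usage with placeholders (not a real project or digest):
# fetch_verify_run https://example.invalid/install.sh \
#   0000000000000000000000000000000000000000000000000000000000000000
```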