this post was submitted on 13 Jul 2024
156 points (90.6% liked)

Open Source

31046 readers
465 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] Cube6392@beehaw.org 6 points 3 months ago* (last edited 3 months ago) (3 children)

Piping curl into sh in install instructions is a fast track to me not taking a project seriously

[–] delirious_owl@discuss.online 4 points 3 months ago (1 children)
[–] Cube6392@beehaw.org 2 points 3 months ago

Excited for Sublinks...

[–] gomp@lemmy.ml 2 points 3 months ago (2 children)

I've heard this over and over... what's the difference security-wise between sudo running some install script and sudo installing a .deb (or whatever package format) ?

[–] chebra@mstdn.io 2 points 3 months ago (1 children)

@gomp try comparing it with apt install, not with downloading a .deb file from a random website - that is obviously also very insecure. But the main thing curl|sh will never have is verifying the signature of the downloaded file - what if the server got compromised, and someone simply replaced it. You want to make sure that it comes from the actual author (you still need to trust the author, but that's a given, since you are running their code). Even a signed tarball is better than curl|sh.

[–] gomp@lemmy.ml 1 points 3 months ago (1 children)

Installing a .deb is what I was thinking about.

Even a signed tarball is better than curl|sh.

If you have a pre-shared trusted signature to check against (like with your distro's repos), yes. But... that's obviously not the case since we are talking installing software from the developer's website.

Whatever cryptografic signature you can get from the same potentially compromised website you get the software from would be worth as much as the usual md5/sha checksums (ie. it would only check against transmission errors).

[–] chebra@mstdn.io 1 points 3 months ago (1 children)

@gomp Why would you be taking the signature from the same website? Ever heard of PGP key servers?

[–] gomp@lemmy.ml 1 points 3 months ago (1 children)

That would be "a pre-shared trusted signature to check against", and is seldom available (in the real world where people live - yes, there are imaginary/ideal worlds where PGP is widespread and widely used) :)

[–] chebra@mstdn.io 1 points 3 months ago (1 children)

@gomp You mean, as seldom available as every apt install ever? https://superuser.com/a/990153

[–] gomp@lemmy.ml 1 points 3 months ago* (last edited 3 months ago) (1 children)

My bad for causing confusion: when I wrote "trusted signature" I should have said "trusted public key".

The signatures in an apt repo need to be verified with some public key (you can think of signatures as hashes encrypted with some private key).

For the software you install from your distro's "official" repo, that key came with the .iso back when you installed your system with (it may have been updated afterwards, but that's beyond the point here).

When you install from third-party repos, you have to manually trust the key (IIRC in Ubuntu it's something like curl <some-url> | sudo apt-key add -?). So, this key must be pre-shared (you usually get it from the dev's website) and trusted.

[–] chebra@mstdn.io 1 points 3 months ago

@gomp Yes but the point is that it comes from a different place and a different time, so for you to execute a compromised program, it would have to be compromised for a prolonged time without anyone else noticing. You are protected by the crowd. In curl|sh you are not protected from this at all

[–] Cube6392@beehaw.org 1 points 3 months ago (1 children)

A deb is just a zip file that gets unpacked to where your binaries go. A shell script you curl pipe into shell could contain literally any instructions

[–] gomp@lemmy.ml 2 points 3 months ago* (last edited 3 months ago) (1 children)

Binary packages have scripts (IIRC for .deb they are preinst/postinst to be run before/after installation and prerm/postrm before/after removal) that are run as root.

BTW the "unzip" part is also run as root, and a binary package can typically place stuff anywhere in your system (that's their job after all)... even if you used literal zip files they could still install a script in ways that would cause the OS to execute it.

[–] Cube6392@beehaw.org 1 points 3 months ago

Yeah I'm over simplifying on purpose here. The bottom line is piping into sh is dangerous

[–] mrus@lemmy.sdf.org 1 points 3 months ago

Just install it manually via cargo then.