Linux

And don't forget to sudo!

It's convenience over security, something that creeps in anywhere there is popularity. For those who just want x or y to work without needing to spend their day in the terminal - they're great.

You'd expect these kinds of script to be well tested against their targets and for the user to have/identify the correct target. Their sources should at least point out the security issue and advise to grab and inspect before straight up piping it though. Some I have seen do this.

Running them like this means you put 100% trust in the author, the source and your DNS. Not a big ask for some. Unthinkable for others.

Yeah I hate this stuff too, I usually pipe it into a file figure out what it's doing and manually install the program from there.

FWIW I've never found anything malicious from these scripts but my internal dialogue starts screaming when I see these in the wild, I don't want to run some script and not know what it's touching malicious or not it's a PITA.

As a linux user, I like to know what's happening under the hood as best I can and these scripts go against that

curl | sudo bash Gang

How is that safe?

It's not, it's a sign that the authors don't take security seriously.

If you use this

I never do.

What's stopping the downloaded script from wiping my home directory? If you use this, how can you feel comfortable?

You're not wrong, but there's an element of trust in anything like this and it's all about your comfort level. How can you truly trust any code you didn't write and complie yourself. Actually, how do you trust the compiler.

And let's be honest, even if you trust my code implicitly (Hey, I'm a bofh, what could go wrong?) then that simply means that you're trusting me not to do anything malicious to your system.

Even if your trust is well-placed in that regard, I don't need to be malicious to wipe your system or introduce a configuation error that makes you vulnerable to others, it's perfectly possible to do all that by just being incompetent. Or even being a normally competent person who was just having a bad day while writing the script you're running now. Ooops.

To answer the question, no - you’re not the only one. People have written and talked about this extensively.

Personally, I think there’s a lot more nuance to the answer. Also a lot has been written about this.

You mention “communities that are security conscious”. I’m not sure in which ways you feel this practice to be less secure than alternatives. I tend to be pretty security conscious, to the point of sometimes being annoying to my team mates. I still use this installation method a lot where it makes sense, without too much worry. I also skip it other times.

Without knowing a bit more about your specific worries and for what kinds of threat you feel this technique is bad, it’s difficult to respond specifically.

Feel is fine, and if you’re uncomfortable with something, the answer is generally to either avoid it (by reading the script and executing the relevant commands yourself, or by skipping using this software altogether, for instance), or to understand why you’re uncomfortable and rationally assess whether that feeling is based on reality or imagination - or to which degree of each.

As usual, the real answer is - it depends.

Can you not just run the curl or wget without piping it into bash, first? This way you could inspect what the script wants to do.

I usually just take a look at the code with a get request. Then if it looks good, then run manually. Most of the time, it's fine. Sometimes there's something that would break something on the system.

I haven't seen anything explicitly nefarious, but it's better to be safe than sorry.