| ▲ | mingus88 2 days ago |
| My problem with it is that it encourages unsafe behavior. How many times will a novice user follow that pattern until some jerk on discord drops a curl|bash and gets hits IRC used to be a battlefield for these kinds of tricks and we have legit projects like homebrew training users it’s normal to raw dog arbitrary code direcly into your environment |
|
| ▲ | SkiFire13 2 days ago | parent | next [-] |
| What would you consider a safer behaviour for downloading programs from the internet? |
| |
| ▲ | mingus88 2 days ago | parent | next [-] | | You are essentially asking what is safer than running arbitrary code from the internet sight unseen directly into your shell and I guess my answer would be any other standard installation method! The OS usually has guardrails and logging and audits for what is installed but this bypasses it all. When you look at this from an attackers perspective, it’s heaven. My mom recently got fooled by a scammer that convinced her to install remote access software. This curl pattern is the exact same vector, and it’s nuts to see it become commonplace | | |
| ▲ | SkiFire13 a day ago | parent | next [-] | | > You are essentially asking what is safer than running arbitrary code from the internet No, I'm asking what is a safer method when I want to install some code from the internet. > The OS usually has guardrails and logging and audits for what is installed but this bypasses it all. Not everything is packaged or up-to-date in the OS > My mom recently got fooled by a scammer that convinced her to install remote access software. Remote access software are packaged in distros too. | |
| ▲ | thayne a day ago | parent | prev [-] | | > My mom recently got fooled by a scammer that convinced her to install remote access software. But I bet she didn't install it with curl piped to bash. The point isn't that curl|bash is safe, but that it isn't inherently more dangerous than downloading and running a program. |
| |
| ▲ | thewebguyd 2 days ago | parent | prev | next [-] | | Use your distro's package manager and repos first and foremost. Flatpak is also a viable alternative to distribution, and if enabled, comes along with some level of sandboxing at least. "Back in the day" we cloned the source code and compiled ourself instead of distributing binaries & install scripts. But yeah, the problem around curl | bash isn't the delivery method itself, it's the unsafe user behavior that generally comes along with it. It's the *nix equivalent of downloading an untrusted .exe from the net and running it, and there's no technical solution for educating users to be safe. Safer behavior IMO would be to continue to encourage the use of immutable distros (Fedora silverbue and others). RO /, user apps (mostly) sandboxed, and if you do need to run anything untrusted, it happens inside a distrobox container. | | |
| ▲ | BHSPitMonkey 2 days ago | parent | next [-] | | I've installed untold thousands of .deb packages in my lifetime - often "officially" packaged by Debian or Ubuntu, but in many cases also from a software vendor's own apt repository. Almost every one contains preinst or postinst scripts that are run as root, and yet I can count on zero hands the number of times I've opened one up first to see what it was actually doing. At least a curlbash that doesn't prompt me for my password is running as an unprivileged user! /shrug | |
| ▲ | sim7c00 2 days ago | parent | prev | next [-] | | a lot of useful packages are not in package managers, or are in old versions that lack features u need. so its quite common to need to get around that... | |
| ▲ | SkiFire13 a day ago | parent | prev | next [-] | | Getting every software into every distro is not feasible, it's a NxM problem. Sometimes this encourages the use of third-party repositories, which I would argue is even unsafer because it requires root access. Flatpak is a nice suggestion but unfortunately it doesn't seem to work nicely for CLIs. > "Back in the day" we cloned the source code and compiled ourself instead of distributing binaries & install scripts. Isn't that the same thing with the extra step of downloading a git repo? | |
| ▲ | papichulo2023 2 days ago | parent | prev | next [-] | | Funny enough clone and compile is easier now than ever before. You can ask a llm to create a docker to compile any random program and most of the time will be okay. | |
| ▲ | hsbauauvhabzb 2 days ago | parent | prev [-] | | R/O root means a a binary will fail to install, but won’t stop my homedir being backdoored in a DD Orion to the huge waste of time that attempting an RO root would be. |
| |
| ▲ | bawolff 2 days ago | parent | prev | next [-] | | Literally anything else. Keep in mind that its possible to detect when someone is doing curl | bash and only send the malicious code when curl is being piped, to make it very hard to detect. | | |
| ▲ | SoftTalker 2 days ago | parent [-] | | curl | tee foo.sh and then inspect foo.sh and then (maybe) cat foo.sh | bash Does that avoid the issue? | | |
| |
| ▲ | codedokode 2 days ago | parent | prev [-] | | Software should run in a sandbox. Look at Android for example. |
|
|
| ▲ | troupo 2 days ago | parent | prev [-] |
| > My problem with it is that it encourages unsafe behavior. Then why don't Linux distributions encourage safe behaviour? Why do you still need sudo permissions to install anything on most Linux systems? > How many times will a novice user follow that pattern until some jerk on discord I'm not a novice user and I will use this pattern because it's frankly easier and faster, especially when the current distro doesn't have some combination of things installed, or doesn't have certain packages, or... |
| |
| ▲ | keyringlight 2 days ago | parent | next [-] | | I think a lot of this comes down to assumptions about the audience and something along the lines of "it's not a problem until it is". It's one aspect I wonder about with migrants from windows, and all the assumptions or habits they bring with them. Microsoft has been trying to put various safety rails around users for the past 20 years since they started taking security more seriously with xp, and that gets pushback every time they try and restrict or warn. | |
| ▲ | ChocolateGod 2 days ago | parent | prev | next [-] | | > Why do you still need sudo permissions to install anything on most Linux systems? You don't with Flatpak or rootless containers, that's partially why they're being pushed so much. They don't rely on setuid for it either | | |
| ▲ | johnisgood 2 days ago | parent [-] | | Flatpak and AppImage. Or download & compile & install to a PREFIX (e.g. ~/.local/pkg/), and use a symlink-manager to install to e.g. ~/local (and set MANPATH accordingly, too). Make sure PATH contains ~/.local/bin, etc. It does not work with Electron apps though. I do "alias foo="cd ... && ./foo". |
| |
| ▲ | aragilar a day ago | parent | prev | next [-] | | Because you're making system-wide changes which affect more than just your user? There are and there has been distros that install per user, but at some level something needs to manage the hardware and interfaces to it. | | |
| ▲ | troupo a day ago | parent [-] | | > Because you're making system-wide changes which affect more than just your user? Am I? How am I affecting other users by installing something for myself? Even Windows has had "Install just for this user or all users?" for decades |
| |
| ▲ | mingus88 2 days ago | parent | prev | next [-] | | I’m not a novice user anymore either, but I care about my security and privacy. When I see a package from a repo, I have some level of trust. Same with a single binary from GitHub. When I see a curl|bash I open it up and look at it. Who knows what the heck is doing. It does not save me any time and in fact is a huge waste of time to wade through random shell scripts which follow a dozen different conventions because shell is ugly. Yes you could argue an OS package runs scripts too that are even harder to audit but those are versioned and signed and repos have maintainers and all kinds of things that some random http GET will never support. You don’t care? Cool. Doesn’t mean it’s good or safe or even convenient for me. | | |
| ▲ | troupo a day ago | parent [-] | | Repos and maintainers etc. are just a long unauditable supply chain [1]. And everyone is encouraged to blindly trust this chain with sudo access. It's worse than that. If your distro doesn't have some package, you're encouraged to just add PPA repos and blindly trust those. Quite a few companies run their own repos as well, and adding their packages is again `sudo add repo; sudo install` Yes, it's not as egregious as just `curl | bash`, but it's not as far removed from it as you think. [1] E.g. https://en.wikipedia.org/wiki/XZ_Utils_backdoor |
| |
| ▲ | umanwizard 2 days ago | parent | prev [-] | | > Why do you still need sudo permissions to install anything on most Linux systems Not guix :) One of the coolest things about it. |
|
