| ▲ | SkiFire13 2 days ago |
| What would you consider a safer behaviour for downloading programs from the internet? |
|
| ▲ | mingus88 2 days ago | parent | next [-] |
| You are essentially asking what is safer than running arbitrary code from the internet sight unseen directly into your shell and I guess my answer would be any other standard installation method! The OS usually has guardrails and logging and audits for what is installed but this bypasses it all. When you look at this from an attackers perspective, it’s heaven. My mom recently got fooled by a scammer that convinced her to install remote access software. This curl pattern is the exact same vector, and it’s nuts to see it become commonplace |
| |
| ▲ | SkiFire13 a day ago | parent | next [-] | | > You are essentially asking what is safer than running arbitrary code from the internet No, I'm asking what is a safer method when I want to install some code from the internet. > The OS usually has guardrails and logging and audits for what is installed but this bypasses it all. Not everything is packaged or up-to-date in the OS > My mom recently got fooled by a scammer that convinced her to install remote access software. Remote access software are packaged in distros too. | |
| ▲ | thayne a day ago | parent | prev [-] | | > My mom recently got fooled by a scammer that convinced her to install remote access software. But I bet she didn't install it with curl piped to bash. The point isn't that curl|bash is safe, but that it isn't inherently more dangerous than downloading and running a program. |
|
|
| ▲ | thewebguyd 2 days ago | parent | prev | next [-] |
| Use your distro's package manager and repos first and foremost. Flatpak is also a viable alternative to distribution, and if enabled, comes along with some level of sandboxing at least. "Back in the day" we cloned the source code and compiled ourself instead of distributing binaries & install scripts. But yeah, the problem around curl | bash isn't the delivery method itself, it's the unsafe user behavior that generally comes along with it. It's the *nix equivalent of downloading an untrusted .exe from the net and running it, and there's no technical solution for educating users to be safe. Safer behavior IMO would be to continue to encourage the use of immutable distros (Fedora silverbue and others). RO /, user apps (mostly) sandboxed, and if you do need to run anything untrusted, it happens inside a distrobox container. |
| |
| ▲ | BHSPitMonkey 2 days ago | parent | next [-] | | I've installed untold thousands of .deb packages in my lifetime - often "officially" packaged by Debian or Ubuntu, but in many cases also from a software vendor's own apt repository. Almost every one contains preinst or postinst scripts that are run as root, and yet I can count on zero hands the number of times I've opened one up first to see what it was actually doing. At least a curlbash that doesn't prompt me for my password is running as an unprivileged user! /shrug | |
| ▲ | sim7c00 2 days ago | parent | prev | next [-] | | a lot of useful packages are not in package managers, or are in old versions that lack features u need. so its quite common to need to get around that... | |
| ▲ | SkiFire13 a day ago | parent | prev | next [-] | | Getting every software into every distro is not feasible, it's a NxM problem. Sometimes this encourages the use of third-party repositories, which I would argue is even unsafer because it requires root access. Flatpak is a nice suggestion but unfortunately it doesn't seem to work nicely for CLIs. > "Back in the day" we cloned the source code and compiled ourself instead of distributing binaries & install scripts. Isn't that the same thing with the extra step of downloading a git repo? | |
| ▲ | papichulo2023 2 days ago | parent | prev | next [-] | | Funny enough clone and compile is easier now than ever before. You can ask a llm to create a docker to compile any random program and most of the time will be okay. | |
| ▲ | hsbauauvhabzb 2 days ago | parent | prev [-] | | R/O root means a a binary will fail to install, but won’t stop my homedir being backdoored in a DD Orion to the huge waste of time that attempting an RO root would be. |
|
|
| ▲ | bawolff 2 days ago | parent | prev | next [-] |
| Literally anything else. Keep in mind that its possible to detect when someone is doing curl | bash and only send the malicious code when curl is being piped, to make it very hard to detect. |
| |
| ▲ | SoftTalker 2 days ago | parent [-] | | curl | tee foo.sh and then inspect foo.sh and then (maybe) cat foo.sh | bash Does that avoid the issue? | | |
|
|
| ▲ | codedokode 2 days ago | parent | prev [-] |
| Software should run in a sandbox. Look at Android for example. |
