4

Most installation scripts these days have this particular pattern:

curl -fsSL <url> | sh --- and usually run as root

Some sites might even have a disclaimer about running this as root and to check for errors. However, this isn't very secure, you're depending on the CA infrastructure and https to provide security. Why are sites doing it this way when you could, in addition to having transport over https, have them as signed releases as well - wouldn't non-repudiation as well as file integrity be better? What do most administrators do after downloading this.

munchkin
  • 123
  • The next step is probably using the software? What's the question here? – Panki Mar 15 '19 at 10:36
  • @Panki OP wants to know why it is fairly common practice nowadays to download unsigned executable files from the Internet and execute them as root without checking their signature, like here. Note that some websites, such as Docker, urge the users to check the downloaded unsigned file to make sure it hadn't been tampered with. Note that the topic is not new and you can find many "contra" and "pro" arguments by looking up "curl sudo sh" in Google. – undercat Mar 15 '19 at 11:00
  • But those do not have any real action steps to take. There's the usual, download it first and inspect, but i'd much prefer them to be signed and distributed with their signatures. Sure hkps also depends on https for transport, so if it breaks there, then that would also be a problem, but there should be a move away from this curl installation pattern. – munchkin Mar 15 '19 at 11:32
  • https://unix.stackexchange.com/questions/46286/ is a better question. This question is just vague and confusing, especially the part where it asks why rely upon HTTPS for security when using HTTPS is better. – JdeBP Mar 15 '19 at 17:50
  • I've changed the last part. The point is to have signed releases as downloads as well. That way you can know an organisation or a person is responsible for serving the file. And with a signed release, the end user is able to use this as a second factor to determine the authenticity of the file, i.e on another computer, through another link, independently verify the hash of the download. – munchkin Mar 19 '19 at 08:27

2 Answers2

3

I don't know what most administrators do after that, but I can tell you what I do before executing something like that: I look for a package for the distribution I intend to use, and if I do not find one satisfying my requirements, either

  • I'll create a new sandbox, install the software there and check what the installation did and the software does, or
  • I'll create a new sandbox and install it there, if someone higher up on the hierarchy tells me so, or
  • I do not install it.

But that's me, and I really do not care whether this software package is signed or not. My threat model includes the software developers, especially if I can be sure no distributor ever had a look on the software.

but there should be a move away from this curl installation pattern.

Yes. There should. But there isn't, and I can understand software developers offering that way of installation, since creating packages for all relevant Linux distributions and three or four BSDs sucks. It sucks even worse than it did 15 years ago.

Toby Speight
  • 8,678
Uwe Ohse
  • 142
0

Generally the curl URL(script) | sh will download and execute a shell script (install script) , it is an automated script to easily install a program, it will execute some tasks e,g : checking the dependencies, create/delete directories, asking for the root password, adding repositories, downloading the appropriate program version to your linux distro ...

The best practices before executing the install script.

  1. Download the script (the first part of the command) curl url(script)
  2. Inspect the content of the script with your text editor (or cat , less ...)
  3. Execute the install script sudo bash script , sudo sh script ...

This is a bash script example to install node.js : curl -sL https://deb.nodesource.com/setup_9.x which contain the usage instructions.

The best practices after executing the install script.

After executing the install script the program will be installed on your system. If the setup script doesn't include a way to update the program ( a repository to apply the updates automatically through the package manager , a cron job ... ) it is better to consult the web-page of the maintainer.

GAD3R
  • 66,769