Don't Pipe to your Shell

271 points by bqe, over 11 years ago

26 comments

endgame, over 11 years ago
The amount of projects that do this is absurd. People have been saying this for ages and nobody seems to listen. You could have all sorts of fun based on the user agent, as well: if it looks like a normal browser, send the harmless script. If it's curl or wget, prepend "echo 'I hope you are not going to pipe this into /bin/sh'; exit 1".

BTW: If you want ULTIMATE BRAVERY, you have to boot an arbitrary kernel over the internet: http://ipxe.org/ (scroll to the bottom, where it says `iPXE> chain http://boot.ipxe.org/demo/boot.php`)
bryanlarsen, over 11 years ago
What's the difference between piping to a shell and running a random executable or installing a random ppa? All 3 could do massive harm to your system.

One difference is that piping to a shell is a lot easier to inspect. So you could easily argue that piping to a shell is safer.

Heck, even downloading a source tarball and compiling it yourself isn't any safer unless you actually inspect that source. And who does that?
FiloSottile, over 11 years ago
Also, no one has mentioned yet that not doing it over HTTPS with a client that checks certificates (you would be surprised at how many tools get this wrong, sometimes or always) is a complete code execution MitM vulnerability.

It is like giving away all the security built everywhere else and yelling "YOLO".
codezero, over 11 years ago
This keeps coming up on Hacker News, and while I'm sure the people on Hacker News know this is bad, they probably still do it anyways because it's never had an adverse effect for them.

Speaking for myself, this has never caused a problem for me, and I'll probably keep doing it because it's convenient and that convenience is more valuable weighed against the potential bad things that could happen. Most likely is the case that the package just doesn't execute. The probability that it ends up on rm or something destructive is probably very low, and if someone is actively trying to MITM you, they will find a way if you are smart enough not to run scripts from wget; most people aren't the target of this kind of very specific attack.

Like Apple's TouchID: it may not really be secure, but it's very convenient, and that will often be enough to make it mainstream.
minikomi, over 11 years ago
Russian Roulette as a Service:

- A curl endpoint, piped to shell.
- 5 times out of 6, the result is echo "click"
- The other time, is something more sinister.
Filligree, over 11 years ago
I would rather people not pipe to shells at all. It doesn't sound very secure. But if you have to do it, there are ways to avoid half-executed scripts:

foo() { ... }
alinajaf, over 11 years ago
If I were trying to get a shell on the boxes of as many startups as possible, here's what I'd do:

1. Create a new library, rubygem, infrastructure thingie that was genuinely useful but had a non-trivial setup process.

2. To aid in that setup process, create a script that I recommend be piped into your shell.

3. Somewhere in the middle of that script, silently tar up everything in the user's .ssh/ directory and send it somewhere I can see it.
StefanKarpinski, over 11 years ago
Piping commands from the network may be a bad idea, but I pipe to my shell locally all the time. The idea is that you write a shell loop that prints a bunch of commands using `echo` and then once the commands look right, you pipe them to `sh -v`. It's great for the exact *opposite* reason piping from the network is awful: you can see what you're about to execute before you execute anything. I don't trust myself to write complicated shell loops without seeing what I'm about to run first.
xfs, over 11 years ago
Before piping to your shell, don't copy-paste from website to terminal. https://news.ycombinator.com/item?id=5508225
cbsmith, over 11 years ago
Unfortunately he's got this wrong. As long as the server returns a content length (which is up to the project to set up correctly), wget will retry until it gets the full length of the script. So the partial execute can't happen.

That's really about as well as you can do, because HTTP doesn't do a good job of reporting errors. You could try to get the content length in advance and then check against it after the download (which is basically what wget is doing), but that won't buy you much. Most servers won't do Content-MD5, so that's out. One smart thing to do would be to use "Accept-Encoding" to download a compressed version of the script and then do a decompression test before running. Alternatively, you can make the download script into a shell archive style script, such that it doesn't do anything until you get to the last byte, at which point it extracts out the *real* script and runs it (which wouldn't change what your install command is).

The whining about disabling the certificate check is also spurious. Most of the time these are scripts pointing to a non-https URL but which redirect to an HTTPS URL. You are already vulnerable when you do the HTTP request. On top of that, almost nobody is doing DNSSec, so you are already vulnerable at the DNS level. Even ignoring *that*, Salt offers it as a solution *if* you can't get the certificate check to work. The alternative would be to provide you with instructions on how to install a CA certificate, which someone is far more likely to screw up and unless you've established trust of the instructions themselves, could be just as vulnerable to a man-in-the-middle attack. Offering instructions on how to disable the check is a perfectly reasonable solution.
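An added example, not from the thread or any of the projects mentioned in it, showing the partial-execution behaviour Filligree and cbsmith describe: an install script whose body sits inside a function that is only called on the last line does nothing when the transfer is cut off, while a straight-line script runs whatever lines arrived. Both scripts are constructed here and the cut-off is simulated with `head -c`.

```shell
#!/bin/sh
# Added example, not from the thread: why wrapping an install script in a
# function that is only called on its last line protects against a truncated
# download being executed halfway through.

# Constructed install script in the "function wrapper" style. Nothing runs
# until the final line, so a cut-off transfer leaves the shell with an
# unfinished function definition (a syntax error) instead of side effects.
WRAPPED_SCRIPT='
main() {
    echo "step 1: configure"
    echo "step 2: install"
    echo "step 3: done"
}
main "$@"
'

# The same steps written top to bottom, as most install scripts are.
# The shell executes each line as soon as it has been read.
NAIVE_SCRIPT='
echo "step 1: configure"
echo "step 2: install"
echo "step 3: done"
'

# Simulate `curl URL | sh` where the connection drops after N bytes:
# feed only the first N bytes of the script to sh.
run_truncated() {
    printf '%s' "$1" | head -c "$2" | sh 2>/dev/null
}

# Count how many install steps actually ran for a script cut off after N bytes.
count_steps_run() {
    run_truncated "$1" "$2" | grep -c '^step' || true
}

# Cut off at byte 60 the naive script has already run two of three steps;
# the wrapped script runs none, and still none at byte 92, where the whole
# function body has arrived but the final call has not.
if [ "$(count_steps_run "$NAIVE_SCRIPT" 60)" != 0 ] && \
   [ "$(count_steps_run "$WRAPPED_SCRIPT" 60)" = 0 ]; then
    echo "wrapped script survived truncation; naive script did not"
fi
```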
GhotiFish, over 11 years ago
Does anyone remember that project that was downloading a script directly from the most recent devel in a repository, and in order to demonstrate how insecure that practice was, someone actually included an rm -rf /home/

The maintainer didn't check the commit and included it in develop, which consequently was downloaded and... etc.

I'm looking for it.
serf, over 11 years ago
I agree, and it's a growing trend.
d0m, over 11 years ago
The piping is for beginners. Rather than saying "Execute this script" or "download and compile this tarball", it just works, magic. Advanced users will obviously wget and quickly read it. But hey, sometimes I like to live dangerously too, and I pipe things to my shell.
zokier, over 11 years ago
I think this merely highlights the bigger underlying issue: the lack of transactionality. If the install script were wrapped in a transaction, then premature exit or end of input (for whatever reason) would cause no harm because the transaction would not have been committed.
ivanhoe, over 11 years ago
Well, it's risky, but you are anyway installing the software from those guys, aren't you? Do you audit every single source of every single app? No, you don't... everything is a matter of balance between security and convenience.
kolev, over 11 years ago
It's a really disturbing craze to install server software MS-DOS style and not use package managers! At the end of the day, building native packages with FPM, let's say, isn't such a big deal. At least, do an installer package.
vhost-, over 11 years ago
`wget -O - https://example.com/install.sh | vim`

A workaround I've been using for a while. I then :saveas and execute it myself once I verify it's not doing anything fishy.
lcedp, over 11 years ago
Good point. A script like that should be provided:

```sh
# download to a temp file first, then run it only if the checksum matches the published one
wget -O /tmp/f "$URL"
if md5sum /tmp/f | grep -q "^8a17590b8e78f8f1cf4983e0e691b7ab"; then
    sudo sh /tmp/f
fi
```
telephonetemp, over 11 years ago
What command can you use in a pipe chain to fully read the input until EOF before passing it on? I'm not a big fan of piping to the shell but such a command could be useful for network applications in general.
chrsw, over 11 years ago
There is a `--user-agent` option supported by wget and curl. Maybe that could help increase confidence that something will work as it should. Or at least help investigate weirdness.
general_failure, over 11 years ago
meteor does the same thing - https://github.com/meteor/meteor
xr09, over 11 years ago
I only pipe in-house projects I host myself and know exactly what the result will be; piping from the web seems rather naive.
MrKey, over 11 years ago
Don't wire wrap your fuses.
rjblackman, over 11 years ago
How about using this instead? https://github.com/liftoff/GateOne
marcosnils, over 11 years ago
Irrelevant!
secstate, over 11 years ago
While I agree with the general folly of piping to a shell, have you ever actually tried to do a rm -rf / ? Most modern POSIX systems will catch you, even if you sudo it.

Also, barring that example I can't come up with many other horrible scenarios. Unfortunate ones, sure. But not catastrophic. And as someone else said, adding random ppas would allow much worse things, and people do that all the time.