On Wednesday, May 04, 2016 at 10:51PM, Tim Caswell wrote:
> Peter, I don't see how piping a shell script to sh is any worse than
> downloading unsigned binaries and running them. If anything this is
> safer because anyone who is paranoid can simply do the curl and sh in two
> steps and read the script in between to verify what it's doing. With
> binaries this is considerably more difficult. (Also this is just
> bootstrap to download the right binaries anyway)
If you read the article I linked last time (and which I'll link again
below), you'll see that you cannot "simply do the curl and sh in two steps"
in order to prove everything is safe. A clever attacker can in fact detect
whether or not curl is being piped to the shell directly and alter the
delivered content accordingly.
Although this latest example is recent, similar exploits have been known
for some time (the earliest article I can find about switching payloads is
from 2012—I'll post that below too).
https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
https://jordaneldredge.com/blog/one-way-curl-pipe-sh-install-scripts-can-be-dangerous/
My larger question to you is this: What advantage is there to `curl
installer | sh` over telling people to download a repo and running `make`
or even `./installer`? The only advantage I see is that it's a one-liner
and maybe it feels cooler. It's a lot less secure.
My two cents, Peter
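
An added example, not part of the message above or the linked articles: since the server can serve different content to different requests, one defensive pattern is to fetch the script once, check that single local copy against a digest obtained out of band, and execute only that copy. The file name, URL, and digest shown in the comments are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: run only the bytes that were fetched once and verified.
# installer.sh, the URL and the digest below are hypothetical placeholders.

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 only if FILE exists and hashes to the pinned digest.
verify_script() {
    [ -f "$1" ] || return 2
    actual=$(sha256_of "$1") || return 2
    [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256
# Executes the local copy that was hashed, never a second download.
run_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: digest mismatch" >&2
        return 1
    fi
}

# Intended use (placeholders; the digest must come from a separate channel):
#   curl -fsSLo installer.sh https://example.invalid/installer.sh
#   less installer.sh                       # review the saved file
#   run_verified installer.sh "<published sha256>"
```

The check is only as trustworthy as the channel the digest came from; a digest served by the same host as the script adds nothing.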