
A way to detect when the user is running Curl piped to Bash over Curl'ing to a file.

idontplaydarts.com/2016/04/det

So you can MITM this stuff trivially now.

This is the way all of the tutorials aimed toward new raspberry pi users suggest install code. :(

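An added example, not from the post or the linked article: a shell wrapper that never executes straight from the pipe, downloads the installer once normally and once through a reader that stalls mid-stream, and refuses to proceed if the server handed out different bytes to the stalled reader. It assumes the tailoring keys off whether the client keeps reading (the `sleep` trick), that curl, dd, sha256sum and mktemp are available, and the function names are mine.

```shell
#!/bin/sh
# Added example: fetch an installer without executing it from the pipe, and
# check whether the server serves a different script to a client that stops
# reading mid-download (the back-pressure an early `sleep` in a piped script
# causes). The stall heuristic is an assumption, not the linked article's code.

# Plain download, read without interruption (what `curl -o file` does).
fetch_plain() {
    curl -fsSL "$1" -o "$2"
}

# Download through a consumer that reads one byte, then stops reading for $3
# seconds (default 5) before draining the rest, so the server sees the same
# stalled socket it would see from bash blocked on an early `sleep`.
fetch_stalled() {
    stall=${3:-5}
    curl -fsSL "$1" | { dd bs=1 count=1 2>/dev/null; sleep "$stall"; cat; } > "$2"
}

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed only if both copies are byte-identical.
copies_match() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Fetch URL ($1) both ways, compare, and leave the plain copy at $2 for review.
# Returns 2 if the server served different content to the stalled reader.
check_installer() {
    url=$1; out=$2
    stalled=$(mktemp) || return 1
    fetch_plain "$url" "$out" || return 1
    fetch_stalled "$url" "$stalled" || { rm -f "$stalled"; return 1; }
    if copies_match "$out" "$stalled"; then
        rm -f "$stalled"
        echo "identical copies, sha256 $(sha256_of "$out"); review $out before running it"
        return 0
    fi
    echo "WARNING: payload differed for a stalled reader; kept both: $out $stalled" >&2
    return 2
}
```

Run it as `check_installer https://example.invalid/install.sh ./install.sh` and then read the saved file; scripts shorter than the kernel's pipe and socket buffers may not trigger the stall, so a matching result is evidence, not proof.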

@ultimape @dredmorbius Hehe, I think in response to that I wrote a weaponized script that would do benign stuff when executed in a shell, but "wreak havoc" when in a `curl $URL|sudo` setting. 😈

@ultimape it's also the way tons of hip, complex, "this is the way you're supposed to do things now" tooling written by theoretical professionals does things.

in my capacity as a technical writer i have written these kinds of instructions over and over again, all along knowing that it was a bad idea and feeling like i'd just get overruled if i didn't do it that way in the first place.

@ultimape in more conscientious corners of the field you write a bullshit disclaimer about inspecting the script in an editor first, as if anyone is going to do that, or understand the many hundreds of lines of ridiculous shell script they're reading if they do.

@ultimape ...but really this cringey little corner of things is a manifestation of a bunch of unsolved problems. it's the same vale of tears as the general problem of package-management, language-specific install tooling, configuration management, etc. ad infinitum.

our systems lack good abstractions for describing and changing their overall state in a portable way.

@ultimape and we have few to no meaningful systems of trust.

i'll stop ranting now.

@brennen

> you write a bullshit disclaimer

So much this. Challenging these shortcuts risks one getting a faceful of "why do you hate regular users" but pressing it at all turns things 180 degrees: Now the "regular" user is expected to be able to audit shell code!

I understand there are challenges. It's the dissimulation about the fact that we're hiding complexities, and why, that so irks me.

@ultimape

@deejoe @ultimape yeah, i mean, i do this shit for a living and i've been administering unixy systems for 20+ years and i've written god only knows how many thousand lines of terrible shell scripts and my confidence that i can tell you for sure what any given 100+ line script is doing without at least an hour or two of rigorous inspection is, uh, pretty much nil.

like i said: a vale of tears.

@deejoe @brennen @ultimape

The whole reason these scripts exist in the first place is that package management is too hard for the average developer to learn.

I want to write an easy-to-use cross-distribution packaging aid and call it "codpiece" because it's the sexy package manager.

@yam655

making things easy is difficult

(cf comment from @brennen above, just for instance)

what you propose is that you can make it easy to make things easily. That seems like two orders of difficulty at least (and probably just one reason why packaging is difficult to begin with).

I mean, may the ghost of Turing bless your attempt, but ... we'll see ☺️

@ultimape

@ultimape The first time i ever did a curl-pipe-to-bash install it made me REALLY nervous, like "this can't possibly be safe".

As an industry, let's stop encouraging this!

@ultimape it’s simpler to put a 'curl' or 'wget' in your script. Something less suspicious than a 'sleep' in an install script.
