It’s been a bit since I saw the last, but they’re cropping up on a regular basis: installation instructions that request you pipe the output of a curl command into your shell.
I really hope that users and administrators who follow that type of instruction know what trouble they’re potentially getting into:
- If ever there was a case for verifying DNS replies with DNSSEC, this must be one of the most important. If somebody is able to get hold of the DNS domain for (in this case) `npmjs.org` and redirect it to a malicious host, the results of the `curl` command could be fatal (think `rm -rf /`).
- A misconfigured legitimate HTTP server at the domain could erroneously output a script you really don’t want to run, especially not as user root.
- Imagine what can happen if the legitimate HTTP server at the legitimate domain issues an error response: how will that be interpreted by your shell?
Admittedly, blindly following instructions like “download, extract and isn’t very much safer.
Practice safer installs. Please! Grab the `curl` output into a file and pretend to look at its content before executing it.
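As an added example (not part of the original post), a POSIX shell wrapper that does what the last paragraph asks: download to a file rather than a pipe, turn HTTP error responses into a failed download, refuse content that does not look like a script, compare it against a digest obtained out of band, and show it before anything is run. It assumes `curl` and `sha256sum` are available and that the expected digest comes from somewhere other than the download itself (a release page, a signed announcement).

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes curl and sha256sum;
# the expected digest must come from a channel other than the download.
set -u

# Download to a file instead of piping into sh. --fail makes an HTTP error
# page a non-zero exit instead of "script" text; --proto '=https' refuses a
# redirect to plain HTTP; --tlsv1.2 sets the minimum TLS version.
fetch_installer() {
  url=$1; out=$2
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
       --output "$out" "$url"
}

# Reject content that is obviously not a shell script: an empty body, an
# HTML error page (which a misconfigured server may serve with status 200),
# or anything whose first line is not a shebang.
looks_like_script() {
  f=$1
  [ -s "$f" ] || return 1
  first=$(head -n 1 "$f")
  case $first in
    '#!'*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Compare the file's SHA-256 against the out-of-band expected digest.
digest_matches() {
  f=$1; expected=$2
  actual=$(sha256sum "$f" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Usage: safe_install URL EXPECTED_SHA256
safe_install() {
  tmp=$(mktemp) || return 1
  fetch_installer "$1" "$tmp" || { rm -f "$tmp"; return 1; }
  looks_like_script "$tmp" || { echo "not a shell script" >&2; rm -f "$tmp"; return 1; }
  digest_matches "$tmp" "$2" || { echo "digest mismatch" >&2; rm -f "$tmp"; return 1; }
  ${PAGER:-less} "$tmp"                     # actually read it, then decide
  printf 'Run %s? [y/N] ' "$tmp"; read -r ans
  [ "$ans" = y ] && sh "$tmp"
  rm -f "$tmp"
}
```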