It’s been a bit since I saw the last, but they’re cropping up on a regular basis: installation instructions that request you pipe the output of a curl command into your shell.
I really hope that users and administrators who follow that type of instruction know what trouble they’re potentially getting into:
- If ever there was a case for verifying DNS replies with DNSSEC, that must be one of the most important. If somebody is able to get hold of the DNS domain for (in this case) `npmjs.org` and redirect it to a malicious host, the results of the `curl` command could be fatal (think `rm -rf /`).
- A misconfigured legitimate HTTP server at the domain could erroneously output a script you really don’t want to run, especially not as user root.
- Imagine what can happen if the legitimate HTTP server at the legitimate domain issues an error response: how will that be interpreted by your shell?
Admittedly, blindly following instructions like “download, extract and `make install`” isn’t very much safer.
Practice safer installs. Please! Grab the `curl` output into a file and pretend to look at its content before executing it.
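As an added example (not from the original post), here is a small POSIX shell helper that does what the post asks and goes a little further: it downloads to a file rather than a pipe, refuses HTTP error responses, rejects anything that is not a shell script, checks a SHA-256 obtained out of band, and only runs the file after the operator has read it. It assumes `curl` and `sha256sum` or `shasum` are installed; the URL in the usage comment is a placeholder.

```shell
#!/bin/sh
# Safer alternative to `curl URL | sh`: fetch to a file, sanity-check it,
# verify a checksum obtained out of band, then review before running.
# usage: safer_install https://example.invalid/install.sh <sha256 from release notes>

# Fetch URL into DEST. --fail makes curl exit non-zero on HTTP 4xx/5xx instead
# of saving the error page; --proto '=https' makes any plain-http redirect fail.
fetch_installer() {
    url="$1"; dest="$2"
    curl --fail --silent --show-error --location --proto '=https' \
         --output "$dest" "$url"
}

# Return 0 only if FILE is non-empty, starts with a shebang and contains no
# HTML (a misconfigured server or an error page usually returns HTML).
check_script_file() {
    file="$1"
    [ -s "$file" ] || return 1
    head -n 1 "$file" | grep -q '^#!' || return 1
    if grep -qiE '<html|<!doctype' "$file"; then return 1; fi
    return 0
}

# Return 0 if FILE's SHA-256 equals EXPECTED (hex). EXPECTED must come from a
# channel independent of the download, e.g. the project's signed release notes.
verify_sha256() {
    file="$1"; expected="$2"
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Full procedure: fetch, check, verify, open the file for review, then ask.
# Nothing is executed until the operator answers "yes".
safer_install() {
    url="$1"; expected="$2"
    tmp=$(mktemp) || return 1
    fetch_installer "$url" "$tmp"    || { echo "download failed" >&2; return 1; }
    check_script_file "$tmp"         || { echo "not a shell script: $tmp" >&2; return 1; }
    verify_sha256 "$tmp" "$expected" || { echo "checksum mismatch: $tmp" >&2; return 1; }
    ${PAGER:-less} "$tmp"
    printf 'Run %s now? [yes/NO] ' "$tmp"; read -r answer
    [ "$answer" = "yes" ] && sh "$tmp"
}
```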