It’s been a bit since I saw the last, but they’re cropping up on a regular basis: installation instructions that request you pipe the output of a curl command into your shell.

I really hope that users and administrators who follow that type of instruction know what trouble they’re potentially getting into:

  • If ever there was a case for verifying DNS replies with DNSSEC, that must be one of the most important. If somebody is able to get hold of the DNS domain for (in this case) and redirects that to a malicious host, the results of the curl command could be fatal (think rm -rf /).
  • A misconfigured legitimate HTTP server at the domain could erroneously output a script you really don’t want to run, especially not as user root.
  • Imagine what can happen if the legitimate HTTP server at the legitimate domain issues an error response: how will that be interpreted by your shell?

Admittedly, blindly following instructions like “download, extract and make install” isn’t very much safer.

Practice safer installs. Please! Grab the curl output into a file and pretend to look at its content before executing it.
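
One way to follow that advice, as an added example that is not from the original post: download to a file with curl's `--fail` so an HTTP error is not saved as the script, then check the file before running it by hand. The function names, the sample files and the publisher-supplied SHA-256 digest are assumptions; a digest only helps if it reaches you through a channel other than the download host.

```shell
#!/bin/sh
# Added example: URL, file names and digests below are placeholders.

# Download to a file. --fail makes curl exit non-zero on an HTTP error
# (status >= 400) instead of saving the error page as if it were the script.
fetch_installer() {
    url=$1; out=$2
    curl --fail --silent --show-error --proto '=https' --output "$out" "$url"
}

# Return 0 only if the file is non-empty, starts with a shebang (so it is
# not an HTML error page) and matches the expected SHA-256 digest.
vet_installer() {
    file=$1; expected=$2
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    first=$(head -n 1 "$file")
    case $first in
        '#!'*) ;;
        *) echo "not a script, first line: $first" >&2; return 2 ;;
    esac
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ] || { echo "digest mismatch: $actual" >&2; return 3; }
    echo "ok: now read $file, then run it yourself with: sh $file"
}

# Constructed offline demo: a stand-in installer and an HTML error page.
demo=$(mktemp -d)
printf '#!/bin/sh\necho hello\n' > "$demo/install.sh"
printf '<html>503 Service Unavailable</html>\n' > "$demo/error.sh"
# Stands in for a digest published by the vendor (assumption).
want=$(sha256sum "$demo/install.sh" | cut -d ' ' -f 1)
vet_installer "$demo/install.sh" "$want"
vet_installer "$demo/error.sh" "$want" || echo "rejected, exit $?"
rm -rf "$demo"
```

Nothing here executes the downloaded file; that step stays manual, after reading it.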

Security and DNSSEC :: 04 Aug 2011