
Can we please stop with curl | sudo bash, PLEASE

10•b112•2d ago
Using

curl -s https://url | sudo bash

is literal insanity. Root given. We know how accounts can be compromised, so obviously there is potential for that url to be replaced by a hacker with something malicious. We've even seen hackers compromise pages, and return the standard page, while targeting only a few people (geolocation, for example) with malicious data.

Yet there is also the possibility for malformed text to be returned. Bash will happily execute each and every line of:

  E#@%SDVsdcvxdsf4a6t4g
  erfgrr;rm * regdfgereridbd
  4524wfasrfv4

Hard to imagine such output? Yes. Impossible? Absolutely not. There are literally thousands upon thousands of commands bash can access in a typical install of Linux. Many of them are destructive. Why even risk it?

And beyond malformed, there could be a simple publishing error. There could be lines of code in the error message. Unknown text. Each and every line of text returned is executed. I am just gobsmacked that this exists anywhere, ever, for any reason at all. I wouldn't execute such a command from my own personal web server, in my own internal LAN, let alone remote.

When I see such inanity on a project page, it's a big red flag to me. Convenience over the most basic of security, or even simple validation that something didn't go wrong in a curl request. The lack of trust it evokes rises like bile in my throat: what other shortcuts are taken by the project authors, who seem to barely understand the simplest of risk assessment?

Please, don't ever execute this. If you have to throw all sense and caution to the wind, and use a project which suggests this install method, well... at least curl > file and take 1 second to see the result.
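The "curl > file and look at it" advice from the post, written out as a small wrapper (an added example, not code from the post or from any project's installer). It assumes the publisher gives the script's SHA-256 out of band, e.g. in signed release notes, and that `sha256sum` or `shasum` is on the host:

```shell
#!/bin/sh
# Added example: download to a file, refuse error pages and garbage, verify a
# pinned SHA-256, let the operator read the script, then run it. Assumption:
# the expected hash comes from the publisher through a separate channel.
# Print the SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Cheap sanity check: a shell script starts with a shebang, not with an HTML
# error page or random bytes (the malformed-text case in the post).
looks_like_script() {
    case $(head -n 1 "$1") in '#!'*) return 0 ;; *) return 1 ;; esac
}

# Compare the download against the pinned hash. Returns 0 only on a match.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download to a file (never a pipe), fail on HTTP errors, check the file,
# let the operator read it, and only then hand it to sudo.
safe_install() {
    url=$1; expected=$2
    tmp=$(mktemp) || return 1
    # -f: HTTP 4xx/5xx is a failure, so an error page is never saved as a
    # script; -L: follow redirects; -sS: quiet, but still report errors.
    if ! curl -fsSL -o "$tmp" "$url"; then
        echo "download failed, nothing executed" >&2; rm -f "$tmp"; return 1
    fi
    if ! looks_like_script "$tmp"; then
        echo "not a shell script, refusing to run it" >&2; rm -f "$tmp"; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "SHA-256 mismatch, refusing to run it" >&2; rm -f "$tmp"; return 1
    fi
    ${PAGER:-less} "$tmp"                      # read it, as the post suggests
    printf 'Run this script as root? [y/N] '; read -r ans
    [ "$ans" = "y" ] && sudo sh "$tmp"
    rm -f "$tmp"
}
# Touches the network only when the caller explicitly sets both variables.
if [ -n "${SCRIPT_URL:-}" ] && [ -n "${SCRIPT_SHA256:-}" ]; then
    safe_install "$SCRIPT_URL" "$SCRIPT_SHA256"
fi
```

A truncated or substituted download fails the hash check before anything runs, which is the failure mode a pipe into bash has no way to catch.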

Comments

jjgreen•2d ago
This may be considered as critical of Rust, so will be flagged and closed in due course.
j4nek•2d ago
made my day :D
krapp•2d ago
Not only will we keep doing this, we'll have AI agents do it unsupervised.
late_night_fix•1d ago
The problem isn't pipe, it's the default to blind trust. People will happily audit a PR but won't spend 5 seconds reading a script they're about to run as root.
halJordan•1d ago
It's not trust. There are plenty of major projects that only have or strongly prefer curl | bash. Trusting a vendor is fine.
rvz•1d ago
100% Agree.

If I were an attacker, this is the easiest way to gain root access, leak env variables and install ransomware on the machine.

Accepting this as the standard way to install software just for convenience over security is just pure ignorance until a massive breach happens.

This is even before mentioning flawed standards such as INSTALL.md [0] for agents to curl | sudo bash unattended from a .md file.

[0] https://www.mintlify.com/blog/install-md-standard-for-llm-ex...

akagusu•1d ago
Can you please stop trying to control what people do on their computers?

Nobody is forcing anyone to execute the script and usually the script is fully auditable.

winstonwinston•1d ago
These are often to install a repository and a package.

The alternative is to run something like rpm -i from_url.rpm to install some package directly. Which is not exactly any different from a security perspective.

There is no easy way around this when the software is not in a system repo or without attestation in some way.

dlcarrier•1d ago
The host in this video (https://youtu.be/M1si1y5lvkk) described the primary use for curl as being to "freebase shell script straight from githubusercontent.com by piping it into a root shell". He also said that "-o-" is "an emoticon illustrating the user with their head down on their desk and their arms splayed out in a pose of complete submission".
