curl bash pipe - Security Discussion
Are curl bash pipes insecure? Security Comparison of execution of curl bash pipes versus execution of downloaded scripts.
Introduction
There are questions as well as arguments about curl bash pipes on the internet. One concern that has been raised is that a curl bash pipe is inherently less secure than downloading a shell script and executing it.
Script Security Audit
There are at least two user groups.
User Group 1) Users with the ability to security audit shell scripts:
Users with the ability to review shell scripts (such as an installer shell script) can and might review them. These types of users do not need to be told:
- It's a curl bash pipe. For better security, you might want to not run the curl bash pipe, but instead:
  - download the script,
  - check if there is any Malicious Unicode in the script,
  - review the source code in a text editor,
  - make it executable if it looks sane,
  - execute it.
These users already know this, because knowing it is a far more trivial skill than knowing how to audit shell scripts. Even a curl bash pipe such as
curl somedomain.com/script.bsh | bash
is a type of shell script (though usually a rather short one) that people with review skills know how to review or rewrite.
If someone with Linux scripting skills sees such a curl bash pipe, it is trivial to modify it, or in other words to extract the direct link to the script
somedomain.com/script.bsh
and then to download that script manually using a web browser, curl or similar,
hopefully without falling victim to Hidden Text Attacks while using copy and paste.
User Group 2) Users without the ability to security audit shell scripts:
If a user does not have the ability to review a shell script, then there is no security difference for the user. Whether the user
- A) 1) downloads the script, 2) makes the script executable and 3) then executes the script, or
- B) runs a curl bash pipe,
the effect is the same. In both cases, the user ran a script without performing a security audit first.
Security Comparison
Let's compare method A) with method B).
Option A) curl bash pipe
1. Run the following command.
curl --tlsv1.3 https://www.example.com/installer | bash
2. Done.
Option B) Manual Download
1. Download the installer.
curl --tlsv1.3 --remote-name https://www.example.com/installer
2. Make the installer executable.
chmod +x installer
3. Run the installer.
./installer
4. Done.
Method B) is not more secure than method A) because in both cases the user has run a script without performing a security audit of the script before executing it.
Partial Content
Quote Piping curl to s(hell):
Partial content returned by the server
When using curl to pipe the script directly into your shell it is theoretically possible for the connection to be interrupted in an unpredictable way. In this case curl or other program can only output a part of the script before failing. In this case we can imagine a scenario in which a script does something that it shouldn't do. For example the following command:
$ rm -r /usr/share/program
Could become:
$ rm -r /usr
This is of course a synthetic example but it is not hard to imagine a different scenario in which a command may fail in an equally devastating way.
This issue can be mitigated by wrapping all script code into functions.
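The mitigation above, as an added example that is not part of the original page or of the quoted article: a constructed installer, in unwrapped and in function-wrapped form, is cut off mid-path and piped into sh inside a throwaway directory. The function names, the relative paths and the cut point are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example. The installer text is constructed and uses relative paths,
# so everything it touches lives in a throwaway directory.

unwrapped() {   # each line runs as soon as the shell has read it
    printf '%s\n' 'rm -r usr/share/program'
}

wrapped() {     # body is only defined; it runs when the last line arrives
    printf '%s\n' 'main() {' '    rm -r usr/share/program' '}' 'main'
}

# Pass stdin through, stopping right after the first occurrence of $1,
# the way an interrupted transfer would. An empty $1 means no interruption.
cut_after() {
    [ -n "$1" ] || { cat; return; }
    awk -v m="$1" '{ i = index($0, m)
        if (i) { printf "%s", substr($0, 1, i + length(m) - 1); exit }
        print }'
}

# simulate FORM MARKER: pipe FORM, cut after MARKER, into sh inside a
# sandbox directory and report what survived.
simulate() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/share/program" "$root/usr/bin"
    # A truncated function body is a syntax error; ignore sh's exit status.
    "$1" | cut_after "$2" | (cd "$root" && sh) 2>/dev/null || true
    if [ ! -d "$root/usr" ]; then result=usr-deleted
    elif [ ! -d "$root/usr/share/program" ]; then result=program-deleted
    else result=untouched
    fi
    rm -rf "$root"
    echo "$result"
}

simulate unwrapped ''           # complete download:  program-deleted
simulate unwrapped 'rm -r usr'  # interrupted:        usr-deleted
simulate wrapped   'rm -r usr'  # same interruption:  untouched
simulate wrapped   ''           # complete download:  program-deleted
```

The wrapped form stays inert under truncation because the shell cannot parse an unterminated function body, and the call to `main` is the last thing to arrive.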
Transparency
When running a curl bash pipe, the user does not really know which commands will be executed.
Quote Piping curl to s(hell):
When executing an unknown script we don't know what is going to happen - we will not be able to easily find out what files were installed.
This is a fair criticism which could be mitigated by installers in two ways.
- The installer could store a backup of itself in the installer download folder. If in doubt, the user can later investigate and look at the script that was executed at the time.
- The installer could by default create a log in the installer download folder that contains a complete recording of all commands that have been executed on the user's computer.
Related
- https://forums.whonix.org/t/detecting-the-use-of-curl-bash-server-side/2361/3
- Malicious Unicode
- Hidden Text Attacks
- Verifying Software Signatures