Curl at your own peril

Something that I've noticed has become more popular in recent years is for software to include installation instructions that amount to:

curl https://pwnme.sh | sudo bash

This is an upsetting trend for several reasons. In no particular order:

The download can fail partway through. Because bash reads piped input a line at a time and executes each command as soon as it is complete, it will happily run everything up to the point where the download died. This can leave the software in a partially installed state, with no straightforward means of recovery or cleanup unless the install script's authors have explicitly anticipated it (they probably haven't).
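As an added example, not part of the original post, here is a POSIX sh demonstration of that failure mode using a constructed three-line "installer" kept in a string rather than downloaded: feeding only the first 45 bytes to sh runs step one and nothing else. The second variant wraps the same body in a function that is only invoked on the final line, so a truncated copy is a syntax error and nothing runs at all. The script text, the byte counts and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): shows how a shell executes a
# piped script line by line, so a download that dies partway leaves only the
# first part executed. All script text and byte counts are constructed.

# Hypothetical installer body, as if it had been served over the network.
# Each line is 28 characters plus a newline.
NAIVE_SCRIPT='echo step1 > "$WORK/marker1"
echo step2 > "$WORK/marker2"
echo step3 > "$WORK/marker3"
'

# Same body wrapped in a function that is invoked only on the last line:
# a truncated copy never reaches "main", so nothing at all runs.
WRAPPED_SCRIPT='main() {
echo step1 > "$WORK/marker1"
echo step2 > "$WORK/marker2"
echo step3 > "$WORK/marker3"
}
main
'

# run_truncated SCRIPT NBYTES: feed only the first NBYTES bytes of SCRIPT to
# sh, as a failed download would, and print how many marker files were made.
run_truncated() {
    WORK=$(mktemp -d) || return 1
    export WORK
    printf '%s' "$1" | head -c "$2" | sh 2>/dev/null || true
    count=0
    for f in "$WORK"/marker*; do
        if [ -e "$f" ]; then count=$((count + 1)); fi
    done
    rm -rf "$WORK"
    echo "$count"
}

# Demonstration: 45 bytes is one full line plus a fragment of the second.
echo "naive, cut at 45 bytes:   $(run_truncated "$NAIVE_SCRIPT" 45) of 3 steps ran"
echo "wrapped, cut at 54 bytes: $(run_truncated "$WRAPPED_SCRIPT" 54) of 3 steps ran"
echo "naive, complete:          $(run_truncated "$NAIVE_SCRIPT" 1000) of 3 steps ran"
```

The function wrapper only helps against truncation; it does nothing about the other problems below, and it relies on the script author having thought of it.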

The entire script is being run with privileges. It probably doesn't need to be. More than likely, only two or three commands truly need privileges as part of the installation; the rest can usually be run as an ordinary user, and should be. This guards against scripts that accidentally do harmful things like deleting /usr.

Apart from unintentional misbehavior, by piping the output of curl directly to a privileged shell, you have no chance to examine the downloaded script for intentionally malicious behavior. By all means, please, copy and paste the above command into a terminal window.

Do I even have to mention the potential for man-in-the-middle attacks, especially if the URL is over plaintext HTTP?

What if I don't have curl installed? It's fairly common, but not quite universal. Many GNU/Linux distributions ship wget rather than curl by default. OpenBSD includes HTTP download functionality in its ftp client, so it ships neither curl nor wget.

Similarly, what if I don't have sudo? Again, it's very common, but at least Debian doesn't include it by default. OpenBSD includes similar functionality with doas in its base system. Also, see above regarding privilege separation.

Last of all is bash. Shell scripts should be written in the POSIX Shell Command Language. I have yet to encounter a single bash script that couldn't have been a sh script with minor tweaks. Although bash is a de facto standard on GNU/Linux systems, it still isn't (and likely will never be) part of the base OpenBSD install.

So what should the instructions be instead? I'm rather fond of:

  1. Download URL-of-compressed-archive
  2. zcat compressed-archive | pax -r
  3. cd source-tree
  4. make
  5. make install # run this step with privileges
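As an added example, not the original post's own code, the five steps above as a POSIX sh script that also covers the earlier points about inspecting what you downloaded, about systems without curl or sudo, and about not needing bash. The archive is saved to a file before anything is done with it, its SHA-256 is compared against a value the reader obtained out of band, and only the final `make install` is elevated, via doas where present and sudo otherwise. The URL, the `--install` flag, the function names and the checksum are assumptions for illustration; nothing is fetched unless the script is run with `--install`.

```shell
#!/bin/sh
# Added example (not from the original post): download, verify, unpack,
# build unprivileged, then elevate only for 'make install'. Tool selection
# follows the post: curl, wget or OpenBSD's ftp(1); doas or sudo.

# Print the first available fetch tool, or fail if there is none.
pick_fetcher() {
    for tool in curl wget ftp; do
        if command -v "$tool" >/dev/null 2>&1; then
            echo "$tool"
            return 0
        fi
    done
    return 1
}

# fetch URL DEST: save to a file. Nothing is executed from the stream, so a
# failed download is just an incomplete file that the checksum will reject.
fetch() {
    case "$(pick_fetcher)" in
        curl) curl -fsSL -o "$2" "$1" ;;
        wget) wget -q -O "$2" "$1" ;;
        ftp)  ftp -o "$2" "$1" ;;
        *)    echo "no download tool found" >&2; return 1 ;;
    esac
}

# sha256_of FILE: hex digest using whichever hashing tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then      # BSD userland
        sha256 -q "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# verify_checksum FILE EXPECTED: 0 on match, non-zero otherwise. EXPECTED is
# the digest published by the project, obtained separately from the archive.
verify_checksum() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# Print the privilege-elevation command: doas (OpenBSD base) before sudo.
pick_elevator() {
    if command -v doas >/dev/null 2>&1; then echo doas
    elif command -v sudo >/dev/null 2>&1; then echo sudo
    else return 1
    fi
}

# run_install URL EXPECTED_SHA256: the five steps from the post in order.
run_install() {
    url=$1; expected=$2
    archive=$(mktemp) || return 1
    fetch "$url" "$archive" || return 1
    verify_checksum "$archive" "$expected" || { echo "checksum mismatch" >&2; return 1; }
    # This is the moment to read the unpacked sources before building them.
    zcat "$archive" | pax -r || return 1
    srcdir=$(zcat "$archive" | pax | head -n 1 | cut -d/ -f1) || return 1
    ( cd "$srcdir" && make && "$(pick_elevator)" make install )
}

if [ "${1:-}" = "--install" ]; then
    # usage: ./install.sh --install https://example.invalid/pkg.tar.gz <sha256>
    run_install "$2" "$3"
fi
```

Everything up to and including `make` runs as the invoking user; a script that deletes the wrong directory at that stage can only damage what that user could already damage.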

Sure, it may be a bit more verbose than curl https://pwnme.sh | sudo bash, but it's a lot less perilous.

Copyright © 2019 Jakob Kaivo <jakob@kaivo.net>