Something that I've noticed has become more popular in recent years is for software to include installation instructions that amount to:
curl https://pwnme.sh | sudo bash
This is an upsetting trend for several reasons. In no particular order:
The download can fail partway through, but bash seems to take pipe input one line at a time and will happily execute everything it has received up until the download fails. This has the potential to leave the software in a partially installed state, with no straightforward means of recovery or cleanup unless this has been explicitly anticipated by the install script authors (it probably hasn't).
The entire script is being run with privileges. It probably doesn't need to be. More than likely, only two or three commands truly need privileges as part of the installation. The rest can usually be run as an ordinary user, and they should be. This guards against scripts that accidentally do harmful things like deleting
Apart from unintentional misbehavior, by piping the output of curl directly to a privileged shell, you have no chance to examine the downloaded script for intentionally malicious behavior. By all means, please, copy and paste the above command into a terminal window.
Do I even have to mention the potential for man-in-the-middle attacks, especially if the URL is over plaintext HTTP?
What if I don't have curl installed? It's fairly common, but not quite universal. Many GNU/Linux distributions prefer wget by default. OpenBSD has HTTP download functionality included in its ftp client, so ships neither
Similarly, what if I don't have sudo? Again, it's very common, but at least Debian doesn't include it by default. OpenBSD includes similar functionality with doas in its base system. Also, see above regarding privilege separation.
Last of all is bash. Shell scripts should be written in the POSIX Shell Command Language. I have yet to encounter a single bash script that couldn't have been a sh script with minor tweaks. Although bash is a de facto standard on GNU/Linux systems, it still isn't (and likely will never be) part of the base OpenBSD install.
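The partial-execution problem from the first point above, shown as an added example that is not part of the original post: a truncated stream of top-level commands leaves a half-finished install, while the same commands wrapped in a function called only on the last line do nothing unless the whole script arrives. The installer body, DEMO_ROOT and all function names are constructed for illustration, and the truncation is simulated offline with head.

```shell
#!/bin/sh
# Constructed installer body; it writes only under $DEMO_ROOT.
installer_body() {
cat <<'EOF'
mkdir -p "$DEMO_ROOT/app"
echo one > "$DEMO_ROOT/app/step1"
echo two > "$DEMO_ROOT/app/step2"
echo ok > "$DEMO_ROOT/app/complete"
EOF
}

# Naive form: commands at top level, so each runs as soon as it arrives.
naive_installer() { installer_body; }

# Defensive form: the same commands inside a function that is called only
# on the final line, so a truncated stream never contains the call.
wrapped_installer() {
    echo 'main() {'
    installer_body
    echo '}'
    echo 'main'
}

# Feed only the first $2 lines of installer $1 to sh, as a dropped
# connection would, with the install root set to $3.
run_truncated() {
    "$1" | head -n "$2" | DEMO_ROOT="$3" sh 2>/dev/null || true
}

# Print "none", "partial" or "complete" for install root $1.
install_state() {
    if [ -f "$1/app/complete" ]; then echo complete
    elif [ -d "$1/app" ]; then echo partial
    else echo none
    fi
}

demo() {
    root=$(mktemp -d)
    run_truncated naive_installer 2 "$root/naive"
    run_truncated wrapped_installer 6 "$root/cut"
    run_truncated wrapped_installer 7 "$root/full"
    echo "naive, cut after 2 of 4 lines:   $(install_state "$root/naive")"
    echo "wrapped, cut after 6 of 7 lines: $(install_state "$root/cut")"
    echo "wrapped, all 7 lines:            $(install_state "$root/full")"
    rm -rf "$root"
}
demo
```

The wrapper only addresses truncation; it does nothing for the privilege, inspection or transport concerns in the other points.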
So what should the instructions be instead? I'm rather fond of:
zcat compressed-archive | pax -r
make install # run this step with privileges
Sure, it may be a bit more verbose than curl https://pwnme.sh | sudo bash, but it's a lot less perilous.