19

While I was reading the introduction to the Rust programming language, I came across the installation method which asks to use the following command

```sh
curl -sf -L https://static.rust-lang.org/rustup.sh | sudo sh
```

with a note of caution that this is not the most trusted way of installing an application. Can anybody provide me the details about how this command can be dangerous and are there any methods to protect yourself from its effects?

simhumileco
avinash pandey
  • 6
    `curl` goes to an untrusted site on the internet and returns text. You pipe that text into a shell with root access on your local box. So the person you don't trust is able to run arbitrary code on your machine. The security implications are, I hope, fairly obvious. – William Pursell Apr 01 '15 at 04:22
  • Can I just run the sh command with a destination directory so that sudo is not required? – avinash pandey Apr 01 '15 at 04:25
  • 1
    I would strongly recommend dumping the output to a file and examining it. – William Pursell Apr 01 '15 at 04:27
  • 2
    [The Rust programming language book](http://doc.rust-lang.org/book/installing-rust.html) has a link to a [blog post on using curl to install](http://blog.emillon.org/posts/2014-12-27-on-the-curl-sh-pattern.html). – Paolo Falabella Apr 01 '15 at 07:36

2 Answers

18

Because you are giving root access to whatever script you are executing. It can do a wide variety of nasty things.

If the Rust site is ever compromised and that script gets a tiny piece that installs malware silently, you wouldn't know without inspecting the script first.

Daniel Fath
  • Exactly. The curl | sh pattern can be challenging to defend—even if you're not giving it root access, the contents of your user account are valuable too. If you can use a tool that checks integrity instead of just the transport (HTTPS), that's even better. https://spin.atomicobject.com/2016/12/12/security-spectrum-curl-sh/?utm_source=stackoverflow-ao&utm_campaign=security-spectrum-curl-sh&utm_medium=referral – Mattie Dec 13 '16 at 14:20
  • 4
    Assuming you use HTTPS: you merely have to trust the domain. This is exactly as secure as every time you ever downloaded an installer manually, i.e. almost every time a Windows or OS X user ever installed software. – flying sheep Aug 07 '17 at 19:11
  • @flyingsheep When you do that, you can check the certificate in the browser, is it still the same? – 12431234123412341234123 May 25 '22 at 13:15
13

As Daniel said, plus a few more reasons:

  • If the script were provided to you over HTTP instead of HTTPS, a man-in-the-middle attack could be performed by some evil third party. Using HTTPS, you at least have confidence that the script will be downloaded as-is from the site.
  • If the connection closes mid-stream, partial commands may be executed that were not intended (and are potentially dangerous). (See 1st link.)
  • You may also think that opening the script in the browser to check that it's not evil will mitigate the risk. Unfortunately it will not, because the site owner may show different content for browser User-Agents (see 2nd link).

How to properly mitigate risk then:

Ideally:

Use this approach when making changes on a production server

```sh
curl -sf -L https://static.rust-lang.org/rustup.sh -o rustup.sh
less rustup.sh
chmod +x rustup.sh
sudo ./rustup.sh
```

Significantly better, but not perfect (but one-liner):

You can use this approach on a dev machine / test server

```sh
su -c "curl https://static.rust-lang.org/rustup.sh -o rustup.sh && chmod +x rustup.sh && ./rustup.sh"
```

References:

Piotr Dabrowski
  • 4
    You can proof your scripts against partial execution by putting the whole thing into the body of a function, and executing that function on the last line. If you know a script is defined like that, it’s exactly as secure as downloading and then executing some installer. – flying sheep Aug 07 '17 at 19:34
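
An added example (not part of the answers or comments above, and not the real rustup.sh): it reproduces the partial-execution problem from the second answer and the function-wrapping defence from the comment under it. The two installers, the `./app` paths and the cut offsets are constructed for illustration, and everything runs inside a scratch directory.

```shell
#!/bin/sh
# Constructed stand-in installers; neither is the real rustup.sh.
plain_installer() {
    printf '%s\n' 'echo installing' 'rm -rf ./app/cache' 'touch ./app/installed'
}

# Same steps, wrapped in a function that is only called on the last line.
wrapped_installer() {
    printf '%s\n' 'main() {'
    plain_installer
    printf '%s\n' '}' 'main'
}

# Feed the first $2 bytes of installer $1 to sh inside a scratch directory
# (simulating a connection that drops mid-stream) and report what is left.
run_truncated() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/app/cache" "$dir/app/data"
    # "|| true": a syntax error in the truncated script is an expected outcome.
    "$1" | head -c "$2" | (cd "$dir" && sh >/dev/null 2>&1) || true
    if [ ! -d "$dir/app/data" ]; then state=data-lost
    elif [ -e "$dir/app/installed" ]; then state=installed
    else state=untouched
    fi
    rm -rf "$dir"
    echo "$state"
}

# "echo installing\n" is 16 bytes and "rm -rf ./app" is 12, so a cut at byte 28
# turns the cleanup of ./app/cache into removal of all of ./app.
CUT=28
echo "plain, cut:     $(run_truncated plain_installer "$CUT")"
# The wrapper adds 9 bytes ("main() {\n") before the same cut point; the shell
# sees an unterminated function body and executes nothing.
echo "wrapped, cut:   $(run_truncated wrapped_installer $((CUT + 9)))"
echo "wrapped, whole: $(run_truncated wrapped_installer 100000)"
```

Wrapping only protects against truncation; it does nothing about a script whose content has been changed, which is why downloading to a file and reading it first is still the safer route.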