List Of Apps That Suggest Redirecting curl To Your Shell To Install 2020-06-16
In the world of Linux [and similar OSs] there is the issue of package management, or as some folks would call it, application installation. In the Windows world an application developer would compile their program in to an executable file and distribute it. They might have to "package it" with an installer application or provide both 32bit and 64bit versions, but otherwise it is fairly well defined. In the Linux world a developer may have to create an RPM package for RedHat based systems, a DEB package for Debian based distros, an AUR package for Arch, and well... you see where this is headed. Some developers figure that rather than keep making piles of distibution packages every time they release a new version of their software they should just provide a single generic way to install. This is easier for them, but produces systems that have software which doesn't fall in to the local application management strategy. What's worse is that some developers choose to simply maintain a script that "does everything" for the user and tell users to install it like this:
$ curl http://somecrap.com/script.sh | bash
This is a somewhat simplified example but the idea is to use curl to download a script and then take the contents of that script and run it. There are various arguments over whether this is a bad idea or not, and plenty of people have no doubt that it is entirely safe, and provide a plethora of excuses to legitimize the practice. This post is not for those people. You may close this tab now. Some folks figure it is begging for trouble, even if it hasn't bitten 100% of smartasses yet. At a bare minimum I think it encourages users to blindly run things without thinking about it first at all... which basically undoes the exact thing that supposedly makes Linux more secure than Windows. So, on with the list.
| application | notes |
|---|---|
| Bitwarden Server | If you don't want to trust your passwords to the folks at Bitwarden you can always run your own server from their source at Github. Too bad their install options include (1) Windows with .NET and SQL server (2) Docker or (3) a Linux install script they don't even suggest reading. It isn't quite piping to your shell but it is here because they clearly don't want you to read the script first. |
| CasaOS | A personal cloud platform. On their home page it says to curl -fsSL https://get.casaos.io | sudo bash. |
| Citadel/UX | This is an email client that over the years has also sort of grown in to a groupware type application. It grew out of the old Citadel BBS software. Sadly, their install instructions say that you should curl http://easyinstall.citadel.org/install | bash. |
| CrowdSec | I'm not really sure of exactly how this thing works but it appears as though it monitors logs and blocks IPs when they do stupid things (just like fail2ban) and then it sends info about the bad IP to "their servers" (unlike fail2ban). I suspect it also occasionally downloads their list from "all users" and blocks those too. I think I'll keep my data on my server and stick with fail2ban for now. Anyways, the install instructions say that you should curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash. |
| Firezone | This is a remote access utility that says in the install instructions to simply run bash <(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh) posthog-blocked. |
| Immich | A photo and video backup utility, their instructions figure it should be just fine to run curl -o- https://raw.githubusercontent.com/immich-app/immich/main/install.sh | bash. |
| Jellyfin | Jellyfin media streaming application suggests installing their server application by running curl https://repo.jellyfin.org/install-debuntu.sh | sudo bash. Thanks to aeternum for pointing this one out to me. |
| Joplin | If you are looking for a way to selfhost your calendar, notes, and todo list you may come across Joplin. I was happy to see that they have a 32 bit build for Windows and even portable versions, but the install instructions for Linux say you should wget -O - https://raw.githubusercontent.com/laurent22/joplin/dev/Joplin_install_and_update.sh | bash. |
| KeeWeb | That's right, another password manager... you know, for people who are concerned about security. The install instructions say you should curl https://raw.githubusercontent.com/keeweb/keeweb/develop/dev-env.sh | bash -. Classy. |
| Mail-in-a-Box | I was chatting with someone tonight about mail servers and this one came up up in the conversation. I use a Windows based application as my mail server because *ix based solutions seem to all involve some patchwork of applications pasted together with peanut butter. How there is no *ix application that provides SMTP, IMAP, and POP services I don't know. It's not like they are unrelated services eh? Anyways, the setup guide says you should curl -s https://mailinabox.email/setup.sh | sudo -E bash. |
| Netdata | This is some kind of monitoring application for sysops (digital admins). You'd think those kinds of people would know better than to follow the instructions in their documentation and run a command like wget -O /tmp/netdata-kickstart.sh https://my-netdata.io/kickstart.sh && sh /tmp/netdata-kickstart.sh. |
| Nextcloud | This one almost shouldn't be here. Their install page has two steps... (1) download script and (2) run it like this: sudo bash nextcloud_install_production.sh. I'd really like to see a step in the middle that says (1b) seriously, just have a look at the script first, even if you might have to ask someone what it means. |
| NixOS | Funny, our first entry is an actual package manager of sorts. The page here shows that the install should be done with $ sh <(curl https://nixos.org/nix/install) which is not exactly piping curl to your shell but is actually a backwards way of doing it. Sneaky fishy. |
| Pi-Hole | While they do admit that piping to a shell is controversial, the first install method suggested is to curl -sSL https://install.pi-hole.net | bash. |
| PiVPN | The very first part of their home page says "It is *almost* that simple." and immediately says to curl -L https://install.pivpn.io | bash. Seriously, software that is specifically privacy/security related and they tell users to ignore common sense. |
| Psono | What is it with password managers? This one says to bash <(curl -s https://gitlab.com/psono/psono-quickstart/raw/master/install.sh). Seriously, password managers? Seriously? |
| Site.js | Their install instructions do say "Make sure you understand what any script does before piping it into your shell" but fails to mention that a web server could easily provide a different shell script based on a variety of factors (such as your user-agent being curl). So maybe wget -qO- https://sitejs.org/install | bash isn't the thing to do. |
| Tailscale | It may not be terribly clear what this does, but I think it is basically a Wireguard deployment tool. You'd think a company so focused on security would know that putting instructions on their download page telling people to curl -fsSL https://tailscale.com/install.sh | sh is a bad idea. * Thanks to aeternum for pointing this one out to me. |
| Technitium DNS Server | Want to run your own DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) server? Well these guys will tell you to curl -sSL https://download.technitium.com/dns/install.sh | sudo bash - I mean, as long as you are concerned enough about security to run your own DNS server you may as well run their script without looking at it. Just in case anyone didn't know, the lower case s in that command is for "silent mode" and the upper case L is to blindly follow redirects. Extra secure eh? * Thanks to aeternum for pointing this one out to me. |
| Umbrel | They make it sound like this thing is supposed to free you from Google's monetizing hand, but it seems to be half about bitcoin (which is just bullshit), and half about an "app store" for applications that you could just as easily install by piping some script to your shell. I can't see any advantage to running curl -L https://umbrel.sh | bash like their instructions say, other than not knowing what these bitcoin shills are running on your computer. * Thanks to aeternum for pointing this one out to me. |
| Vencord | A Discord client that says their automatic launcher script will figure everything out for you. Just run the script like this: sh -c "$(curl -sS https://raw.githubusercontent.com/Vendicated/VencordInstaller/main/install.sh)" eh. * Thanks to aeternum for pointing this one out to me. |
| YABS | Yet-Another-Bench-Script will throw a bunch of benchmarking stats at you. They figure the best way to run it is to curl -sL yabs.sh | bash or wget -qO- yabs.sh | bash because the people who are running this obviously care about every CPU cycle but not the security of who or what is using them. * Thanks to aeternum for pointing this one out to me. |
Hmmm...I should add that the same kind of logic applies to non-Linux operating systems such as BSD's. I just use the term Linux in place of mentioning every exception that people might wish to throw at me. Additionally, I am not suggesting that anyone not use these applications (though that IS an option), but rather that downloading the script, looking at it, and then running it might be a more responsible computing habit.