Why using curl | sudo sh is not advised?

Question

While I was reading the introduction to the Rust programming language, I came across the installation method which asks to use the following command

curl -sf         


        

Answer 1

Because you are giving root access to whatever script you are executing. It can do a wide variety of nasty things.

If Rust site is ever compromised and that script gets a tiny piece that installs malware silently, you wouldn't know, without inspecting the script first.

Answer 2

As Daniel said plus few more reasons:

• if the script were provided to you over HTTP instead HTTPS, Man In The Middle attack can be performed by some evil 3rd Party. Using HTTPS you have at least confidence, that the script will be downloaded as-is from the site
• if the connection closes mid-stream, there may be executed partial commands, which were not intended to (and potentially dangerous). (see 1st link)
• you may also think that opening script in the browser to check if it's not evil will mitigate the risk. Unfortunately it will not, because site owner may show different content for browser User-Agents (see 2nd link)

How to properly mitigate risk then:

Ideally:

Use this approach when making changes on production server

curl -sf -L https://static.rust-lang.org/rustup.sh -o rustup.sh
less rustup.sh
chmod +x rustup.sh
sudo ./rustup.sh

Significantly better, but not perfect (but one-liner):

You can use this approach on dev machine / test server

su -c "curl https://static.rust-lang.org/rustup.sh -o rustup.sh && chmod +x rustup.sh && ./rustup.sh"

References:

• https://www.seancassidy.me/dont-pipe-to-your-shell.html
• https://jordaneldredge.com/blog/one-way-curl-pipe-sh-install-scripts-can-be-dangerous/