this post was submitted on 23 Feb 2026
109 points (97.4% liked)

Selfhosted

56831 readers
570 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
109
A sneaky demonstration of the dangers of curl bash (blog.k3can.us)
submitted 18 hours ago* (last edited 4 hours ago) by K3can@lemmy.radio to c/selfhosted@lemmy.world
62 comments fedilink hide all child comments
 

I set up a quick demonstration to show risks of curl|bash and how a bad-actor could potentially hide a malicious script that appears safe.

It's nothing new or groundbreaking, but I figure it never hurts to have another reminder.

you are viewing a single comment's thread
view the rest of the comments
[–] Dave@lemmy.nz 6 points 13 hours ago (2 children)

Yeah I get that, but I would install docker, cloudflared, etc by piping a convenience script to bash without hesitation. I've already decided to install their binary, I don't see why the install script is any higher risk.

I know it's a controversial thing for everyone to make their own call on, I just don't think the risk for a bash script is any higher than a binary.

[–] moonpiedumplings@programming.dev 4 points 12 hours ago (1 children)

I won't lie, I use curl | bash as well, but I do dislike it for two reasons:

Firstly, it is much, much easier to compromise the website hosting than the binary itself, usually. Distributed binaries are usually signed by multiple keys from multiple servers, resulting in them being highly resistant to tampering. Reproducible builds (two users compiling a program get the same output) make it even harder to tamper with them, and easy to detect.

On the other hand, websites hosting infrastructure is generally nowhere near as secure. It's typically one or two VPS's, and there is no signature or verification that the content is "official". So even if I'm not tampering with the binary, I can still tamper with the bash script to add extra goodies to it.

On the other hand (but not really relevant to what OP is talking about), just because I trust someone to give me a binary in a mature programming language they have experience writing in, doesn't mean I trust them to give me a script in a language known for footguns. A steam bug in their bash script once deleted a user's home directory. There have also been issues with AUR packages, which are basically bash scripts, breaking people's systems as well. When it comes to user/community created scripts, I mostly trust them to not be malicious, and I am more fearful of a bug or mistake screwing things up. But at the same time, I have little confidence in my ability to spot these bugs.

Generally, I only make an exception for running bash installers if the program being installed is a "platform" that I can use to install more software. K3s (Kubernetes distro), or the Nix package manager are examples. If I can install something via Nix or Docker then it's going to be installed via there and not installed via curl | bash. Not every developer under the sun should be given the privilege of running a bash script on my system.

As a sidenote, docker doesn't recommend their install script anymore. All the instructions have been removed from the website. Personally, I prefer to get it from the distro's repositories, as usually that's the simplest and fastest way to install docker nowadays.

[–] Dave@lemmy.nz 2 points 12 hours ago

Firstly, it is much, much easier to compromise the website hosting than the binary itself, usually. Distributed binaries are usually signed by multiple keys from multiple servers, resulting in them being highly resistant to tampering. Reproducible builds (two users compiling a program get the same output) make it trivial to detect tampering as well.

Yeah this is a fair call.

But at the same time, I have little confidence in my ability to spot these bugs.

This is the key thing for me. I am not likely to spot any issues even if they were there! I'd only be scanning for external connections or obviously malicious code, which I do when I don't have as much trust in the source.

As a sidenote, docker doesn’t recommend their install script anymore.

Yeah I used it as an example because there are very few times I ever remember piping to bash, but that's probably the most common one I have done in the past.

[–] osanna@thebrainbin.org 0 points 13 hours ago (1 children)

the difference though is you can check a script. if it’s an open source project, you can also compile from source. but I get what you mean

[–] Dave@lemmy.nz 4 points 13 hours ago

You can, but to me it seems weird to say it's crazy to pipe to bash when people happily run binaries. If anything, the convenience script is lower risk than the binary since people have probably checked it before you.

I wouldn't pipe a random script to bash though, nothing where I wouldn't trust the people behind it.