Old 11-23-2015, 10:51 AM   #5
jgoguen
In general, great advice. Sending a script from the Internet directly to your shell to be run, whether using sudo or not, is a bad idea. Sudo makes it worse. But, the threat model is slightly different using a relatively trustworthy site like GitHub, downloading the script using TLS, compared to going to some random site with no reputation and downloading their script with no encryption or secure checksumming. No, a checksum on the unencrypted page doesn't count.

In the general case, whether TLS-secured or not, I can go to the script, see what's there, and do some quick searching to see if anyone is saying "OMG, l33t hax0rs, don't download this!" or if the Internet is mostly silent. With TLS, I have some assurances that if the content is being modified before being sent, it's happening on the server before data is transmitted. Which I've seen happen: different content is sent to different user agents, and you can guard against that by setting the user agent in your script to something a normal browser sends, and maybe even setting a referrer URL so it looks like you came from another page on the site.

For some of us, the threat model is still different. I can download the script, read it, evaluate what it's doing, decode any encoded strings, decide if I'm comfortable with it, and run it locally. And if I find that Kovid is pulling some hanky-panky and using the calibre setup script to run bitcoin miners on all our boxes, I can post about it, show the GitHub commit hash where that was added, outline how it was hidden, and basically make the Internet be "not silent" about the dangers of running this setup script.

And if you're a sysadmin and you're blindly running scripts of unknown origin, hand in your sysadmin card. That's just not something a proper sysadmin does.
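The download-then-read workflow described in the post, as an added example (not jgoguen's code and not calibre's own installer): the script is fetched over TLS to a file rather than a shell, with a browser-like User-Agent and a Referer so the server has no cheap way to serve curl something different from what a browser gets, its hash is recorded, and constructs that deserve a manual read (encoded strings, remote content piped straight into an interpreter) are flagged and decoded for inspection. It assumes GNU coreutils (`sha256sum`, `base64 -d`) and `curl`; the pattern list is an assumption, not a complete detector.

```shell
#!/bin/sh
# fetch_for_review URL OUT [REFERER]: download to a file, never to a shell.
# Browser-like User-Agent and Referer follow the post's advice on servers
# that vary content by client; the UA string is a constructed example.
fetch_for_review() {
    curl -fsSL --proto '=https' \
        -A 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0' \
        -e "${3:-$1}" -o "$2" "$1"
}

# review_script FILE: print the hash you reviewed, then list lines that
# merit a close read. Returns 0 if nothing was flagged, 1 otherwise.
review_script() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    echo "sha256: $(sha256sum "$f" | cut -d' ' -f1)"
    hits=0
    # Assumed pattern set: decoded blobs, eval, hex escapes, and
    # network-to-shell pipelines (\| is a literal pipe in ERE).
    for pat in 'base64 -d' 'base64 --decode' 'eval ' \
               '\\x[0-9a-fA-F][0-9a-fA-F]' \
               'curl[^|]*\|[^|]*sh' 'wget[^|]*\|[^|]*sh'; do
        if grep -nE "$pat" "$f"; then hits=1; fi
    done
    return $hits
}

# decode_b64_strings FILE: show the printable decoding of base64-looking
# literals (24+ chars) so "encoded strings" can actually be read.
decode_b64_strings() {
    grep -oE '[A-Za-z0-9+/]{24,}={0,2}' "$1" | while read -r s; do
        d=$(printf '%s' "$s" | base64 -d 2>/dev/null | tr -cd '[:print:]\n')
        [ -n "$d" ] && printf '%s -> %s\n' "$s" "$d"
    done
    return 0
}

# Typical use (network step commented out so the file runs offline):
# fetch_for_review https://example.invalid/setup.sh ./setup.sh
# review_script ./setup.sh; decode_b64_strings ./setup.sh; less ./setup.sh
```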