Richard Bucker

don't pipe to shell

Posted at — Jul 4, 2016

The topic has been around a while and this article does a good job describing the challenge. But is it really a problem?

First of all, most programmers give themselves sudo or admin permissions, whether on Windows, Linux or Mac, many times without requiring a password. Many times these same people install tons of packages, 3rd-party libraries, containers, and so on from curated and non-curated sites.

Examples of curated sites include the default Ubuntu, Fedora, BSD and Red Hat package servers. Examples of non-curated sites include Alpine Linux, most of the development sites, code pulled directly from public repos on GitHub or Bitbucket, and my favorite, the Docker public registry.

So the point is…

If you are willing to install code from public, non-curated sites with NOPASSWD sudo access, what difference does it make whether you install the code with a shell script or with pkg_add, yum, or apt-get?
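One thing the pipe does give up, whatever the source's trust level, is the chance to look at the whole file and compare it against a digest before anything runs. As an added example (not from the original post), this is the "save, verify, then run" pattern that replaces `curl … | sudo sh`; the URL and the expected digest are placeholders the reader supplies from the project's release page.

```sh
#!/bin/sh
# Added example, not from the original post: replace `curl URL | sudo sh` with
# "download to a file, check its SHA-256 against a value published out-of-band,
# and only then execute it". The URL and digest below are placeholders.

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with sh only if its digest equals EXPECTED_SHA256. A truncated or
# tampered download therefore never executes, which the pipe cannot guarantee
# (sh starts interpreting the stream before the transfer has finished).
verify_and_run() {
    file=$1
    expected=$2
    shift 2
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual, want $expected" >&2
        return 1
    fi
    sh "$file" "$@"
}

# Typical use (placeholder URL and digest; the digest must come from somewhere
# other than the server that serves the script, or it proves nothing):
#   curl -fsSLo /tmp/install.sh https://example.invalid/install.sh
#   less /tmp/install.sh
#   verify_and_run /tmp/install.sh <sha256 from the project's release page>
```

The same digest check applies whether the script is later run as a user or under sudo; it narrows what can reach the shell, not what the shell is allowed to do once it runs.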