this post was submitted on 23 Feb 2026
177 points (97.8% liked)

Selfhosted

60409 readers
391 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

I set up a quick demonstration to show risks of curl|bash and how a bad-actor could potentially hide a malicious script that appears safe.

It's nothing new or groundbreaking, but I figure it never hurts to have another reminder.

you are viewing a single comment's thread
view the rest of the comments
[–] osanna@thebrainbin.org 61 points 4 months ago (32 children)

you’d have to be mad to willingly pipe a script to bash without checking it. holy shit

[–] jtrek@startrek.website 18 points 4 months ago (1 children)

Most developers I've looked at would happily just paste the curl|bash thing into the terminal.

I often would skim the script in the browser, but a. This post shows that's not fool proof and b. a sufficiently sophisticated malicious script would fool a casual read

[–] Ephera@lemmy.ml 5 points 4 months ago

Most developers I’ve looked at would happily just paste the curl|bash thing into the terminal.

I mean, I typically see it used for installing applications, and so long as TLS is used for the download, I'm still not aware of a good reason why you should check the Bash script in particular in that case, since the application itself could just as well be malware.

Of course, it's better to check the Bash script than to not check it, but at that point we should also advise to download the source code for the application, review it and then compile it yourself.
At some point, you just have to bite the bullet and I have not yet seen a good argument why the Bash script deserves special treatment here...

Having said that, for cases where you're not installing an application, yeah, reviewing the script allows you to use it, without having to trust the source to the same degree as you do for installing an application.

load more comments (30 replies)