10

Disclaimer. I'm a long-time Windows user and just starting to get my head around the Linux paradigm. While excited by it, I understand that my formulations might be poorly chosen due to ignorance.

I've received an answer, the contents of which included the following line, which I need help interpreting (after a while of googling I've got a pretty good guess but I'd like to make it more reliable).

curl -sL https://blabla | sudo -E bash -

I understand that we first create a web call to the URL blabla and then (here's the pipe magic popping up) execute a command with admin elevated privileges to open a new terminal window instance.

However, when I try to digest the command, I learn that it's equivalent to the following sequence.

curl --silent --location https://blabla
sudo -E bash -

Question 1: Is that correctly understood?

Further on, I tried to learn what the switches for the second line are and used the statement as follows.

man bash | sed -n '/-E/,+1p'

However, I can't really see what "-E" is shorthand for (is it --empty or is it -- or maybe --err) and get stuck on the interpretation. Also, I can't figure out what the alone dash character does and I'm not sure how to look it up in the manual using the statement above.

Question 2: How do I look up the verbose syntax for the switches?

Question 3: What is the meaning of the dash character without the switch?

Konrad Viltersten
  • 287
  • 5
    Should be noted that commands which pair curl or any tool which downloads data from web with a shell is very poor practice for security reasons. The downloaded script is passed as raw data to bash stdin, and thus doesn't live on disk, so you have no way of knowing what you may have executed. In fact, this is how exploits are downloaded onto servers. Unlike PowerShell, Unix shells have no execution policy. Best practice is to download script first, examine its contents, maybe compare hashsum, and only if you're sure it's safe - run it. – Sergiy Kolodyazhnyy Sep 10 '18 at 20:19
  • 1
    In the particular answer you reference, it can be assumed safe because it comes from a trusted source and Thomas is one of our esteemed moderators on the site. But this of course doesn't change the fact that overall practice is bad. – Sergiy Kolodyazhnyy Sep 10 '18 at 20:23
  • 1
    A "trusted source" is only trusted insofar as the hosting site, and any proxies in the way, haven't been compromised -- until/unless you actually check a signature on the content itself. There's a reason software packaging systems embed signatures inside the packages themselves, and provide a means of distributing lists of keys trusted to develop them -- so you can trust the package itself, rather than needing to trust the site you downloaded it from. – Charles Duffy Sep 10 '18 at 21:17
  • ...which is to say that no matter how much we trust the moderator at hand, it's not a good idea to also trust that their ISP hasn't been compromised and had their scripts bulk-modified to add shellcode! – Charles Duffy Sep 10 '18 at 21:19
  • @CharlesDuffy Completely agree. – Sergiy Kolodyazhnyy Sep 11 '18 at 01:58

1 Answers1

14

The pipe command (|) means take the output of the command on the left and pass it in as input to the command on the right. So, you are almost correct in your understanding of what

curl -sL https://blabla | sudo -E bash -

does. What you are missing is capturing the output of the first command, and passing that into the second command. What you have above needs to be something like the following:

curl --silent --location https://blabla >/tmp/output
sudo -E bash - </tmp/output

The dash (-) at the end of the second command is just telling bash to read in standard in and process it. So,

sudo -E bash - </tmp/output

is equivalent to

sudo -E bash </tmp/output

The "-E" option is actually associated with sudo, not with bash. Running the command:

man sudo

shows that -E preserves the environment.

Hope this helps clarify some things for you.

Good luck with learning linux! :)

Lewis M
  • 755
  • Wheee! Definitely +1 for the clarity. Nice answer. – Konrad Viltersten Sep 10 '18 at 19:16
  • As a side note, pipe works exactly the same way in a Windows/DOS environment. You can type, for example, dir | find "foo" on the command line to list all files containing foo in the current directory. – Selcuk Sep 11 '18 at 00:40
  • @Selcuk For DOS/CMD yes, but PowerShell is object-oriented so you're no longer passing stdin, but objects and you'd need Where { $_.Name -eq "Foo" } on the other side of pipe – Sergiy Kolodyazhnyy Sep 11 '18 at 02:02