Just run the following command from your shell:
$ wget -q -O - http://tserong.github.io/sudo-wget/install | sudo bash
Why This is a Bad Idea
Let's look at that command in detail. It's downloading something via HTTP (which is unencrypted and provides no guarantee of authenticity) and then executes whatever was downloaded in a root shell. Here's a non-exhaustive list of potential problems:
- A transparent proxy or other bit of trickery on the network between you and the server could be tampering with or replacing what you're downloading.
- DNS cache poisoning could have directed your request to some other site, again delivering potentially malicious code.
- Someone (not the author of the install script) could have compromised the server and replaced said script with something nasty.
- That potentially nasty, unverified piece of code that you haven't reviewed yourself is being executed immediately with root permissions.
How Can This Be Fixed
If you presently recommend any variant of the above command for installation or bootstrapping your software, stop doing that immediately. Instead, try one of these alternatives:
- If your install script is sufficiently short, just publish the commands to run in your installation documentation.
- If your script is long and complicated, offer it for download along with MD5 and SHA1 signatures of the file, then encourage your users to check both before running the script. Better yet, PGP sign it and encourage your users to verify the signature. Make sure you serve the MD5, SHA1 and PGP signatures over SSL.
- If it's Linux software, see if you can dispense with standalone install scripts entirely and instead build proper signed packages (the Open Build Service can build packages for various Linux distros which will be signed by the build system's PGP key).
If you are a user of some software which recommends any variant of the above command, please point the author of said software to this page.
Tim Serong (@tserong) is responsible for this public service announcement. Special thanks are due to the denizens of #linux.conf.au on irc.freenode.net for reviewing this.
No responsibility is accepted for the effects of evil transparent proxies, DNS cache poisioning, or any other form of malicious attack on any of your systems that may result from running the command listed under "Installation Instructions".