├── LICENSE
├── README.md
├── curlbrash
└── install.sh

/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2015 Ben Hughes

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# curlbrash

This is an installer script to fix the blight of people doing `curl ... | sudo sh` in your infrastructure.

See [my presentation from LASCON 2015](https://speakerdeck.com/barnbarn/security-for-non-unicorns-2?slide=36).

## Installation

Ironically:

```bash
curl -s https://raw.githubusercontent.com/barn/curlbrash/master/install.sh | sudo sh
```

Yup!

## Usage

`curl` is now a shell script that checks whether its stdout is a pipe. If it is, it checks whether a `sudo sh` (or another shell run under sudo) is running on the same tty. If one is, it bails out and tells you this is a terrible idea.

Any other usage of curl is just passed straight through.

## What?

"You're joking, right?"

Well, kind of. It's partly to make a point. See the presentation.

"What's wrong with `curl | bash`?"

Well, a bunch of things. Not least that it leaves no trace of what actually happened when you ran it. Nothing left on disk. Which is my main problem.

## Who did this?

[@benjammingh](https://twitter.com/benjammingh) on the Twitters.
--------------------------------------------------------------------------------

/curlbrash:
--------------------------------------------------------------------------------
#!/bin/bash

# Path of the real curl binary; install.sh substitutes it at install time.
CURL=XXCURLLOCATIONXX

# 1 = nothing suspicious found (pass through to curl), 0 = a sudo'd shell was found.
SKETCH=1

FORMOPT=
TYPEFORM=
# Portable wrapper around stat(1): GNU stat takes --format %F, BSD stat takes -f %HT.
stat() {
  if [ -z "$FORMOPT" ]
  then
    if /usr/bin/stat --version >/dev/null 2>&1
    then
      FORMOPT=--format
      TYPEFORM=%F
    else
      FORMOPT=-f
      TYPEFORM=%HT
    fi
  fi
  FORMARG=
  case $1 in
    type) FORMARG="$FORMOPT $TYPEFORM" ; shift ;;
  esac
  /usr/bin/stat -L $FORMARG "$@"
}

# Duplicate stdout onto fd 9 and ask what it is. If it is not a fifo
# (i.e. curl is not being piped into anything), hand over to the real curl.
exec 9>&1
case $(stat type /dev/fd/9) in
  [Ff]ifo*) : ;;
  *) exec $CURL "$@" ;;
esac

# If we have a terminal, only look for sudo'd shells on our own tty.
if test -t 0
then
  # get our terminal name as ps prints it (e.g. /dev/ttys000 -> s000, /dev/pts/0 -> pts/0)
  t=$(tty) ; t=${t/\/dev\/} ; t=${t/tty/}
  ps auxww | egrep '[[:space:]][[:space:]]*sudo[[:space:]][[:space:]]*.*(ba|z|tc|c)?sh' | egrep -q " $t "
  SKETCH=$?
else
  ps axww | egrep -q '[[:space:]][[:space:]]*sudo[[:space:]][[:space:]]*.*(ba|z|tc|c)?sh'
  SKETCH=$?
fi

if [ ${SKETCH} -eq 1 ]
then
  exec $CURL "$@"
else
  # Our stdout is the shell's stdin, so emit a line for that shell to run.
  echo "echo 'Seriously, stop using curl pipe sudo bash.'"
fi
--------------------------------------------------------------------------------

/install.sh:
--------------------------------------------------------------------------------
#!/bin/sh

set -e

gitrawurl='https://raw.githubusercontent.com/barn/curlbrash/master/curlbrash'

if [ "$(id -u)" -ne 0 ]
then
  echo "Need to be root"
  exit 10
fi

echo "Really, this is what you're doing?"

# Under `set -e` a failing command substitution in an assignment exits the
# script before a following `$?` check can run, so test the assignment itself.
if ! curlloc="$(/usr/bin/which curl)" || [ -z "${curlloc}" ]
then
  echo "Failed to find curl"
  exit 20
fi

# Refuse to run twice: a second run would move the wrapper over the real
# curl that the first run saved as .orig.
if [ -e "${curlloc}.orig" ]
then
  echo "${curlloc}.orig already exists; curlbrash looks installed"
  exit 30
fi

tempfoo=`basename $0`
TMPFILE=`mktemp /tmp/${tempfoo}.XXXXXX` || exit 1

curl -s -L -o "${TMPFILE}" "${gitrawurl}"

mv "${curlloc}" "${curlloc}.orig"

# Bake the real curl's new path into the wrapper and put the wrapper where curl was.
sed -e "s^XXCURLLOCATIONXX^${curlloc}.orig^" <"${TMPFILE}" >"${curlloc}"
chmod 0555 "${curlloc}"
rm "${TMPFILE}"

echo "Irony complete. No more 'curl | sudo sh' for you!"
--------------------------------------------------------------------------------
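The tty check the wrapper performs, as an added example that is not curlbrash's own code: the same `sudo ... sh` pattern and tty match, wrapped in a function and run over a constructed `ps auxww` sample with macOS-style tty names, so you can see what the heuristic flags without installing anything. The sample includes a `sudo tail -f shop.log` line to show that any sudo'd command line containing `sh` also matches.

```shell
# Added example, not part of curlbrash. Mirrors the wrapper's egrep pair:
# first the "sudo ... sh" pattern, then the tty column as ps prints it.
# Returns 0 (sketchy: a sudo'd shell seems to be on that tty), 1 otherwise.
sudo_shell_on_tty() {
    tty_name="$1"   # e.g. s000 (macOS) or pts/0 (Linux)
    printf '%s\n' "$2" \
      | grep -E '[[:space:]]+sudo[[:space:]]+.*(ba|z|tc|c)?sh' \
      | grep -Eq " ${tty_name} "
}

# Constructed `ps auxww` output (not captured from a real machine).
SAMPLE_PS='USER   PID   %CPU %MEM  VSZ    RSS  TT    STAT STARTED TIME    COMMAND
alice  4242  0.0  0.0   428000 1200 s000  S+   9:00AM 0:00.01 curl -s https://example.invalid/install.sh
root   4243  0.0  0.0   428000 1100 s000  S+   9:00AM 0:00.01 sudo sh
root   4244  0.0  0.0   428000  900 s000  S+   9:00AM 0:00.01 sh
bob    5150  0.0  0.0   428000 1000 s001  S+   9:05AM 0:00.01 sudo vim notes.txt
carol  6161  0.0  0.0   428000 1000 s002  S+   9:07AM 0:00.01 sudo tail -f shop.log'

# Same constructed format, nothing running under sudo at all.
CLEAN_PS='USER   PID   %CPU %MEM  VSZ    RSS  TT    STAT STARTED TIME    COMMAND
alice  4242  0.0  0.0   428000 1200 s000  S+   9:00AM 0:00.01 curl -s https://example.invalid/install.sh
alice  4245  0.0  0.0   428000  900 s000  S+   9:00AM 0:00.01 sh'

# Walk each tty in the sample and report what the wrapper would do there.
report() {
    for tty_name in s000 s001 s002; do
        if sudo_shell_on_tty "$tty_name" "$SAMPLE_PS"; then
            echo "$tty_name: sudo'd shell found, curl would refuse to pipe"
        else
            echo "$tty_name: clean, curl would pass through"
        fi
    done
}
```

s002 is reported as sketchy only because `shop.log` contains `sh`; the wrapper's check is a heuristic on the process table, not proof of a `curl | sudo sh`.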