Wget a script and run it

Solution 1:


Before running the script, do you trust the person who wrote it?

For example, did you expect the script to contain this?

echo "brain1" > /etc/hostname

That will try to change your hostname.

For future reference, if, after verifying the script is correct and not malicious, you can run it in one line like this:

wget -O - http://dl.dropbox.com/u/11210438/flockonus-stack.sh | bash

But download it separately and read it before running it the first time.

Also note that interactive prompts inside the downloaded script may not work properly using this method.

Solution 2:

Non-Interactive Scripts

wget -O - http://website.com/my-script.sh | bash

Note that when using this method, interactive scripts will not work.

Interactive Scripts

In order to get interactive scripts working, you can use this:

bash <(wget -qO- http://website.com/my-script.sh)

Interactive Scripts that need to be run as root

Warning: This is extremely dangerous. Not recommended.

sudo su -c "bash <(wget -qO- http://website.com/my-script.sh)" root

Note that you cannot simple use sudo bash since using <(...) will create a virtual file and it's file descriptor will not be accessible from roots bash instance. It must be executed on the same user that needs to read the virtual file, so it has to be sent as it's own command inside the root users shell.

Solution 3:

That script is from me, it is safe.. Loved the one-liner, but, it has some interactive lines that didn't run.. dunno why?

When dpkg runs, called by apt-get, it flushes stdin. If you are using a command like curl blah | bash, then you are basically sending contents of the page to bash via STDIN. If one of your commands is apt-get, then runs, everything else will be flushed.

The trick is to use a command like this apt-get install --yes denyhosts </dev/null. This gives apt-get a different input, and it simply flushes /dev/null instead of the rest of your script.

If you want to see a complete example of installing something via a remote script you may want to look at this script for setting up denyhosts

For the record, I prefer curl over wget for this, but wget should also be fine.

Solution 4:

if [ ! -f "/tmp/flockonus-stack.sh" ]
    wget -O /tmp/flockonus-stack.sh http://dl.dropbox.com/u/11210438/flockonus-stack.sh

sh /tmp/flockonus-stack.sh

Solution 5:

All of these examples are missing a fairly important point. If you use the url http://dl.dropbox.com/u/11210438/flockonus-stack.sh, you need to audit the script every time you download it, because it can be modified by anyone on the network path between you and dropbox. If you switch to https://dl.dropbox.com/u/11210438/flockonus-stack.sh, you won't have that source of insecurity.

(Dropbox tries to redirect the http URL to https, but in the case of a network attack wget would never get to speak to the real dropbox, and would never see the redirect)