Running remote scripts (cloud scripts) locally --- as validly and securely as possible
I use CentOS with Bash and I would like to download, execute and delete the executed downloaded file (running a remote/cloud script locally).
I often prefer to load my own shell scripts from my own GitHub account. I will normally do it for small shell scripts not exceeding approximately 25 code lines.
I tried to execute a remote script ending with a while true; do case esac done with:
wget -O - https://raw.githubusercontent.com/<username>/<project>/<branch>/<path>/<file> | bash
But then I had the problem of an endless loop of echo in a case esac for some reason (CTRL+C stopped it), so I turned to a more "traditional" way of running remote scripts such as:
cd DESTINATION &&
wget https://raw.githubusercontent.com/<username>/<project>/<branch>/<path>/<file> &&
source FILENAME &&
rm FILENAME
How would you make that "traditional" code more validated? More secured?
An example for a current problem; the file downloaded can have a trivial name such as install.sh and collide with similar files (the rm is especially problematic here I think).
1 answer
An example for a current problem; the file downloaded can have a trivial name such as install.sh and collide with similar files (the rm is especially problematic here I think).
This is why tempfile exists.
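# Create a uniquely named temporary file so the download cannot collide with an existing file
FILENAME=$(tempfile)
cd DESTINATION &&
# Quote the variable so the path is always passed as a single word
wget -O "${FILENAME}" https://raw.githubusercontent.com/<username>/<project>/<branch>/<path>/<file> &&
source "${FILENAME}" &&
rm "${FILENAME}"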
If you really want the temp file to be in DESTINATION, you can change the invocation to tempfile -d DESTINATION.
3 comments
Thank you Peter, about ${HOME} it was a mistake, I should have written DESTINATION or something like that. Thanks again,
Hello Peter, I have suggested an edit but maybe it wasn't saved or rejected? I don't have any notification and can't find any history. Please tell me if you rejected the edit... I have just tried to make the answer in line with my original intention (to write DESTINATION instead of $HOME) and with my own question edit... Thanks,
@JohnDoea, I saw the proposed edit before the change to the question and it seemed to make the answer worse rather than better. I can apply the changes again though, fixing the typo.
3 comments
It might help to say what you are considering under the label “secure” here. Do you trust the scripts? — dmckee 20 days ago
@dmckee I do, I originally meant scripts from my own GitHub accounts; I am far from knowing a lot on shell security / command validation :) — JohnDoea 20 days ago
In that case Peter is on the right track. — dmckee 19 days ago
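The temp-file approach from the answer, extended with an integrity check and guaranteed cleanup. This is an added example, not code from the question or the answer. It uses mktemp (coreutils) in place of tempfile, and it assumes you record the script's SHA-256 digest when you publish it; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (constructed): download to a private temp file, verify a
# pinned SHA-256 digest, run the script, and always delete the file.

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE in a child bash only if its digest matches the pinned value.
verify_and_run() {
    local file=$1 expected=$2 actual
    shift 2
    actual=$(sha256sum "$file") || return 1
    actual=${actual%% *}             # keep only the hex digest
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual" >&2
        return 1
    fi
    # Child process instead of `source`: the script cannot change the calling
    # shell, and stdin stays on the terminal (unlike `wget -O - ... | bash`,
    # where stdin is the script text itself).
    bash "$file" "$@"
}

# run_remote URL EXPECTED_SHA256 [ARGS...]
# The body is a subshell, so the EXIT trap fires when the function finishes.
run_remote() (
    url=$1 expected=$2
    shift 2
    case $url in
        https://*) ;;                # refuse plaintext or unexpected schemes
        *) echo "refusing non-HTTPS URL: $url" >&2; exit 1 ;;
    esac
    tmp=$(mktemp) || exit 1          # unique name, mode 0600: no collisions
    trap 'rm -f "$tmp"' EXIT         # cleanup on success and on failure
    wget -q -O "$tmp" "$url" || exit 1
    verify_and_run "$tmp" "$expected" "$@"
)
```

Call it as `run_remote <url> <sha256>`; a changed or truncated download fails the digest check and is deleted without being executed.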