My instructions tell you to copy and paste a command into your terminal window. Despite me telling you to do that, I am now going to tell you how unsafe that is. Many people browse the Internet, find the command they need, and blindly paste it into their terminal window. This one is blatantly (potentially) dangerous from a non-trusted source:
wget -qO- https://u.nu/brewpi-tools-remix | sudo bash
It’s going to download a script to your Raspberry Pi, and pipe (|) it through the command sudo bash. When you use sudo without any other arguments it will run the command which follows with root
privileges. So, you basically found someone on the Internet telling
you to run their code as root, without even knowing what it all does.
Despite the inherent risk, installing an application as root is often
necessary since some applications have to make global changes to your
system.
This is how bad things happen.
Even if you think you completely understand the command you are reading and copying, there is still an opportunity for a specially crafted web page to make the command look like one thing, but be a completely different command when you paste it. That would be A Bad Thing™. For an example, copy and paste this code into your terminal (or if you are now suitable paranoid, into a text editor:
git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!
Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd
git clone git://git.kernel.org/pub/scm/utils/kup/kup.git
(From this page which describes this copy/paste vulnerability.)
The lesson to be learned from this is if you are going to copy/paste a command from any source, always use an interim paste into a text editor like Notepad to make sure A Bad Thing™ doesn’t happen to you. Now you can join your previously scheduled show: Install Instructions, which is patiently waiting for you where you left it.
Wait. Now you don’t know if you should trust the setup command I provided? I’m shedding a happy tear. Security and the Internet is a rabbit hole filled with (justifiable) paranoia and bad actors. Your choices here however are:
- Trust me and run it
- Examine that script carefully and make sure it does nothing bad. Then, since the first one executes as root you need to follow that to the next one because it inherits that security construct. Ultimately you can drive yourself crazy when you realize the implications, or just accept that whenever you install free code from the Internet you take your chances. This is the case with any software, not just BrewPi.
- Do a manual install. I’ve detailed how that might be done in a post called: “For the Masochists.”
At some point I hope to list out the manual install steps necessary to replicate this series of automated steps for the truly paranoid. That’s quite frankly not a high priority for me since the goal here is to make BrewPi Legacy Remix available to every-day people. Those of you who would choose the manual steps can probably figure it all out anyway.
Cheers!
Return to the Installation Instructions.