1. Overview
Various installation guides in Linux involve running a shell script first, which we download and then execute separately using Bash. Not only installation guides but also custom shell scripts written for automating manual activities involve downloading and executing scripts.
In this tutorial, we’ll cover a way using curl and wget to download and execute a script in a single step.
We must be cautious when using this method because downloading and executing scripts through an unsecured connection may lead to installing malware. Furthermore, we also need to ensure we’re using updated TLS protocols and curl/wget libraries.
We can partially manage the risk by creating a dedicated, unprivileged non-wheel user group, and execute the scripts from it. This ensures that no script is executed with administrator privileges.
2. Installation and Usage – curl
Some Linux distributions may not have curl installed by default.
We can install it on any Ubuntu/Debian system using apt-get:
$ sudo apt-get install curl
Or we can similarly install it on CentOs/Fedora/Redhat:
$ sudo yum install curl
Now, to download and execute a script with cURL, we can use the -s option. Then, we pipe the result to bash:
$ curl -s http://example.com/script.sh | bash
When we use the -s option, we’re asking cURL to get all content at the URL silently which doesn’t display statistics like average download speed and total time.
This enables us to use a pipe | and feed it to the Bash command which will actually execute the script.
3. Installation and Usage – wget
Most Linux distributions have wget installed by default.
We can install it on any Ubuntu/Debian system using apt-get:
$ sudo apt-get install wget
Or we can similarly install it on CentOs/Fedora/Redhat:
$ sudo yum install wget
Now, to download and execute a script with wget, we can use the -q0 options, a hyphen, and then pipe the result to bash:
$ wget -qO - http://example.com/script.sh | bash
When we use the -q option, we are telling wget to quietly download the file by not printing its verbose output.
The option O is used to save the content of script.sh to a file. The trailing hyphen (the one between -qO and http://) is to tell wget to direct this content to /dev/stdout. Anything directed to /dev/stdout is displayed right on the terminal, that’s the reason why the content of script.sh is never written to disk.
This trailing hyphen enables us to pipe the content of script.sh to the bash command which actually executes it. If we use wget without a trailing hyphen and capital O, then get will save the content of the file to disk with the filename script.sh. This is because wget is actually used to download files in Linux.
On the other hand, curl will never download files by default. Although, we’ve just seen how we can use it that way.
4. Conclusion
In this short article, we learned how to execute a shell script directly from a URL using curl and wget.
We learned that it is risky to download and execute scripts through an unsecured connection. Downloading the scripts first and scanning through them with a regular editor for potentially malicious commands can help mitigate risk. We also saw that it’s important to ensure we’re using updated TLS protocols and curl/wget libraries.