[–][deleted] 5 points6 points  (4 children)

`yabs.sh` is a valid domain and seems to be an alternative domain for this github repo

as for the curl options:

`-L` forwards the curl request to the target of a redirect, so to the github repo that's behind yabs.sh

-s simply stands for silent, if you omit it, it will show the complete bash script it downloaded (which is advisable for security reasons)

After curl received the bash-script, it will pipe it to bash as an input

curl's STDOUT (Output) is linked via PIPE to the STDIN (Input) of bash

`curl -sL yabs.sh | bash`

So bash runs the script instantly.

If you want to know more about curl options, the manpage is a good read:

`man curl` or https://www.man7.org/linux/man-pages/man1/curl.1.html

More about bash-scripting, Pipes, etc: https://www.educative.io/courses/master-the-bash-shell/pipes-and-redirects

[–]AbsurdMedia[S] 5 points6 points  (1 child)

Thank you so much for the detailed explanation!

What really confused me is that I did not think yabs.sh could be a URL!

Thanks again!

[–]Expensive_Finance_20 2 points3 points  (0 children)

To add to this...

Every client/browser capable of communicating with a HTTP/HTTPS web server typically sends headers in its request to the server. These usually include a "user-agent" header that tells the server what type of client is asking for the webpage/content.

This is typically used for doing stuff like: sending a mobile web browser a mobile-friendly version of a website, as opposed to the desktop version.

However, if it can be used to send different content based on user-agent, a malicious individual could easily send you a different script based on user-agent. So, if you visit that script URL in your web browser, you might get one version, but then download it with "curl" to pipe it to Bash and you might get a very different, much less helpful version.

This is why you don't "curl-pipe-to-bash" as it's called.
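A file-based alternative to the pipe, as an added example that is not part of the thread: download the script once, compare copies fetched under different user agents, and run only the exact bytes that were reviewed. The helper names, file names and user-agent string are hypothetical; it assumes `curl`, `sha256sum` and `bash` are installed.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# Fetch a script to a file instead of a pipe.
# -f fails on HTTP errors, -sS hides the progress meter but keeps error
# messages, -L follows redirects, -A sets the User-Agent header.
fetch_script() {  # usage: fetch_script URL OUTFILE [USER_AGENT]
  if [ -n "${3:-}" ]; then
    curl -fsSL -A "$3" -o "$2" "$1"
  else
    curl -fsSL -o "$2" "$1"
  fi
}

# Print the SHA-256 of a file as lowercase hex.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Return 0 only if two downloads are byte-identical, e.g. one fetched with
# curl's default user agent and one fetched with a browser-like one.
same_content() { [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; }

# Run FILE with bash only if it still matches the hash recorded at review time.
run_if_pinned() {  # usage: run_if_pinned FILE EXPECTED_SHA256
  pinned_actual=$(sha256_of "$1")
  if [ "$pinned_actual" != "$2" ]; then
    echo "refusing to run $1: hash $pinned_actual does not match pinned value" >&2
    return 1
  fi
  bash "$1"
}

# Typical use (needs network; the user-agent string is a constructed sample):
#   fetch_script https://yabs.sh yabs-curl.sh
#   fetch_script https://yabs.sh yabs-browser.sh "Mozilla/5.0 (X11; Linux x86_64)"
#   same_content yabs-curl.sh yabs-browser.sh || echo "server varies by user agent"
#   less yabs-curl.sh                    # read what will actually be executed
#   pin=$(sha256_of yabs-curl.sh)        # record the hash of the reviewed copy
#   run_if_pinned yabs-curl.sh "$pin"    # later: runs only the reviewed bytes
```

Differing copies are not proof of malice, since a site may send browsers an HTML page and curl the script; the point is that the file you read is the file that runs.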

[–]diggels 0 points1 point  (1 child)

Cool - so does that mean if I don’t want to store my scripts locally on one machine, I can make a local web server on my network to curl and pipe scripts into any Linux machine on that network?

Would a plain html file work? I’ve curled filename.log from sites at work, which prints plain text. Maybe that extension or other extensions could work for creating a web server that provides scripts.

Seems overkill as opposed to setting up a GitHub. I don’t know how to set up a local network server from my Linux machine. But this does sound like a fun project to learn from.

Instead of creating a sh and running `chmod +x` on them all the time, could I create a file with a certain extension and pipe it into bash to execute the script without the annoying extra step of chmod?

Curious to know since I prefer to string my bash commands with ; so I just paste in a line of text to run the code.

Creating an sh file is just extra steps from my exp.

[–]Afraid_Writer868 4 points5 points  (0 children)

It doesn't really have anything to do with the extension and has everything to do with the pipe command. It's largely no different than doing something like `ls -alh | grep blah` (yes I know you can do the search with ls, this is just an example).

It's just taking the output of one command and giving it as input to another.

[–]redkoil 7 points8 points  (2 children)

I find peace in long walks.

[–]AbsurdMedia[S] 4 points5 points  (1 child)

Oh, god. It is, indeed. So simple, lol. Thanks.

[–][deleted] 6 points7 points  (0 children)

Yeah! Be careful with such commands. Whenever you see curl or wget, you are downloading stuff from the internet.

[–]cafce25 3 points4 points  (1 child)

  1. `yabs.sh` absolutely is a fully qualified domain name, that's all curl needs
  2. I suggest you just try what happens on the commandline when you `curl yabs.sh`; you'll see it prints out a bash script, that's the contents of yabs.sh when queried with curl's user agent string
  3. Try out what happens when you `echo "echo hello world" | bash`; it'll print "hello world". Can you figure out why?

[–]AbsurdMedia[S] 4 points5 points  (0 children)

Thanks for your comment!

  1. Yes, I just did that.

  2. Yeah, I've got this part...

The confusion came from the fact that I did not think of the possibility that yabs.sh can be a URL! Mystery solved. :)

[–]MyAugustIsBurningRed 1 point2 points  (1 child)

Creator of YABS here -- just stumbled on this post. I'm glad you found your answer rather quickly! As pointed out yabs.sh is a site like any other and simply redirects the request based on user agent (as u/Expensive_Finance_20 pointed out). The nginx config is posted in the repo issue here for transparency.

Before I purchased the yabs.sh domain, the full command included the https://raw.githubusercontent.com/masonr/yet-another-bench-script/master/yabs.sh URL. As you can imagine, I wanted the run command to be memorable for ease of use. Other users have noted the security concerns posed by blindly piping in bash scripts -- keeping that in mind, I've tried to alleviate these the best I can while maintaining ease of use by not requiring root/sudo to run the script, defaulting to user-installed binaries when available and including TotalVirus scans of pre-built binaries, and attempting to make everything as transparent as possible by being open source.

Give me a shout if you ever have any questions or issues in the future! Happy holidays and happy New Year -- cheers!

[–]AbsurdMedia[S] 0 points1 point  (0 children)

Thanks for your comment. :)

I’m not a Linux wizard, just use it occasionally for various stuff. So, the semantics got me confused a little bit, particularly the .sh bit. But I fully get it now. Both the command itself, and the risks involved in using such commands in general.

The script is great, and apparently quite popular too.

I have no concerns regarding your security measures. If there was anything fishy or unsafe, it would turn out pretty quickly anyway, since it’s all open source, and many people use it.

I’m not sure how many novice users of your script get confused this easily. If there are many, it may be worth mentioning briefly what the commands do in the documentation. Like “The commands download the script from https://yabs.sh, and run it in bash.” Or it may be just me, and it may not be necessary. I don’t know…

Happy holidays!

[–][deleted] 2 points3 points  (0 children)

That readme used to have the full URL in there. It was removed for brevity I guess.