My story of running scripts from the web
One of the famous terrifying ideas for system administrators is people being told 'oh, to install this just pipe this URL into a (root) shell' (see, for example, this tweet). On Twitter I mentioned that I used to do this sometimes, so today I'm going to explain myself. Trust me, it's less insane than it looked.
Once upon a time I was responsible for a bunch of more or less identical Linux machines. We had two forms of automated installs. One was a bare machine install, where you stuck a USB key on the machine, booted from it, and specified various information about the machine in the process. The other was a reinstall of an existing machine, which could be done entirely over the network and automatically took all of the necessary bits from the machine's existing configuration. The reinstall had to be set up by some management scripts.
(The full complex background for this is in How CQUEST installs generic machines, which is something I wrote long ago before I started WanderingThoughts. I think it dates from 2003 or 2004. Note that CQUEST is a lot different today.)
Every so often an automated install would go wrong, either because of a bug in our scripts or because of some system problem. Usually the result of this was that the machine had the base OS installed but had not applied our post-install customizations and had none of our normal environment available; no NFS mounts, no management scripts, and so on. In particular, it lacked the management infrastructure that would set up a reinstall.
We could have fixed these machines with a bare machine (re)install, but that was annoying for various reasons. So instead I had a script that would bring up enough of the management infrastructure and set up a hands-off reinstall. That left me with the problem of getting the script on to a broken machine and running it, and you can probably guess what my answer was: I put the script on the web server, and we ran it with:
lynx -dump MAGIC-URL | sh
(This was so long ago that lynx was the obvious choice.)
At the time this struck me as clever. Today I would probably change it to something like 'scp ... /tmp/rerun.sh; sh /tmp/rerun.sh', but that's partly me being conditioned by how we do things around here.
(I don't think that there's a big difference in security between the two options, but it may be easier for an attacker to pervert your web server configuration or alter a script that is hanging out on the web server separate from the rest of your install environment.)