What does the syntax of pipe and ending dash mean? [duplicate]
Clash Royale CLAN TAG#URR8PPP
up vote
5
down vote
favorite
This question already has an answer here:
pipe to sudo -E bash -
2 answers
What does the â-â in âbash -â mean?
1 answer
Disclaimer. I'm a long-time Windows user and just starting to get my head around the Linux paradigm. While excited by it, I understand that my formulations might be poorly chosen due to ignorance.
I've received an answer, the contents of which included the following line, which I need help interpreting (after a while of googling I've got a pretty good guess but I'd like to make it more reliable).
curl -sL https://blabla | sudo -E bash -
I understand that we first create a web call to the URL blabla and then (here's the pipe magic popping up) execute a command with admin elevated privileges to open a new terminal window instance.
However, when I try to digest the command, I learn that it's equivalent to the following sequence.
curl --silent --location https://blabla
sudo -E bash -
Question 1: Is that correctly understood?
Further on, I tried to learn what the switches for the second line are and used the statement as follows.
man bash | sed -n '/-E/,+1p'
However, I can't really see what "-E" is shorthand for (is it --empty or is it -- or maybe --err) and get stuck on the interpretation. Also, I can't figure out what the alone dash character does and I'm not sure how to look it up in the manual using the statement above.
Question 2: How do I look up the verbose syntax for the switches?
Question 3: What is the meaning of the dash character without the switch?
command-line bash syntax
New contributor
marked as duplicate by muru
StackExchange.ready(function()
if (StackExchange.options.isMobile) return;
$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');
$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();
);
);
);
2 days ago
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
add a comment |Â
up vote
5
down vote
favorite
This question already has an answer here:
pipe to sudo -E bash -
2 answers
What does the â-â in âbash -â mean?
1 answer
Disclaimer. I'm a long-time Windows user and just starting to get my head around the Linux paradigm. While excited by it, I understand that my formulations might be poorly chosen due to ignorance.
I've received an answer, the contents of which included the following line, which I need help interpreting (after a while of googling I've got a pretty good guess but I'd like to make it more reliable).
curl -sL https://blabla | sudo -E bash -
I understand that we first create a web call to the URL blabla and then (here's the pipe magic popping up) execute a command with admin elevated privileges to open a new terminal window instance.
However, when I try to digest the command, I learn that it's equivalent to the following sequence.
curl --silent --location https://blabla
sudo -E bash -
Question 1: Is that correctly understood?
Further on, I tried to learn what the switches for the second line are and used the statement as follows.
man bash | sed -n '/-E/,+1p'
However, I can't really see what "-E" is shorthand for (is it --empty or is it -- or maybe --err) and get stuck on the interpretation. Also, I can't figure out what the alone dash character does and I'm not sure how to look it up in the manual using the statement above.
Question 2: How do I look up the verbose syntax for the switches?
Question 3: What is the meaning of the dash character without the switch?
command-line bash syntax
New contributor
marked as duplicate by muru
StackExchange.ready(function()
if (StackExchange.options.isMobile) return;
$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');
$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();
);
);
);
2 days ago
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
5
Should be noted that commands which paircurl
or any tool which downloads data from web with a shell is very poor practice for security reasons. The downloaded script is passed as raw data tobash
stdin, and thus doesn't live on disk, so you have no way of knowing what you may have executed. In fact, this is how exploits are downloaded onto servers. Unlike PowerShell, Unix shells have no execution policy. Best practice is to download script first, examine its contents, maybe compare hashsum, and only if you're sure it's safe - run it.
â Sergiy Kolodyazhnyy
2 days ago
1
In the particular answer you reference, it can be assumed safe because it comes from a trusted source and Thomas is one of our esteemed moderators on the site. But this of course doesn't change the fact that overall practice is bad.
â Sergiy Kolodyazhnyy
2 days ago
1
A "trusted source" is only trusted insofar as the hosting site, and any proxies in the way, haven't been compromised -- until/unless you actually check a signature on the content itself. There's a reason software packaging systems embed signatures inside the packages themselves, and provide a means of distributing lists of keys trusted to develop them -- so you can trust the package itself, rather than needing to trust the site you downloaded it from.
â Charles Duffy
2 days ago
...which is to say that no matter how much we trust the moderator at hand, it's not a good idea to also trust that their ISP hasn't been compromised and had their scripts bulk-modified to add shellcode!
â Charles Duffy
2 days ago
@CharlesDuffy Completely agree.
â Sergiy Kolodyazhnyy
2 days ago
add a comment |Â
up vote
5
down vote
favorite
up vote
5
down vote
favorite
This question already has an answer here:
pipe to sudo -E bash -
2 answers
What does the â-â in âbash -â mean?
1 answer
Disclaimer. I'm a long-time Windows user and just starting to get my head around the Linux paradigm. While excited by it, I understand that my formulations might be poorly chosen due to ignorance.
I've received an answer, the contents of which included the following line, which I need help interpreting (after a while of googling I've got a pretty good guess but I'd like to make it more reliable).
curl -sL https://blabla | sudo -E bash -
I understand that we first create a web call to the URL blabla and then (here's the pipe magic popping up) execute a command with admin elevated privileges to open a new terminal window instance.
However, when I try to digest the command, I learn that it's equivalent to the following sequence.
curl --silent --location https://blabla
sudo -E bash -
Question 1: Is that correctly understood?
Further on, I tried to learn what the switches for the second line are and used the statement as follows.
man bash | sed -n '/-E/,+1p'
However, I can't really see what "-E" is shorthand for (is it --empty or is it -- or maybe --err) and get stuck on the interpretation. Also, I can't figure out what the alone dash character does and I'm not sure how to look it up in the manual using the statement above.
Question 2: How do I look up the verbose syntax for the switches?
Question 3: What is the meaning of the dash character without the switch?
command-line bash syntax
New contributor
This question already has an answer here:
pipe to sudo -E bash -
2 answers
What does the â-â in âbash -â mean?
1 answer
Disclaimer. I'm a long-time Windows user and just starting to get my head around the Linux paradigm. While excited by it, I understand that my formulations might be poorly chosen due to ignorance.
I've received an answer, the contents of which included the following line, which I need help interpreting (after a while of googling I've got a pretty good guess but I'd like to make it more reliable).
curl -sL https://blabla | sudo -E bash -
I understand that we first create a web call to the URL blabla and then (here's the pipe magic popping up) execute a command with admin elevated privileges to open a new terminal window instance.
However, when I try to digest the command, I learn that it's equivalent to the following sequence.
curl --silent --location https://blabla
sudo -E bash -
Question 1: Is that correctly understood?
Further on, I tried to learn what the switches for the second line are and used the statement as follows.
man bash | sed -n '/-E/,+1p'
However, I can't really see what "-E" is shorthand for (is it --empty or is it -- or maybe --err) and get stuck on the interpretation. Also, I can't figure out what the alone dash character does and I'm not sure how to look it up in the manual using the statement above.
Question 2: How do I look up the verbose syntax for the switches?
Question 3: What is the meaning of the dash character without the switch?
This question already has an answer here:
pipe to sudo -E bash -
2 answers
What does the â-â in âbash -â mean?
1 answer
command-line bash syntax
command-line bash syntax
New contributor
New contributor
New contributor
asked 2 days ago
Konrad Viltersten
1374
1374
New contributor
New contributor
marked as duplicate by muru
StackExchange.ready(function()
if (StackExchange.options.isMobile) return;
$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');
$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();
);
);
);
2 days ago
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
marked as duplicate by muru
StackExchange.ready(function()
if (StackExchange.options.isMobile) return;
$('.dupe-hammer-message-hover:not(.hover-bound)').each(function()
var $hover = $(this).addClass('hover-bound'),
$msg = $hover.siblings('.dupe-hammer-message');
$hover.hover(
function()
$hover.showInfoMessage('',
messageElement: $msg.clone().show(),
transient: false,
position: my: 'bottom left', at: 'top center', offsetTop: -7 ,
dismissable: false,
relativeToBody: true
);
,
function()
StackExchange.helpers.removeMessages();
);
);
);
2 days ago
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
5
Should be noted that commands which paircurl
or any tool which downloads data from web with a shell is very poor practice for security reasons. The downloaded script is passed as raw data tobash
stdin, and thus doesn't live on disk, so you have no way of knowing what you may have executed. In fact, this is how exploits are downloaded onto servers. Unlike PowerShell, Unix shells have no execution policy. Best practice is to download script first, examine its contents, maybe compare hashsum, and only if you're sure it's safe - run it.
â Sergiy Kolodyazhnyy
2 days ago
1
In the particular answer you reference, it can be assumed safe because it comes from a trusted source and Thomas is one of our esteemed moderators on the site. But this of course doesn't change the fact that overall practice is bad.
â Sergiy Kolodyazhnyy
2 days ago
1
A "trusted source" is only trusted insofar as the hosting site, and any proxies in the way, haven't been compromised -- until/unless you actually check a signature on the content itself. There's a reason software packaging systems embed signatures inside the packages themselves, and provide a means of distributing lists of keys trusted to develop them -- so you can trust the package itself, rather than needing to trust the site you downloaded it from.
â Charles Duffy
2 days ago
...which is to say that no matter how much we trust the moderator at hand, it's not a good idea to also trust that their ISP hasn't been compromised and had their scripts bulk-modified to add shellcode!
â Charles Duffy
2 days ago
@CharlesDuffy Completely agree.
â Sergiy Kolodyazhnyy
2 days ago
add a comment |Â
5
Should be noted that commands which paircurl
or any tool which downloads data from web with a shell is very poor practice for security reasons. The downloaded script is passed as raw data tobash
stdin, and thus doesn't live on disk, so you have no way of knowing what you may have executed. In fact, this is how exploits are downloaded onto servers. Unlike PowerShell, Unix shells have no execution policy. Best practice is to download script first, examine its contents, maybe compare hashsum, and only if you're sure it's safe - run it.
â Sergiy Kolodyazhnyy
2 days ago
1
In the particular answer you reference, it can be assumed safe because it comes from a trusted source and Thomas is one of our esteemed moderators on the site. But this of course doesn't change the fact that overall practice is bad.
â Sergiy Kolodyazhnyy
2 days ago
1
A "trusted source" is only trusted insofar as the hosting site, and any proxies in the way, haven't been compromised -- until/unless you actually check a signature on the content itself. There's a reason software packaging systems embed signatures inside the packages themselves, and provide a means of distributing lists of keys trusted to develop them -- so you can trust the package itself, rather than needing to trust the site you downloaded it from.
â Charles Duffy
2 days ago
...which is to say that no matter how much we trust the moderator at hand, it's not a good idea to also trust that their ISP hasn't been compromised and had their scripts bulk-modified to add shellcode!
â Charles Duffy
2 days ago
@CharlesDuffy Completely agree.
â Sergiy Kolodyazhnyy
2 days ago
5
5
Should be noted that commands which pair
curl
or any tool which downloads data from web with a shell is very poor practice for security reasons. The downloaded script is passed as raw data to bash
stdin, and thus doesn't live on disk, so you have no way of knowing what you may have executed. In fact, this is how exploits are downloaded onto servers. Unlike PowerShell, Unix shells have no execution policy. Best practice is to download script first, examine its contents, maybe compare hashsum, and only if you're sure it's safe - run it.â Sergiy Kolodyazhnyy
2 days ago
Should be noted that commands which pair
curl
or any tool which downloads data from web with a shell is very poor practice for security reasons. The downloaded script is passed as raw data to bash
stdin, and thus doesn't live on disk, so you have no way of knowing what you may have executed. In fact, this is how exploits are downloaded onto servers. Unlike PowerShell, Unix shells have no execution policy. Best practice is to download script first, examine its contents, maybe compare hashsum, and only if you're sure it's safe - run it.â Sergiy Kolodyazhnyy
2 days ago
1
1
In the particular answer you reference, it can be assumed safe because it comes from a trusted source and Thomas is one of our esteemed moderators on the site. But this of course doesn't change the fact that overall practice is bad.
â Sergiy Kolodyazhnyy
2 days ago
In the particular answer you reference, it can be assumed safe because it comes from a trusted source and Thomas is one of our esteemed moderators on the site. But this of course doesn't change the fact that overall practice is bad.
â Sergiy Kolodyazhnyy
2 days ago
1
1
A "trusted source" is only trusted insofar as the hosting site, and any proxies in the way, haven't been compromised -- until/unless you actually check a signature on the content itself. There's a reason software packaging systems embed signatures inside the packages themselves, and provide a means of distributing lists of keys trusted to develop them -- so you can trust the package itself, rather than needing to trust the site you downloaded it from.
â Charles Duffy
2 days ago
A "trusted source" is only trusted insofar as the hosting site, and any proxies in the way, haven't been compromised -- until/unless you actually check a signature on the content itself. There's a reason software packaging systems embed signatures inside the packages themselves, and provide a means of distributing lists of keys trusted to develop them -- so you can trust the package itself, rather than needing to trust the site you downloaded it from.
â Charles Duffy
2 days ago
...which is to say that no matter how much we trust the moderator at hand, it's not a good idea to also trust that their ISP hasn't been compromised and had their scripts bulk-modified to add shellcode!
â Charles Duffy
2 days ago
...which is to say that no matter how much we trust the moderator at hand, it's not a good idea to also trust that their ISP hasn't been compromised and had their scripts bulk-modified to add shellcode!
â Charles Duffy
2 days ago
@CharlesDuffy Completely agree.
â Sergiy Kolodyazhnyy
2 days ago
@CharlesDuffy Completely agree.
â Sergiy Kolodyazhnyy
2 days ago
add a comment |Â
1 Answer
1
active
oldest
votes
up vote
6
down vote
accepted
The pipe command (|) means take the output of the command on the left and pass it in as input to the command on the right. So, you are almost correct in your understanding of what
curl -sL https://blabla | sudo -E bash -
does. What you are missing is capturing the output of the first command, and passing that into the second command. What you have above needs to be something like the following:
curl --silent --location https://blabla >/tmp/output
sudo -E bash - </tmp/output
The dash (-) at the end of the second command is just telling bash to read in standard in and process it. So,
sudo -E bash - </tmp/output
is equivalent to
sudo -E bash </tmp/output
The "-E" option is actually associated with sudo, not with bash. Running the command:
man sudo
shows that -E preserves the environment.
Hope this helps clarify some things for you.
Good luck with learning linux! :)
New contributor
Wheee! Definitely +1 for the clarity. Nice answer.
â Konrad Viltersten
2 days ago
As a side note, pipe works exactly the same way in a Windows/DOS environment. You can type, for example,dir | find "foo"
on the command line to list all files containingfoo
in the current directory.
â Selcuk
2 days ago
@Selcuk For DOS/CMD yes, but PowerShell is object-oriented so you're no longer passing stdin, but objects and you'd needWhere $_.Name -eq "Foo"
on the other side of pipe
â Sergiy Kolodyazhnyy
2 days ago
add a comment |Â
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
6
down vote
accepted
The pipe command (|) means take the output of the command on the left and pass it in as input to the command on the right. So, you are almost correct in your understanding of what
curl -sL https://blabla | sudo -E bash -
does. What you are missing is capturing the output of the first command, and passing that into the second command. What you have above needs to be something like the following:
curl --silent --location https://blabla >/tmp/output
sudo -E bash - </tmp/output
The dash (-) at the end of the second command is just telling bash to read in standard in and process it. So,
sudo -E bash - </tmp/output
is equivalent to
sudo -E bash </tmp/output
The "-E" option is actually associated with sudo, not with bash. Running the command:
man sudo
shows that -E preserves the environment.
Hope this helps clarify some things for you.
Good luck with learning linux! :)
New contributor
Wheee! Definitely +1 for the clarity. Nice answer.
â Konrad Viltersten
2 days ago
As a side note, pipe works exactly the same way in a Windows/DOS environment. You can type, for example,dir | find "foo"
on the command line to list all files containingfoo
in the current directory.
â Selcuk
2 days ago
@Selcuk For DOS/CMD yes, but PowerShell is object-oriented so you're no longer passing stdin, but objects and you'd needWhere $_.Name -eq "Foo"
on the other side of pipe
â Sergiy Kolodyazhnyy
2 days ago
add a comment |Â
up vote
6
down vote
accepted
The pipe command (|) means take the output of the command on the left and pass it in as input to the command on the right. So, you are almost correct in your understanding of what
curl -sL https://blabla | sudo -E bash -
does. What you are missing is capturing the output of the first command, and passing that into the second command. What you have above needs to be something like the following:
curl --silent --location https://blabla >/tmp/output
sudo -E bash - </tmp/output
The dash (-) at the end of the second command is just telling bash to read in standard in and process it. So,
sudo -E bash - </tmp/output
is equivalent to
sudo -E bash </tmp/output
The "-E" option is actually associated with sudo, not with bash. Running the command:
man sudo
shows that -E preserves the environment.
Hope this helps clarify some things for you.
Good luck with learning linux! :)
New contributor
Wheee! Definitely +1 for the clarity. Nice answer.
â Konrad Viltersten
2 days ago
As a side note, pipe works exactly the same way in a Windows/DOS environment. You can type, for example,dir | find "foo"
on the command line to list all files containingfoo
in the current directory.
â Selcuk
2 days ago
@Selcuk For DOS/CMD yes, but PowerShell is object-oriented so you're no longer passing stdin, but objects and you'd needWhere $_.Name -eq "Foo"
on the other side of pipe
â Sergiy Kolodyazhnyy
2 days ago
add a comment |Â
up vote
6
down vote
accepted
up vote
6
down vote
accepted
The pipe command (|) means take the output of the command on the left and pass it in as input to the command on the right. So, you are almost correct in your understanding of what
curl -sL https://blabla | sudo -E bash -
does. What you are missing is capturing the output of the first command, and passing that into the second command. What you have above needs to be something like the following:
curl --silent --location https://blabla >/tmp/output
sudo -E bash - </tmp/output
The dash (-) at the end of the second command is just telling bash to read in standard in and process it. So,
sudo -E bash - </tmp/output
is equivalent to
sudo -E bash </tmp/output
The "-E" option is actually associated with sudo, not with bash. Running the command:
man sudo
shows that -E preserves the environment.
Hope this helps clarify some things for you.
Good luck with learning linux! :)
New contributor
The pipe command (|) means take the output of the command on the left and pass it in as input to the command on the right. So, you are almost correct in your understanding of what
curl -sL https://blabla | sudo -E bash -
does. What you are missing is capturing the output of the first command, and passing that into the second command. What you have above needs to be something like the following:
curl --silent --location https://blabla >/tmp/output
sudo -E bash - </tmp/output
The dash (-) at the end of the second command is just telling bash to read in standard in and process it. So,
sudo -E bash - </tmp/output
is equivalent to
sudo -E bash </tmp/output
The "-E" option is actually associated with sudo, not with bash. Running the command:
man sudo
shows that -E preserves the environment.
Hope this helps clarify some things for you.
Good luck with learning linux! :)
New contributor
New contributor
answered 2 days ago
Lewis M
1062
1062
New contributor
New contributor
Wheee! Definitely +1 for the clarity. Nice answer.
â Konrad Viltersten
2 days ago
As a side note, pipe works exactly the same way in a Windows/DOS environment. You can type, for example,dir | find "foo"
on the command line to list all files containingfoo
in the current directory.
â Selcuk
2 days ago
@Selcuk For DOS/CMD yes, but PowerShell is object-oriented so you're no longer passing stdin, but objects and you'd needWhere $_.Name -eq "Foo"
on the other side of pipe
â Sergiy Kolodyazhnyy
2 days ago
add a comment |Â
Wheee! Definitely +1 for the clarity. Nice answer.
â Konrad Viltersten
2 days ago
As a side note, pipe works exactly the same way in a Windows/DOS environment. You can type, for example,dir | find "foo"
on the command line to list all files containingfoo
in the current directory.
â Selcuk
2 days ago
@Selcuk For DOS/CMD yes, but PowerShell is object-oriented so you're no longer passing stdin, but objects and you'd needWhere $_.Name -eq "Foo"
on the other side of pipe
â Sergiy Kolodyazhnyy
2 days ago
Wheee! Definitely +1 for the clarity. Nice answer.
â Konrad Viltersten
2 days ago
Wheee! Definitely +1 for the clarity. Nice answer.
â Konrad Viltersten
2 days ago
As a side note, pipe works exactly the same way in a Windows/DOS environment. You can type, for example,
dir | find "foo"
on the command line to list all files containing foo
in the current directory.â Selcuk
2 days ago
As a side note, pipe works exactly the same way in a Windows/DOS environment. You can type, for example,
dir | find "foo"
on the command line to list all files containing foo
in the current directory.â Selcuk
2 days ago
@Selcuk For DOS/CMD yes, but PowerShell is object-oriented so you're no longer passing stdin, but objects and you'd need
Where $_.Name -eq "Foo"
on the other side of pipeâ Sergiy Kolodyazhnyy
2 days ago
@Selcuk For DOS/CMD yes, but PowerShell is object-oriented so you're no longer passing stdin, but objects and you'd need
Where $_.Name -eq "Foo"
on the other side of pipeâ Sergiy Kolodyazhnyy
2 days ago
add a comment |Â
5
Should be noted that commands which pair
curl
or any tool which downloads data from web with a shell is very poor practice for security reasons. The downloaded script is passed as raw data tobash
stdin, and thus doesn't live on disk, so you have no way of knowing what you may have executed. In fact, this is how exploits are downloaded onto servers. Unlike PowerShell, Unix shells have no execution policy. Best practice is to download script first, examine its contents, maybe compare hashsum, and only if you're sure it's safe - run it.â Sergiy Kolodyazhnyy
2 days ago
1
In the particular answer you reference, it can be assumed safe because it comes from a trusted source and Thomas is one of our esteemed moderators on the site. But this of course doesn't change the fact that overall practice is bad.
â Sergiy Kolodyazhnyy
2 days ago
1
A "trusted source" is only trusted insofar as the hosting site, and any proxies in the way, haven't been compromised -- until/unless you actually check a signature on the content itself. There's a reason software packaging systems embed signatures inside the packages themselves, and provide a means of distributing lists of keys trusted to develop them -- so you can trust the package itself, rather than needing to trust the site you downloaded it from.
â Charles Duffy
2 days ago
...which is to say that no matter how much we trust the moderator at hand, it's not a good idea to also trust that their ISP hasn't been compromised and had their scripts bulk-modified to add shellcode!
â Charles Duffy
2 days ago
@CharlesDuffy Completely agree.
â Sergiy Kolodyazhnyy
2 days ago