Piping Data When Not Running a Command with sudo
From a security standpoint, you should avoid running everything with sudo, as it increases the risk of you accidentally wiping your machine, or a malicious script compromising your machine.
But this can be a real pain, for instance if you need to write to protected file(s).
The solution here is to use the tee command, and make sure that only tee is run as root. A huge benefit of using tee, too, is that it'll render the output both to the file specified, and to stdout, so you have a chance to see if there's anything suspicious being output.
For instance, I used to run this setup to set up my Arch Linux package mirrors:
curl -s 'https://www.archlinux.org/mirrorlist/?country=GB&protocol=http&protocol=https&ip_version=4&use_mirror_status=on' \
| sed 's/^#//' \
| sudo tee /etc/pacman.d/mirrorlist
This means that only the final stage of the pipeline, tee, is run as root; curl and sed run as your own user, so a remote code execution in either of them is less likely to cause massive damage to the system.
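Because tee writes the file at the same moment it echoes to stdout, any check of the content has to happen before the privileged step. The following is an added example, not code from the original post: it buffers the pipeline output as your own user, validates it against the mirrorlist line format, and only then hands it to sudo tee. The function names, the optional writer override and the sample inputs are assumptions of this example.

```shell
# Added example; all names here are this example's own, not from the post.
# validate_mirrorlist FILE: succeeds only if FILE has at least one
# "Server = http(s)://..." entry and otherwise only blank or "#" comment lines.
validate_mirrorlist() {
    grep -Eq '^Server = https?://' "$1" || return 1
    ! grep -Evq '^([[:space:]]*|#.*|Server = https?://[A-Za-z0-9._/$:-]+)$' "$1"
}

# install_checked DEST [WRITER...]
# Buffers stdin as the calling user, validates it, then pipes it to the
# privileged writer. WRITER defaults to "sudo tee"; passing plain "tee" is an
# assumption of this example so it can be exercised without root.
install_checked() {
    dest=$1; shift
    [ "$#" -gt 0 ] || set -- sudo tee
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    rc=0
    if validate_mirrorlist "$tmp"; then
        "$@" "$dest" < "$tmp" || rc=$?
    else
        echo "refusing to write $dest: unexpected content" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample inputs (not real mirror data).
sample_good() {
    cat <<'EOF'
# Arch Linux repository mirrorlist
# United Kingdom
Server = https://mirror.example.org/archlinux/$repo/os/$arch
EOF
}
sample_bad() {
    cat <<'EOF'
Server = https://mirror.example.org/archlinux/$repo/os/$arch
<html><body>503 Service Unavailable</body></html>
EOF
}

# Demo without root: plain tee into a scratch file stands in for "sudo tee".
demo_out=$(mktemp)
sample_good | install_checked "$demo_out" tee
sample_bad | install_checked "$demo_out" tee || echo "rejected, file untouched"
rm -f "$demo_out"
```

With the post's pipeline, the last stage becomes install_checked /etc/pacman.d/mirrorlist in place of sudo tee /etc/pacman.d/mirrorlist.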