zlacker

[return to "Detecting the use of "curl | bash" server-side"]
1. cjbpri+e2[view] [source] 2018-07-29 02:26:42
>>rubyn0+(OP)
Neat! But it's not obviously a bad idea. You have a TLS connection with the site you're downloading from. `curl | bash` is no worse than downloading a .dmg or .deb from the same server would be.
◧◩
2. vbezhe+p2[view] [source] 2018-07-29 02:30:38
>>cjbpri+e2
deb/rpm is better because it's usually signed by maintainer with GPG keys. I think that it's harder to steal keys from maintainer than to infiltrate web server.
◧◩◪
3. cjbpri+r3[view] [source] 2018-07-29 02:52:00
>>vbezhe+p2
For the most part you receive the GPG keys over the same TLS connection, though.
◧◩◪◨
4. sigjui+a4[view] [source] 2018-07-29 03:04:15
>>cjbpri+r3
Not sure what you mean. I don’t think apt-get install foo involves transferring GPG keys.
◧◩◪◨⬒
5. cjbpri+05[view] [source] 2018-07-29 03:20:26
>>sigjui+a4
We're comparing the security properties of

`curl https://somesite.com/foo.sh | bash`

with

`curl https://somesite.com/foo.deb`

and

`curl https://somesite.com/apt.key | sudo apt-key add - && sudo apt-get update && sudo apt-get install some-software`

I don't think there are very meaningful differences in the security properties -- I don't think it's more difficult to become compromised by one than by one of the others.

◧◩◪◨⬒⬓
6. huevin+8b[view] [source] 2018-07-29 05:47:15
>>cjbpri+05
No, you're deliberately choosing a bad way to get a key to try to prove your point. You shouldn't be fetching a key from the site that might be compromised.
◧◩◪◨⬒⬓⬔
7. geocar+0e[view] [source] 2018-07-29 06:56:26
>>huevin+8b
> You shouldn't be fetching a key from the site that might be compromised.

You shouldn't, but people do, and are being directed to do so increasingly as Linux becomes more popular. Software developers want to be software publishers so bad that they're just going to keep pushing, and therein lies the risk: If people get the impression that packages are somehow more secure than shell scripts, then these kinds of attacks will simply become more prevalent.

To you it's obvious that packages aren't more secure, it's how you get them that makes their normal use more secure. That's apparently too subtle a point for even big companies like Microsoft.

https://pydio.com/en/docs/v8/ed-debianubuntu-systems

https://docs.docker.com/install/linux/docker-ce/ubuntu/#inst...

https://www.spotify.com/uk/download/linux/

https://www.elastic.co/guide/en/apm/server/current/setup-rep...

https://ring.cx/en/download/gnu-linux

http://docs.grafana.org/installation/debian/

https://support.plex.tv/articles/235974187-enable-repository...

https://stack-of-tasks.github.io/pinocchio/download.html

http://download.mantidproject.org/ubuntu.html

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli... (!!!)

◧◩◪◨⬒⬓⬔⧯
8. dcbada+1p[view] [source] 2018-07-29 11:33:53
>>geocar+0e
I've always said the same, but what's the solution here?
◧◩◪◨⬒⬓⬔⧯▣
9. geocar+261[view] [source] 2018-07-29 21:00:16
>>dcbada+1p
There's three that I can see:

1. Walled Garden: Developers don't self-publish. Call it an app store, call it everything-in-apt.

2. Encapsulate everything so that developers can't do anything. Don't use anything unless it comes in a docker instance. Or a FreeBSD jail. Or something else. Qubes maybe.

3. Smarter users. Good luck with that one.

[go to top]