zlacker

1. lionko+(OP) 2023-04-05 20:37:53
Windows users will also happily "run as administrator", while a lot of Linux users know not to do that in my experience
replies(3): >>qup+Ib >>ChuckN+Of >>0x457+TH
2. qup+Ib 2023-04-05 21:42:51
>>lionko+(OP)
Yes, I have an absolutely pristine record and I have never, ever copy-pasted a script from the internet with sudo, or piped curl into bash because I'm lazy and I trust most GitHub READMEs. Never.
replies(2): >>chlori+3S >>lionko+0r1
3. ChuckN+Of 2023-04-05 22:04:36
>>lionko+(OP)
>a lot of linux users know not to do that in my experience

README.md : "to get this to work, curl or wget the following script and run it as sudo"

Linux users: Aye

replies(1): >>lionko+6r1
4. 0x457+TH 2023-04-06 01:07:48
>>lionko+(OP)
Honestly... I'm far more afraid of my $HOME being uploaded somewhere. You don't need "run as administrator" for that.
replies(1): >>thewat+kV1
5. chlori+3S 2023-04-06 02:31:46
>>qup+Ib
I have literally never done this and do not understand why anyone would.

Installing software to the system should be handled by a package manager, but if you must install something like this, just throw it in a tmpfile and inspect the script before running it.

I know the response to this will be "but the things the script downloads and installs could be malicious", and while this is true, so long as the sources in the install script are fine, I consider this to be a separate issue (but still a big issue).

The issue of trusting source code or binaries is a thing but it doesn't justify copy pasta'ing random scripts in the shell.

Another thing to take note of: in the past there have been bugs in terminal emulators that allowed pasting certain characters that made the text look completely different than what it actually was, so pasting "ls $HOME" could have actually been "rm -rf ~/" for example.

6. lionko+0r1 2023-04-06 07:53:36
>>qup+Ib
I usually double check before running stuff as sudo, and piping into bash I don't really ever need (AUR). My heart goes out to those on distros where that's the way to distribute software.
replies(1): >>fransj+4R1
7. lionko+6r1 2023-04-06 07:54:37
>>ChuckN+Of
That is programmers etc. using Linux, yes. Casual users won't touch the terminal.
replies(1): >>elygre+5s1
8. elygre+5s1 2023-04-06 08:08:06
>>lionko+6r1
In my experience, there are relatively few casual users of Linux.
9. fransj+4R1 2023-04-06 12:00:14
>>lionko+0r1
AUR is perfectly safe. Got it.
10. thewat+kV1 2023-04-06 12:28:55
>>0x457+TH
> You don't need "run as administrator" for that.

This is what makes it so doable since you don't need any privilege escalation.

The reason why this is a big deal for a lot of people is your ssh keys will give you access to your git repos and other servers unless you have them password protected or use gpg/sk ssh keys, which I think a lot of people don't do.

And of course if you can see the known hosts file/bash_history you'll likely have access to more servers to propagate to.

Also things like your browser cache are stored there.

replies(1): >>0x457+uN3
11. 0x457+uN3 2023-04-06 21:20:52
>>thewat+kV1
Plenty of dangerous things are stored in `~/`; they don't even need a password for the ssh-key if there is an ssh-agent running (this is in the case of a dangerous process running, not just an upload).

This is why I store keys on a hardware key that requires me to touch it when used and manually start ssh-agent when doing a lot of `git push`.

replies(1): >>thewat+xx6
12. thewat+xx6 2023-04-07 18:35:16
>>0x457+uN3
Yeah gpg/sk ssh keys are definitely the way to go.
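
A check for the exposure discussed in comments 10 to 12 (SSH private keys under `$HOME` that are not passphrase-protected), as an added example that is not part of any poster's comment: it reads each key file's header to tell passphrase-protected, plaintext and sk (hardware-backed) keys apart. The function names and the constructed header-only sample are assumptions made for illustration.

```python
import base64, struct, sys
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # start of the decoded OpenSSH key container

def read_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated")
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_key(text):
    """Return 'encrypted', 'plaintext', 'hardware-backed' or 'not-a-key'."""
    if "BEGIN ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text:
        return "encrypted"  # PKCS#8 or legacy PEM with a passphrase
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        try:
            body = text.split("BEGIN OPENSSH PRIVATE KEY-----")[1].split("-----END")[0]
            blob = base64.b64decode("".join(body.split()))
            if not blob.startswith(MAGIC):
                return "not-a-key"
            cipher, off = read_string(blob, len(MAGIC))
            _kdf, off = read_string(blob, off)
            _kdfopts, off = read_string(blob, off)
            pub, _ = read_string(blob, off + 4)  # skip the uint32 key count
            keytype, _ = read_string(pub, 0)
        except (ValueError, struct.error, IndexError):
            return "not-a-key"
        if keytype.startswith(b"sk-"):
            return "hardware-backed"  # file holds only a handle to the security key
        return "plaintext" if cipher == b"none" else "encrypted"
    return "plaintext" if "PRIVATE KEY-----" in text else "not-a-key"

def audit(directory):
    """Map file name -> classification for every private key file in directory."""
    kinds = {p.name: classify_key(p.read_text(errors="replace"))
             for p in sorted(Path(directory).iterdir()) if p.is_file()}
    return {name: kind for name, kind in kinds.items() if kind != "not-a-key"}

def make_sample(cipher, keytype):
    """Constructed header-only sample; it contains no real key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1) + s(s(keytype))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(audit(sys.argv[1] if len(sys.argv) > 1 else Path.home() / ".ssh"))
```

Any file reported as `plaintext` is usable by whoever can read `$HOME`; `ssh-keygen -p -f <file>` adds a passphrase to an existing key.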