KernelCI now testing Linux Rust code (Collabora blog)

The argument isn't necessarily against downloading a script, checking it & then running it — it's against these one-liners that pipe the download directly into the shell. The difference is that a malicious web server could detect whether a script is only downloaded or piped directly into a shell by partially sending content that would take a long time to execute & only send malicious content if the download takes as long as expected if it's to be shell-processed directly.

In other words, recommending the following instructions should be fine:

curl -o setup.sh https://safe.server/setup.sh
less setup.sh
sudo sh ./setup.sh

whereas direct-piping should be avoided.

Posted Dec 8, 2022 11:36 UTC (Thu) by khim (subscriber, #9252) [Link]

> The difference is that a malicious web server could detect whether a script is only downloaded or piped directly into a shell by partially sending content that would take a long time to execute & only send malicious content if the download takes as long as expected if it's to be shell-processed directly.

Have you forgotten that we are talking about a way to download and install binaries provided by third-party service?

They can just provide you with correct script and bad binary. Since there are no sudo command anywhere that binary is as capable of wreaking havoc with your files as that script.

It's only when you plan to run script under root, but then use program without sudo all that dance starts making some small sense.

Rust is not designed to be installed that way which makes the whole dance an exercise in futility.

KernelCI now testing Linux Rust code (Collabora blog)

Posted Dec 8, 2022 11:50 UTC (Thu) by khim (subscriber, #9252) [Link]

> Make sure the download is self-contained (you could use a shar archive for this, if you wanted built-in unpackability/runnability), publish the hash of the download alongside the instructions, and have the instructions tell the user to download the file, check the hash, and only then extract/run the archive.

Rustup is a system which downloads and install rust compiler automatically when new versions are released.

Making download self-contained is pretty much pointless if the regular work of application includes the ability to download and run code from the internet.

Thus all that dance would just create false sense of security without achieving anything.

If you really want to review each and every binary before running it each and every time then rustup is just not something you would use. Ever.

> Sure, users could skip the verification step if they don't care about the security of their system, but don't propagate the notion that verification is something they shouldn't even normally think about, when they're downloading random software off of the internet. I mean, do you want botnets? Because that's how you get botnets.

Can you show me one example of successful attack which happened that way? Not even necessarily Rust, but any software where venue of attack was hijacking of an official site and then subsequent delivery of malware?

Botnets happen when people fail to recognize that they are interacting with fake site and do what's written on fake site.

That's completely separate vector of attack from “malicious official server does something weird” and this problem couldn't be solved by teaching people to do useless dance which they would perform with malicious content equally well.