
I have a command line tool (ngi) I made, and currently the process of installation requires 2 steps.

First step is to clone the repo into usr/local/ngi.

Second step is to manually set the $PATH in ~/.bash_profile (or wherever they set their environment variables) so that they can run the tool from the command line.

What I'm considering instead is this (it will shorten the installation to just one step):

I plan to create an install file in the repo, which is just a script that does the two steps above for the user. They will now be able to just open their command line and download the install script via curl, which, when run, will in turn install the command line tool:

curl https://raw.githubusercontent.com/joshbeam/angular_init/install >> install_ngi; ruby install_ngi

Basically the above command just downloads the raw content of the install file from GitHub into a new local file called install_ngi, and then runs it with Ruby. The install_ngi file itself then clones the GitHub repo and sets the environment variables.

My question is, what are some safety concerns regarding this method, and is there a safer way to implement this sort of installation?

Josh Beam
  • If you are willing to vouch for the security of one particular version, you could specify that and verify it by its hash (for example sha2sum) before using it. But that complicates updating this dependency, and only works if the problem you are worried about is not already present in the version you are pinning your install tool to in this way. –  Apr 05 '15 at 22:24
  • @pyramids, really the only security concern I have would be a malicious user gaining admin access to the repo and replacing the installation file, so if a user runs `curl` to download the installation file, it could have been replaced by some malicious code that could harm their computer, etc. – Josh Beam Apr 05 '15 at 22:28
  • @pyramids, do you know of an online resource I can read that explains how one would implement your solution? – Josh Beam Apr 05 '15 at 22:29
  • @Josh_Bean No, but if you are willing to use a shell script in the first place, you might as well try something like `sha256sum install_ngi |grep XXX-CORRECT-HASH && ruby install_ngi` instead of the last command in your current solution. –  Apr 05 '15 at 22:34
  • @pyramids, you'll have to excuse my inexperience with hashes. So the above would check a hash that is inside the install script against a known hash, and only run `ruby install` if the hashes match? Or does it convert the entire file into a hash and check it against the correct hash? – Josh Beam Apr 05 '15 at 22:40
  • @Josh_Bean, it's meant to calculate the hash, check it against whatever you enter as argument to the `grep` invocation (my intention: the hash of the file you want), and only invoke `ruby install_ngi` if the hash matches. But don't take my word for it, and if this challenges you, don't use it. –  Apr 05 '15 at 22:44
  • @pyramids, makes sense, thanks for the explanation. – Josh Beam Apr 05 '15 at 22:47
  • Have you considered providing a .rpm or .deb package? – Philipp Apr 06 '15 at 01:47
  • @Philipp, thanks for the comment, and no, I don't have experience with those. What's the primary benefit for using an .rpm or .deb instead? – Josh Beam Apr 06 '15 at 01:50
  • @JoshBeam They are the archive formats used by package managers like RPM or apt-get, which are the default and most user-friendly way to install new software on Linux. Providing packages in the standardized formats would be much more convenient for your end-users than having them enter some cryptic console commands. – Philipp Apr 06 '15 at 01:54
  • @Philipp, very true, thanks. The original reason for using the model of "git clone" and setting the path manually is because that's sort of the idiomatic way for installing command lines tools that aid in web development (as does ngi). However I definitely see how providing a package would make it more user-friendly. – Josh Beam Apr 06 '15 at 01:59

1 Answer


Is it safe?
Not completely; just because you're fetching safe code now doesn't mean that link will always point to safe code, and many command-line tools don't verify certificates, which could lead to a MITM attack.

Is it safe enough?
Yeah, for most use cases, probably. The attack scenario is pretty rare, and an attacker who is positioned to pull it off can probably pull off something more serious.

What's a safer way to do it?
The best we can do is for all downloaded software to be cryptographically signed and for the signatures to be verified before installation. Most modern system package managers (think apt, yum, etc.) do this automatically, but you can do it yourself using gnupg.

Ideally you'd only sign a package if you've verified it and trust it. That doesn't mean you're right to trust it, but at least it makes you accountable for it. Of course, there's the problem of getting the signer's public key onto the user's computer in such a way that that transfer won't be tampered with... chicken, meet egg.

tylerl
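The two mitigations raised above (pinning the installer by its SHA-256 digest, as suggested in the comments, and verifying a detached GnuPG signature, as the answer recommends) combined into one installer wrapper. This is an added example written for this page, not the ngi project's own install script; the URL, the pinned digest, the keyring path and the signature file name are placeholders you would replace with your own. It also fixes two details of the original one-liner: it writes to a fresh temp file instead of appending with `>>` (a leftover partial file would otherwise be concatenated with the new download), and it tells curl to fail on HTTP errors and to refuse anything but HTTPS, including on redirects.

```shell
#!/bin/sh
# Added example: fetch an installer over HTTPS only, verify it against a
# pinned SHA-256 digest and (optionally) a GnuPG signature, and run it with
# ruby only if verification succeeds. All names below are assumptions.
set -eu

# Hypothetical pinned digest of the vetted installer (replace with your own).
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
# Hypothetical URL of the raw install script (replace with your own).
INSTALLER_URL="https://example.invalid/install"

# Print the SHA-256 of a file: sha256sum on Linux, shasum -a 256 on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's digest equals the expected one exactly.
# An exact string compare avoids the pitfall of `sha256sum f | grep HASH`,
# where grep does a substring/regex match and an empty pattern matches anything.
verify_sha256() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Verify a detached signature against a keyring you shipped out of band
# (for example inside the .deb/.rpm, or printed in the README and checked by
# fingerprint). --trust-model always means: trust whatever is in this keyring,
# so only put the release key in it.
verify_signature() {
    file=$1
    sig=$2
    keyring=$3
    gpg --no-default-keyring --keyring "$keyring" --trust-model always \
        --verify "$sig" "$file"
}

# Download with curl: fail on HTTP errors, allow only https (also after
# redirects), and overwrite the output file rather than appending to it.
fetch_installer() {
    url=$1
    out=$2
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$out" "$url"
}

# Full flow: download, pin by digest, run. The signature check is optional
# and used when a keyring path and signature URL are supplied.
install_from_url() {
    url=$1
    expected=$2
    keyring=${3:-}
    sig_url=${4:-}
    tmp=$(mktemp)
    sig="$tmp.sig"
    trap 'rm -f "$tmp" "$sig"' EXIT
    fetch_installer "$url" "$tmp"
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "install: digest mismatch, refusing to run" >&2
        return 1
    fi
    if [ -n "$keyring" ] && [ -n "$sig_url" ]; then
        fetch_installer "$sig_url" "$sig"
        if ! verify_signature "$tmp" "$sig" "$keyring"; then
            echo "install: bad signature, refusing to run" >&2
            return 1
        fi
    fi
    ruby "$tmp"
}

# Usage (not executed here so the script can be sourced for its functions):
#   install_from_url "$INSTALLER_URL" "$EXPECTED_SHA256"
#   install_from_url "$INSTALLER_URL" "$EXPECTED_SHA256" ./ngi-release.gpg "$INSTALLER_URL.sig"
```

Note the limit the comments already point out: a pinned digest only protects users against the install file changing after you vetted it, so every release of the installer needs a new published digest, and the digest itself must be distributed somewhere the attacker who can alter the repo cannot also alter. A signature moves that problem to distributing the public key once, which is the "chicken, meet egg" the answer ends on.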