
O_MAYEXEC — explicitly opening files for execution

O_MAYEXEC — explicitly opening files for execution

Posted May 12, 2020 4:17 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
In reply to: O_MAYEXEC — explicitly opening files for execution by pabs
Parent article: O_MAYEXEC — explicitly opening files for execution

What's wrong with "curl | bash"?

How is it different from "pip install"?


to post comments

O_MAYEXEC — explicitly opening files for execution

Posted May 12, 2020 4:31 UTC (Tue) by NYKevin (subscriber, #129325) (4 responses)

pip traditionally downloads from PyPI, although you can feed it a raw URL if you enjoy living dangerously. PyPI is not categorically immune from unintentionally hosting malware, of course, but it's a poor choice for intentional malware distribution, because it can be audited by security researchers et al. upon request. Most malware tries to obfuscate itself to make it harder to block, and a well-known host which complies with legal requests is a poor vector for this and other reasons.

Having said all that, bash does not call openat2() on stdin (nor should any remotely reasonable program), so I'm going to say this whole question is moot.

O_MAYEXEC — explicitly opening files for execution

Posted May 12, 2020 4:37 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) (3 responses)

PyPI not only can be used to distribute actual malware, but it HAS been used to do that more than once. Ruby gems and JS NPMs also have been used for this purpose.

Running "curl | bash" is at least honest about its possible impact.

O_MAYEXEC — explicitly opening files for execution

Posted May 12, 2020 5:27 UTC (Tue) by NYKevin (subscriber, #129325) (1 response)

> PyPI not only can be used to distribute actual malware, but it HAS been used to do that more than once.

I don't dispute that. My point was merely that a smart malware author would probably choose a different host, in practice, most of the time. That is a vastly different claim from "PyPI software is always safe," which I certainly did not say. Rather, my claim is more focused on the possible remediation after a malware event. If you know you got it from PyPI, you can pass that information on to security researchers and authorities, who can then study the malware and make recommendations to others. If you got it from curl | bash, who's to say the site is even still there?

O_MAYEXEC — explicitly opening files for execution

Posted May 12, 2020 5:34 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)

A PyPI package can trivially do an equivalent of "system('curl | bash')". There really is no difference here.

Pretty much the only semi-reliable package sources are native Linux distribution packages. And even that is likely borderline.

O_MAYEXEC — explicitly opening files for execution

Posted May 12, 2020 9:41 UTC (Tue) by ballombe (subscriber, #9523)

Agreed. PyPI/NPM provide a false sense of security while being very convenient, which is a combination that leads to disasters.
curl | bash provides a correct sense of insecurity while being rather inconvenient. Much less likely to lead to a disaster.

O_MAYEXEC — explicitly opening files for execution

Posted May 14, 2020 8:43 UTC (Thu) by mina86 (guest, #68442) (2 responses)

The one real issue with ‘curl | bash’ is an interrupted connection. If the script being downloaded isn’t written properly, this can lead to execution of a corrupted script and e.g. ‘rm -rf /’ instead of ‘rm -rf /tmp/my-temp-file’.

For those wondering, the way to guard against that is to wrap the entire script with ‘_() { …; }; |’.

O_MAYEXEC — explicitly opening files for execution

Posted May 14, 2020 16:23 UTC (Thu) by dkg (subscriber, #55359) (1 response)

I'm pretty sure you mean to wrap the entire script in:
_() {
    […]
}
_
the trailing pipe doesn't make sense.

O_MAYEXEC — explicitly opening files for execution

Posted May 14, 2020 16:28 UTC (Thu) by mina86 (guest, #68442)

Yes, sorry, a typo. I meant underscore, not a pipe.
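The truncation failure mina86 describes and the `_() { ... }; _` wrapper dkg spells out, as an added demonstration that is not code from either commenter: a constructed script is cut off mid-line, exactly where an interrupted download could leave it, and fed to the shell both unwrapped and wrapped. It assumes bash (falling back to sh) is on the PATH, and the "dangerous" command is stood in for by a `record` function that only writes its arguments to a marker file under a temp dir.

```shell
#!/bin/sh
# Added demo (not code from the thread) of the "_() { ... }; _" wrapper.
# Unwrapped, a script cut off mid-line runs its truncated last line;
# wrapped, the incomplete function definition is a syntax error and nothing
# runs. "record" stands in for the dangerous command and only writes a marker.
WORK=$(mktemp -d)
export WORK
trap 'rm -rf "$WORK"' EXIT
SH=$(command -v bash || command -v sh)   # bash if available, else sh

# Constructed script body, split exactly where the download will be cut:
# right after "rm -rf /", before "tmp/my-temp-file".
prefix='record() { printf "%s\n" "$*" > "$WORK/last"; }
record rm -rf /'
suffix='tmp/my-temp-file
'

# build_script <wrapped|unwrapped>: write the full script to $WORK/script
build_script() {
  if [ "$1" = wrapped ]; then
    printf '_() {\n%s%s}\n_\n' "$prefix" "$suffix" > "$WORK/script"
  else
    printf '%s%s' "$prefix" "$suffix" > "$WORK/script"
  fi
}

# report: print what the recorder saw, or "(nothing ran)"
report() {
  if [ -f "$WORK/last" ]; then cat "$WORK/last"; else echo "(nothing ran)"; fi
}

# run_truncated <wrapped|unwrapped>: deliver the script cut off at the "/"
run_truncated() {
  build_script "$1"
  cut=${#prefix}
  [ "$1" = wrapped ] && cut=$((cut + 6))   # 6 bytes of the "_() {\n" header
  rm -f "$WORK/last"
  head -c "$cut" "$WORK/script" | "$SH" 2>/dev/null || true
  report
}

# run_complete <wrapped|unwrapped>: deliver the same script intact
run_complete() {
  build_script "$1"
  rm -f "$WORK/last"
  "$SH" < "$WORK/script" 2>/dev/null || true
  report
}

echo "unwrapped, cut:   $(run_truncated unwrapped)"   # rm -rf /
echo "wrapped,   cut:   $(run_truncated wrapped)"     # (nothing ran)
echo "wrapped,   whole: $(run_complete wrapped)"      # rm -rf /tmp/my-temp-file
```

The wrapper only protects against truncation, not against a hostile or substituted script; an attacker who controls the server still controls what `_` does when the download arrives whole.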


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds