1. Phix Linux 64 downloads
- Posted by monsieurb Oct 07, 2018
- 1745 views
Hi all (+Pete).
Re the download/install steps for Phix on Linux, there are currently 3 separate zips we need to fetch via wget or some other method... I wondered, in the interests of simplicity, would it be possible to host a script like:
wget a18796406824d7adb9ad-267c00a47582f5b7c033a43c96868c90.r76.cf2.rackcdn.com/p64.zip
unzip p64.zip -d phix
rm p64.zip
chmod +x phix/p
phix/p -test
At http://phix.x10.mx/downloads/p0.7.9.2-l64.sh (or whatever)? Then it would potentially be as simple as this for users to download and install it:
curl -sSL http://phix.x10.mx/downloads/p0.7.9.2-l64.sh | bash
Note, the single zip in my script is the combined result of http://phix.x10.mx/phix.0.7.9.1.zip, http://phix.x10.mx/phix.0.7.9.2.zip and http://phix.x10.mx/p64 ... it was just something I was trying out.
2. Re: Phix Linux 64 downloads
- Posted by ghaberek (admin) Oct 07, 2018
- 1803 views
> curl -sSL http://phix.x10.mx/downloads/p0.7.9.2-l64.sh | bash
Please do not do this.
Please do not ever do this.
Signed,
A concerned Linux user.
-Greg
3. Re: Phix Linux 64 downloads
- Posted by petelomax Oct 08, 2018
- 1853 views
> would it be possible to host a script
well, http://phix.x10.mx/download.php (after clicking linux then 64-bit) already says this
mkdir -p phix
rm -r phix
wget http://phix.x10.mx/phix.0.7.9.1.zip
wget http://phix.x10.mx/phix.0.7.9.2.zip
wget http://phix.x10.mx/p64
unzip phix.0.7.9.1.zip -d phix
unzip phix.0.7.9.2.zip -d phix
mv p64 phix/p
cd phix
chmod 777 p
./p -test
and asks if it would be helpful to put that in a setup64.sh, and I wasn't particularly opposed to doing that, if ever asked.
But, I always doubted it would be helpful (why not just paste the above into a script file?), and one more thing for me to get wrong, and then:
> curl -sSL http://phix.x10.mx/downloads/p0.7.9.2-l64.sh | bash
> Please do not do this.
> Please do not ever do this.
> Signed,
> A concerned Linux user.
> -Greg
Are you just saying that is a really dangerous thing to do?
4. Re: Phix Linux 64 downloads
- Posted by monsieurb Oct 08, 2018
- 1656 views
> Please do not ever do this.
OK, but why not? We're missing a few things in any case (checksums, a secure connection).
If I manually copy the commands and run them, I'm still trusting the payload is safe and that nothing malicious lurks in the executables. Also, when I see a tool that recommends installing the latest and greatest via a curl -sSL http://some.resource | bash type of approach, I remain fully at liberty to inspect that script first of all.
Having used Phix a few times, I now trust it and its author. If through no fault of Pete his site is compromised, well, the weak point in the chain is not necessarily the bash script itself.
> But, I always doubted it would be helpful (why not just paste the above into a script file?)
In a word, convenience. If phix.x10.mx/latest.sh always 'pointed' to the latest version, my provisioning script can use that and it doesn't need to have a hard-coded version number.
With all this said, if there are grave concerns and I'm anyway the only one so far seeking this, I don't mind sticking to the existing approach one bit.
5. Re: Phix Linux 64 downloads
- Posted by jimcbrown (admin) Oct 08, 2018
- 1632 views
> > Please do not ever do this.
> OK, but why not? We're missing a few things in any case (checksums, a secure connection).
Good points.
> Also, when I see a tool that recommends installing the latest and greatest via a curl -sSL http://some.resource | bash type of approach, I remain fully at liberty to inspect that script first of all.
If you wget the script and then inspect it, and then (after verifying that it is okay) run the saved contents, that is probably safer.
It is known how to alter the contents of the script depending on if it is being viewed in a browser on a webpage vs being executed on a command line. (IIRC this involved injecting a sleep command followed by an HTTP GET request and then checking the timing of the GET request to see how long the delay was.)
> Having used Phix a few times, I now trust it and its author. If through no fault of Pete his site is compromised, well, the weak point in the chain is not necessarily the bash script itself.
Perhaps, but why not add that extra layer of security if you can? Just because Pete's site got compromised (or maybe he was hit by a truck right before his domain name expired and the site now legitimately belongs to another person), that should not translate to YOUR systems being compromised too.
> In a word, convenience.
Yes, those two have always been at odds with one another. )-:
6. Re: Phix Linux 64 downloads
- Posted by ghaberek (admin) Oct 08, 2018
- 1708 views
> Are you just saying that is a really dangerous thing to do?
That is what I and a lot of others are saying, yes.
- https://blog.chef.io/2015/07/16/5-ways-to-deal-with-the-install-sh-curl-pipe-bash-problem/
- https://sysdig.com/blog/friends-dont-let-friends-curl-bash/
- https://news.ycombinator.com/item?id=12766049
- https://gist.github.com/btm/6700524
- https://www.seancassidy.me/dont-pipe-to-your-shell.html
- https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/
- https://jordaneldredge.com/blog/one-way-curl-pipe-sh-install-scripts-can-be-dangerous/
- https://medium.com/@esotericmeans/the-truth-about-curl-and-installing-software-securely-on-linux-63cd12e7befd
- https://serverfault.com/questions/505430/executing-script-remotely-with-curl-bash-feedback
And that's just from the first two pages of Google results.
-Greg
7. Re: Phix Linux 64 downloads
- Posted by ghaberek (admin) Oct 08, 2018
- 1625 views
> If I manually copy the commands and run them, I'm still trusting the payload is safe and that nothing malicious lurks in the executables. Also, when I see a tool that recommends installing the latest and greatest via a curl -sSL http://some.resource | bash type of approach, I remain fully at liberty to inspect that script first of all.
Fun fact: I can feed you a different file from my web server based on the "User Agent" string coming in on the request. So if you're using a desktop browser I'll send you the "clean" script, but if you're using cURL I'll send you the "dirty" script, and you might not ever be suspicious because you "checked" the script in the browser first. Read through some of those articles I posted to see the various tricks attackers can use to trick you into using a seemingly-legitimate script.
> With all this said, if there are grave concerns and I'm anyway the only one so far seeking this, I don't mind sticking to the existing approach one bit.
What I'm offering is generic advice: if you want or need to use an install script, download it first and inspect it, then run it manually with bash.
-Greg
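A script-form version of the advice in this reply and in jimcbrown's earlier one (download the installer to disk, check it, then run the saved copy), added here as an example that is not part of the thread or of the Phix project. It assumes curl and either sha256sum or shasum are installed; the URL, the expected digest and the two User-Agent strings are placeholders I chose, and the expected digest would have to come from a checksum published alongside the script, which the thread notes the Phix download page does not yet provide.

```shell
#!/bin/sh
# Constructed example: fetch an install script to a file, refuse to run it if the
# server hands different bytes to curl than to a browser, refuse if the SHA-256
# does not match the published one, and only then let the user read and run it.
set -eu

# Fetch a URL to a file with a chosen User-Agent. Assumes curl is installed.
fetch_as() {  # fetch_as <url> <user-agent> <outfile>
    curl -fsSL -A "$2" -o "$3" "$1"
}

# SHA-256 hex digest of a file; works with GNU sha256sum or BSD/macOS shasum.
sha256_of() {  # sha256_of <file>
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Returns 0 when the file's digest equals the expected hex digest, 1 otherwise.
verify_sha256() {  # verify_sha256 <file> <expected-hex-digest>
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Returns 0 when two downloaded copies are byte-identical, 1 when they differ.
# A difference between the "browser" copy and the "curl" copy is the
# User-Agent trick from the thread showing up on the client side.
copies_match() {  # copies_match <file-a> <file-b>
    cmp -s "$1" "$2"
}

# Download, compare, verify, inspect, and only then execute the saved file.
# Because nothing executes while the download is in progress, the timing-based
# curl|bash detection mentioned in the thread has nothing to observe either.
install_safely() {  # install_safely <script-url> <expected-sha256>
    url=$1
    expected=$2
    tmp=$(mktemp -d)
    # Placeholder User-Agent strings; any browser-like and curl-like pair will do.
    fetch_as "$url" "curl/7.64.0" "$tmp/installer.curl.sh"
    fetch_as "$url" "Mozilla/5.0 (X11; Linux x86_64) Firefox/62.0" "$tmp/installer.browser.sh"
    if ! copies_match "$tmp/installer.curl.sh" "$tmp/installer.browser.sh"; then
        echo "server returned different content for curl vs browser; refusing" >&2
        return 2
    fi
    if ! verify_sha256 "$tmp/installer.curl.sh" "$expected"; then
        echo "checksum mismatch against published digest; refusing" >&2
        return 3
    fi
    ${PAGER:-less} "$tmp/installer.curl.sh"   # read the exact bytes you are about to run
    printf 'Run %s? [y/N] ' "$tmp/installer.curl.sh"
    read -r answer
    [ "$answer" = y ] && bash "$tmp/installer.curl.sh"
}

# Example invocation with placeholder values (URL and digest are not real):
# install_safely http://example.invalid/setup64.sh 0000000000000000000000000000000000000000000000000000000000000000
```

Fetching the same URL twice with a browser-style and a curl-style User-Agent and comparing the bytes only catches a server that keys on the User-Agent; saving to a file before executing is what defeats both that and the timing variant, since the shell never reads the stream while it is still arriving. Getting the expected digest over the same unauthenticated HTTP connection as the script would add nothing, so the digest belongs in a place the user already trusts, such as a pinned value in their own provisioning script.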