Re: [PATCH] cksum: add --check-stream=CHECKSUM flag
From: Pádraig Brady
Subject: Re: [PATCH] cksum: add --check-stream=CHECKSUM flag
Date: Mon, 16 Dec 2024 13:15:37 +0000
User-agent: Mozilla Thunderbird Beta
On 16/12/2024 10:24, Rob Landley wrote:
> On 12/14/24 18:50, Pádraig Brady wrote:
>> On 14/12/2024 23:20, Akihiro Suda wrote:
>>> `-S, --check-stream=CHECKSUM` checks the FILE with CHECKSUM and pipes
>>> the FILE to the stdout.
>>> The motivation is to make `curl | sh` secure without breaking one-liner.
>>> e.g., curl https://example.com/install.sh | sha256sum --check-stream deadbeef | sh
>> Similar functionality was discussed a long time ago as listed at:
>> https://www.gnu.org/software/coreutils/rejected_requests.html#checksum
>> specifically https://bugs.gnu.org/13243
>> Now I do agree checking the stream is more concise with this option
>> than using existing tools, but I'm not sure it's warranted.
>> With existing tools you'd have:
>> tmpf=$(mktemp) && curl -fs https://example.com/install.sh > "$tmpf" \
>> && sha256sum --status --check <(echo deadbeef -) < "$tmpf" && sh "$tmpf"; rm "$tmpf"
> To me the fundamental problem is nobody is going to TYPE IN an sha256
> hash manually from somebody's business card or laptop sticker at a
> coffee shop. (Certainly not on the first try.) Even an sha1sum or md5sum
> is beyond expected human tolerances.
> So any attempt to replace:
> bash -c "$(wget -O- https://blah.com/blah.sh)"
> With a checksummed version is at MOST gonna be crc32, and would look
> something like (using hashes for "echo hello" > file):
crc would offer zero protection here as the attacker could
simply adjust the bad script with a comment to match the crc.
So yes the use case is only for copy & paste, which is of limited use.
There are lots of security gotchas for copying and pasting
from a browser to shell, so in general the model is problematic.
It is worth noting given the size of hashes (and URLs) that
generally presented commands are not going to be that concise anyway.
So to expand the previous examples, the patch would allow going from:
URL="https://raw.githubusercontent.com/coreutils/coreutils/3f144241/DEMO-20241216"
SHA=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SUM=sha256sum; $SUM /dev/null > /dev/null 2>&1 || SUM='shasum -a 256'
tmpf=$(mktemp) && curl -fs "$URL" > "$tmpf" && $SUM --status --check \
<(printf '%s -' "$SHA") < "$tmpf" && sh "$tmpf"; rm "$tmpf"
to:
URL="https://raw.githubusercontent.com/coreutils/coreutils/3f144241/DEMO-20241216"
SHA=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
curl -fs "$URL" | sha256sum --check-stream "$SHA" | sh
Yes it's more concise, but also much less portable.
The first example above should run on any Linux, FreeBSD/macOS system.
(Note it's safe to cut and paste as the hash doesn't match the contents).
So I'm still reluctant to add this,
given reasonable and portable alternatives exist.
cheers,
Pádraig
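The portable check-then-execute pattern from this thread, written up as reusable POSIX sh functions. This is an added example, not code from the patch or from coreutils; it assumes sha256sum (coreutils) or shasum (perl) is installed, and the function names are its own. The point it shows is the one `curl | sh` lacks: the whole script is buffered and verified before any byte of it reaches the shell, so a truncated or tampered download is never partially executed.

```shell
#!/bin/sh
# Added example, not coreutils or patch code: the check-then-execute pattern
# from the thread as reusable functions. The script is fully buffered before
# any of it reaches sh, so a truncated or tampered download is never
# partially executed. Assumes sha256sum (coreutils) or shasum (perl) exists;
# the function names are this example's own.

# Pick a SHA-256 tool the way the thread does: coreutils sha256sum if it works,
# otherwise 'shasum -a 256' (macOS/BSD).
sha256_tool() {
    if sha256sum /dev/null >/dev/null 2>&1; then
        echo sha256sum
    else
        echo 'shasum -a 256'
    fi
}

# Print the lowercase hex SHA-256 digest of FILE ($1).
digest_file() {
    $(sha256_tool) < "$1" | cut -d' ' -f1
}

# run_verified FILE EXPECTED_HEX
# Runs FILE with sh only when its digest equals EXPECTED_HEX (case-insensitive).
# Returns 2 on mismatch (FILE is not run), else the script's own exit status.
run_verified() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(digest_file "$1")
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch: expected %s, got %s\n' "$expected" "$actual" >&2
        return 2
    fi
    sh "$1"
}

# fetch_and_run URL EXPECTED_HEX
# Portable equivalent of `curl URL | sha256sum --check-stream HEX | sh`:
# download to a temp file, verify, run, and always remove the temp file.
fetch_and_run() {
    tmpf=$(mktemp) || return 1
    if curl -fsS "$1" > "$tmpf"; then
        run_verified "$tmpf" "$2"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmpf"
    return "$rc"
}
```

Usage: `fetch_and_run "$URL" "$SHA"` with the URL and digest published alongside the script; a mismatch exits 2 without running anything.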