Operous

Originally published at operous.dev

How to build a trustworthy curl pipe bash workflow

Installing and configuring third-party software for managing servers is usually painful. It comes with a handful of requirements that need to be met to accomplish the simple task of just getting it to work.

Operous will offer you a convenient method to configure your server to be tested by us, so you don't waste time on non-productive work. It is as simple as copying and pasting a concise command.

Curl

The method we are going to use is known as the “curl pipe bash” method. It has been discussed many times before, with very strong opinions both in favor of it and against it.

Many vendors offer such a method and also call it a “convenience script,” a name that indeed is a good fit and expresses its purpose.

Below, you can check out how simple and fast it is going to be to configure Operous on your server:

Installer

This post will discuss the concerns security specialists usually have with running the "curl pipe bash" method and what we did to address them.

We believe convenience and security must work together

People used to believe that convenience is a trait at odds with security: the harder it is to access your service, the safer it is.

This belief changed recently. We’re moving towards a consensus that in order to build a secure system, it needs to be convenient.

A practical example of the statement above is the NIST changes regarding passwords: asking people to create longer, but easier to remember, passwords and change them less frequently (only when compromised) increases security.

Other advances in this realm are easier-to-use multi-factor authentication and password managers with a good user experience. When enough effort is put into building something safe and convenient for users, the result is an increase in overall security and productivity.

We know that pushing complexity to the user is a path that must be avoided at all costs. We engineer carefully to absorb that complexity and achieve a product that is both safer and user-friendly.

Our convenience script is all about simplifying complexity for you. We worked hard to move complexity away from you and into our product to achieve a more secure, fast, and effortless experience, so you don't waste time with non-productive work.

Considered issues

Now let’s take a deep dive into some technical considerations about our implementation, so you don't have to worry about them.

Man-in-the-middle Attack

Concern: An attacker between our web server and your server could change the script’s content and inject code into the script, changing its behavior.

Solution: All of our content will be served with state-of-the-art TLS (HTTP encryption). It won’t be possible to download the script or access any of our pages through an insecure HTTP connection, significantly reducing the risk of content tampering.

Hidden text attack

Concern: The current JavaScript clipboard API allows a script to change the content of copied text without any confirmation or warning. This could be used to make you run something in your shell different from what you think you copied on our website.

Solution: We have absolutely no reason whatsoever to trick our users like that. TLS (HTTP encryption) protects against JavaScript injection by a third party through content tampering.

Client detection attack

Concern: A web server can be made to return distinct responses based on the request's User-Agent or through other client detection methods. The script you’d see in your browser might not be the same one downloaded on your server.

Solution: Again, we have no reason to do such a thing. Nevertheless, in addition to serving our content through TLS, a checksum will be available alongside the script so you can download and validate the script with the checksum before running it.

Partial content and network issues

Concern: A network error between the script source and the Curl agent could result in an incomplete download, which would result in partial execution of the script. That is indeed dangerous because any incomplete command could be executed.

Solution: We addressed this concern by wrapping the script “body” inside a function that is called at the very end. If the download is cut short, the script will only define some functions and won't execute anything.
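The effect of that wrapper can be measured directly. The following is an added example, not Operous's installer: it builds two constructed scripts (the `step1`/`step2` lines stand in for real install commands), feeds every truncated prefix of each to `sh`, and counts the runs that executed the first step without the second.

```shell
#!/bin/sh
# Constructed sample scripts; the echo lines stand in for real install steps.
WORK=$(mktemp -d)

# Top-level commands: each line runs as soon as the shell has read it.
cat > "$WORK/unguarded.sh" <<'EOF'
echo step1 >> "$OUT"
echo step2 >> "$OUT"
EOF

# Body wrapped in a function that is only called on the last line.
cat > "$WORK/guarded.sh" <<'EOF'
main() {
  echo step1 >> "$OUT"
  echo step2 >> "$OUT"
}
main
EOF

# count_partial_runs FILE: pipe every proper prefix of FILE into sh, simulating
# a download cut at each byte, and count runs that did step1 but not step2.
count_partial_runs() {
  size=$(($(wc -c < "$1")))
  partial=0
  n=1
  while [ "$n" -lt "$size" ]; do
    : > "$WORK/out"
    head -c "$n" "$1" | OUT="$WORK/out" sh >/dev/null 2>&1 || true
    if grep -q step1 "$WORK/out" && ! grep -q step2 "$WORK/out"; then
      partial=$((partial + 1))
    fi
    n=$((n + 1))
  done
  echo "$partial"
}

echo "unguarded: $(count_partial_runs "$WORK/unguarded.sh") partial runs"
echo "guarded:   $(count_partial_runs "$WORK/guarded.sh") partial runs"
```

A truncated copy of the guarded script either fails to parse, defines `main` without calling it, or (when only the final newline is missing) runs the complete body.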

Compromised web server

Concern: Even using TLS to serve all content, there might still be room for tampering with the script content by exploiting a vulnerability on the web server and changing its configuration to serve a different script. A similar result could be achieved through a supply-chain attack or by exploiting some library vulnerability.

Solution: Our infrastructure is automated to ensure we’re always running up-to-date software. We’ll also constantly audit the libraries we use in our application to avoid known vulnerabilities.

We’ll also rely on a separate system that will continuously monitor the script by downloading it and checking the served content against the expected checksum. If this breach ever happens, we’ll be able to cross-reference the monitoring data with our audit events to inform users who may have downloaded a rogue script.
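The checksum validation mentioned under the client detection concern and the monitoring check described here come down to the same comparison. The following is an added sketch, not Operous's code: the function names are hypothetical, the sample scripts are constructed locally, and `fetch_script` is defined only to show an HTTPS-only download to a file (the page gives no script URL, so it is not called).

```shell
#!/bin/sh
# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# fetch_script URL DEST: HTTPS-only download to a file (defined for reference,
# not called below). --fail stops an HTTP error page being saved as the script.
fetch_script() {
  curl --proto '=https' --tlsv1.2 --fail --silent --show-error --output "$2" "$1"
}

# verify_script FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_script() {
  actual=$(sha256_of "$1")
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED: user side. Run the saved copy only if it verifies.
run_verified() {
  verify_script "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
  sh "$1"
}

# monitor_check FILE EXPECTED: monitoring side. Print one status line per poll.
monitor_check() {
  if verify_script "$1" "$2"; then
    echo "OK $2"
  else
    echo "ALERT expected=$2 served=$(sha256_of "$1")"
  fi
}

# Constructed sample data standing in for the published and the served script.
DEMO=$(mktemp -d)
printf 'main() {\n  echo "registered"\n}\nmain\n' > "$DEMO/install.sh"
PUBLISHED=$(sha256_of "$DEMO/install.sh")
{ cat "$DEMO/install.sh"; echo 'echo "altered"'; } > "$DEMO/served.sh"

run_verified "$DEMO/install.sh" "$PUBLISHED"
run_verified "$DEMO/served.sh" "$PUBLISHED" || true
monitor_check "$DEMO/served.sh" "$PUBLISHED"
```

The comparison only adds assurance when the expected value is obtained independently of the response being checked, which is the role the separate monitoring system plays.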

Conclusion

Achieving convenience and security at the same time is not an easy feat.

The Operous method for registering a server with a single, concise command is part of our strategy to get you results from our tests on your servers as fast as possible.

Installing third-party software does not have to be a hassle. Operous will make it easy to configure the server to be tested.

With our convenient script developed from scratch, you will test your servers quickly and effectively.



Learn more about Operous and how it can help harden SSH servers with the vulnerability scanner
