How to build a trustworthy curl pipe bash workflow
Undestand how security and convenience can go together.
Installing and configuring third-party software for managing instances is usually painful. It comes with a handful of requirements that need to be met to accomplish the simple task of just getting it to work.
Operous will offer you a method to configure your instance to be tested by us conveniently, which will not make you waste time not doing productive work. It is as simple as copying and pasting a concise command.
The method we are going to use is known as the “curl pipe bash” method. This particular method has had many discussions around it before, with very strong opinions both in favor and against it.
Many vendors offer such a method and also call it a “convenience script,” a name that indeed is a good fit and expresses its purpose.
Bellow, you can check out how simple and fast it is going to be to configure Operous on your instance:
This post will discuss the concerns security specialists usually have with running the "curl pipe bash" method and what we did to address them.
We believe convenience and security must work together
People believed that convenience is a trait that lives at odds with security. The harder it is to access your service, the safer it is.
This belief changed recently. We’re moving towards a consensus that in order to build a secure system, it needs to be convenient.
A practical example of the statement above is NIST changes regarding passwords: asking people to create longer, but easier to remember, passwords and change them less frequently (only when compromised) increases security.
Other advances in this realm are: easier to use multi-factor authentication and password managers with a good user experience. When enough effort is put into building something safe and convenient for users, the result is an increase in overall security and productivity.
We know that pushing complexity to the user is a path that must be avoided at all costs. We do careful engineering to accommodate that complexity to achieve both a safer and user-friendly product.
Our convenience script is all about simplifying complexity for you. We worked hard to move complexity away from you and into our product to achieve a more secure, fast, and effortless experience, so you don't waste time with non-productive work.
Now let’s take a deep dive into some technical considerations about our implementation, so you don't have to worry about them.
Concern: An attacker between our web server and your instance could change the script’s content and inject code into the script, changing its behavior.
Solution: All of our content will be served with state of the art TLS (HTTP encryption). It won’t be possible to download the script nor access any of our pages through an insecure HTTP connection, significantly reducing the risk of content tampering.
Hidden text attack
Client detectiion attack
Concern: Make a web server return distinct responses based on the request User-Agent or through other client detection methods. The script you’d see in your browser might not be the same downloaded on your instance.
Solution: Again, we have no reason to do such a thing. Nevertheless, in addition to serving our content through TLS, a checksum will be available alongside the script so you can download and validate the script with the checksum before running it.
Partial content and network issues
Concern: A network error between the script source and the Curl agent could result in an incomplete download, which would result in partial execution of the script. That is indeed dangerous because any incomplete command could be executed.
Solution: We addressed this concern by wrapping the script “body” inside a function that is called at the very end. If something wrong really happens, the script will only define some functions but doesn’t do anything.
Compromised web server
Concern: Even using TLS to serve all content, there might still be room for tampering with the script content by exploiting a vulnerability on the web server and changing its configuration to serve a different script. A similar attack could be made with a supply-chain attack or exploiting some library vulnerability.
Solution: Our infrastructure is automated to ensure we’re always running up to date software. We’ll also constantly audit the libraries we use in our application to avoid known vulnerabilities.
We’ll also rely on a separate system that will continuously monitor the script by downloading it and checking the served content against the expected checksum. If this breach ever happens, we’ll be able to cross the monitoring data with our audit events to inform users that may have downloaded a rogue script.
Achieving convenience and security at the same time is not an easy feat.
Operous method for registering a instance with a single and concise command is part of our strategy to make you get results from our tests on your instances as fast as possible.
Installing third-party software does not have to be a hassle. Operous will make it easy to configure the instance to be tested.
With our convenient script developed from scratch, you will test your instances quickly and effectively.
Security vs. Convenience Is curl | bash insecure Friends don't let friends Curl | Bash Don't Pipe to your Shell copy-paste-shell Piping curl to s(hell) Curl to shell isn't so bad Detecting the use of "curl | bash" server side Why curl | sudo bash is good