Fixes Linux shebangs #6110
Fixes Linux shebangs #6110
Conversation
|
Probably not relevant, but there are some caveats to using Is |
/usr/bin/bash is not valid for NixOS. This is /bin and /usr/bin on NixOS: /usr/bin/bash will also probably not be valid for most systems which don't have /bin linkled to /usr/bin If no bash-specific features are used on those scripts, an even better option would be to use sh instead. Not all linux distros even have bash, tho I'm yet to see a distro without /bin/sh. |
NixOS is quite a bit different, especially when you're stating it only has
Maintainers may be less likely to consider merging this since someone else may raise a PR to do the same when I still think it's not ideal to choose Perhaps it might be better to use your experience with NixOS to have a nix package that makes the necessary adjustments? That can satisfy the current shebang expectation, or it could alter the shebang for these files. Without broader demand or a wider audience outside of NixOS, the value of upstreaming the change is questionable. |
|
I don’t see how using env could cause any malware problems. If env selects a malicious bash, the user already is compromised when running the script anyway. If the user has a bad bash in their environment, it would have already been triggered no matter what oobabooga did. Aditionally, even the link you sent yourself, that mentions this “problem” with env states that using env is still a better option regardless:
You also mentioned not all distros have /usr/bin/env, but I’ve never seen a distro that didn’t have it. Do you have any examples at all? |
If you don't mind me asking, in which scenarios do you think that could become an actual concern for this project? |
Those where an attacker for some reason has the ability to have precedence in the PATH ENV? It's perhaps unlikely that they're able to introduce only that as a change to the system if they had that sort of control... but what is more likely is the user is fooled into installing something that has them (or the environment itself) update/prepend to PATH. There was a recent security issue with ComfyUI if you're familiar with that, a custom module/plugin was malicious but had users downloading it unaware. Environments that you run software in will vary too, such as with a Docker container, environment can be managed differently there. This project appears to have had an official image / Regardless, it's still an increase to attack surface by relying on |
|
Sorry didn't see your reply.
No? The bash could be anywhere on the system, it'd only be run if you provided direct path to it, or relied on Just to be clear, the script itself is not malicious. It's the malicious bash in the PATH env waiting to hijack when called.
It depends on the system and how I'm not saying that in this case the user isn't already in trouble regardless. Just that the proposed change introduces that added risk for the small sake of convenience to satisfy niche demand. Many of the security exploits / CVEs that get spoken about these days require conditions of compromise already in place.
This isn't a decision that an individual is doing on their system. It's a decision you want to contribute that affects a broad audience of users that aren't likely to notice that change. All for the benefit of satisfying a much smaller set of users at their expense. The change doesn't seem necessary for the majority, and the drawback with reluctance has been communicated clearly I hope.
So nothing that great example wise. I assume pragmatically most linux distros are going to have bash at the expected location. NixOS differs from a typical distro, and probably should resolve the concern with nix tbh 🤷♂️ |
|
TL;DR: Despite concerns raised being valid, it seems like
Apologies for the noise I introduced. I understand you don't like my feedback with the 👎 but that doesn't dismiss the validity for why this PR has more disadvantages than benefits:
So handwave away these concerns all you like the 👎 , but this PR is motivated for your benefit at the expense of others (given the above points). UPDATE:
References (remainder of this comment)One of my initial feedback questions:
Assuming The most common reason elsewhere for this requirement is like with macOS shipping an old Portability / Securityhttps://tecadmin.net/choose-the-best-shebang-for-your-shell-scripts/ https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard#FHS_compliance Portability / Compatibility: https://en.wikipedia.org/wiki/Shebang_(Unix)#Program_location Portability / Compatibility: Security: https://burnthewhich.github.io/shbangenv/shbangenv Portability / Compatibility: Security: Packaging (including Nix issues)https://docs.fedoraproject.org/en-US/packaging-guidelines/#_shebang_lines
https://www.debian.org/doc/packaging-manuals/python-policy/#interpreter-location |
The linux scripts were using
#!/bin/bash, which causes problems in some Linux distributions (such as NixOS) because that file doesn't exist on that place.#!/usr/bin/env bashshould used instead, in order to get bash from the correct place from the user's PATH variable.I've tested and can confirm that these changes are enough to make the software work on NixOS.
Changed files
Checklist: