Old 11-21-2015, 03:10 PM   #1
PeterT
Grand Sorcerer
Article on 10 dumb security mistakes sys admins make

While this is not exactly a post on calibre development, it might be of interest to Kovid and might call for some comments / action by him.

I came across 10 dumb security mistakes sys admins make and saw the following:
Quote:
Blunder 2: Running scripts of unknown origin

Installing third-party Linux applications is another area where sudo can be abused. All you have to do is copy and paste the command -- which is already set up to use sudo -- directly into the terminal to kick off the install script. Every single command in that script will be executed with elevated privileges.

Here's an example, copied right off the Web (with the URL hidden):
Code:
sudo -v && wget -nv -O- https://xxx/xxx/linux-installer.py | sudo python -c "import sys; main=lambda:sys.stderr.write('Download failed\n'); exec(sys.stdin.read()); main()"
This gives sudo privileges to an item hosted elsewhere on the Web, as well as running Python locally. Not recommended! Windows admins face similar potential catastrophes running downloaded PowerShell scripts.

Even if you trust the source, never assume a script downloaded from the Internet is safe. Always vet the contents of the script first and verify that executing the commands will not result in nefarious actions.
Comments?
Old 11-21-2015, 06:55 PM   #2
kovidgoyal
creator of calibre
This stupid canard again. If you want to install software on your system, the installer has to be run as root. If you don't want to actually install calibre, then simply run the installer as a normal user and do an isolated install, which does not require root, instructions for which are further down the page, which this idiot seems to not have bothered to read.

Someone needs to write an article on 10 dumb mistakes security "experts" make when giving sysadmins advice.
Old 11-21-2015, 07:32 PM   #3
kovidgoyal
creator of calibre
Oh, and I forgot to address the idiocy in the title of that post.

Quote:
Running scripts of unknown origin
The calibre installer is downloaded from the calibre github repo using https. Its origin is exactly as unknown as that of the rest of calibre. So if you are not ok with running the installer, you should not be ok with running calibre itself.
Old 11-21-2015, 09:05 PM   #4
eschwartz
Ex-Helpdesk Junkie
If calibre was malicious software, the malware could be hidden in the application itself, possibly in the post_install which is also run, immediately, as root.

And if the "dumb security mistake" involves a MITM attack on GitHub... well, I suppose it could happen, if the attackers crack the internet's HTTPS model first...
But not very likely.

The whole "mistake" is predicated on a lack of trust in the calibre website.

Which is an easy thing to fix.
Also, it is the prerogative of the potential user to establish a trust confidence in calibre.
Point taken, peoples! Don't randomly run ANY command offered by someone you have never heard of and don't trust, and have no REASON to trust, until you understand and vet it.

As such, don't install calibre until you have vetted the source code... because that is something you are running too.
Old 11-23-2015, 10:51 AM   #5
jgoguen
Generally Awesome Person
In general, great advice. Sending a script from the Internet directly to your shell to be run, whether using sudo or not, is a bad idea. Sudo makes it worse. But, the threat model is slightly different using a relatively trustworthy site like GitHub, downloading the script using TLS, compared to going to some random site with no reputation and downloading their script with no encryption or secure checksumming. No, a checksum on the unencrypted page doesn't count.

In the general case, whether TLS-secured or not, I can go to the script, see what's there, and do some quick searching to see if anyone is saying "OMG, l33t hax0rs, don't download this!" or if the Internet is mostly silent. With TLS, I have some assurances that if the content is being modified before being sent, it's happening on the server before data is transmitted. I've seen that happen: different content is sent to different user agents. You can guard against that by setting the user agent in your script to something a normal browser sends, and maybe even set a referrer URL so it looks like you came from another page on the site.

For some of us, the threat model is still different. I can download the script, read it, evaluate what it's doing, decode any encoded strings, decide if I'm comfortable with it, and run it locally. And if I find that Kovid is pulling some hanky-panky and using the calibre setup script to run bitcoin miners on all our boxes, I can post about it, show the GitHub commit hash where that was added, outline how it was hidden, and basically make the Internet be "not silent" about the dangers of running this setup script.

And if you're a sysadmin and you're blindly running scripts of unknown origin, hand in your sysadmin card. That's just not something a proper sysadmin does.
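The download-then-read routine jgoguen describes (save the script to a file, check it against a digest obtained somewhere other than the download page, flag the calls worth reading and decode any encoded strings before deciding whether to run it) as an added example; this is editor-written illustration, not calibre's installer or anything from the quoted article, and the sample "installer" text and its base64 blob are constructed here.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample of a downloaded installer script (not calibre's installer).
# The base64 blob is a harmless constructed string so the decoding step has something to show.
_BLOB = base64.b64encode(b"print('hello from the decoded blob')").decode()
SAMPLE_SCRIPT = (
    "import os, sys, base64\n"
    "print('installing...')\n"
    f'payload = "{_BLOB}"\n'
    "exec(base64.b64decode(payload))\n"
    "os.system('echo done')\n"
)

# Calls that deserve a close look in any script that will run with elevated privileges.
RISKY_CALLS = ("exec(", "eval(", "compile(", "b64decode(", "os.system(", "subprocess")
# Quoted literals that look like base64: 24 or more base64 characters plus optional padding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{24,}={0,2})["\']')

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def digest_matches(text, expected_hex):
    """Compare with a digest obtained out-of-band; a checksum on the same unauthenticated page proves nothing."""
    return hmac.compare_digest(sha256_hex(text), expected_hex.strip().lower())

def review(text):
    """Return (line_number, note) pairs for a human to read before the script is run."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for call in RISKY_CALLS:
            if call in line:
                findings.append((number, "calls " + call.rstrip("(")))
        for blob in B64_LITERAL.findall(line):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            findings.append((number, "base64 literal decodes to: " + decoded))
    return findings

def needs_human_review(text, expected_hex):
    """True when the digest does not match or the script contains anything worth reading first."""
    return not digest_matches(text, expected_hex) or bool(review(text))
```

Running `review(SAMPLE_SCRIPT)` lists the exec and os.system calls and shows what the base64 literal decodes to; a clean script with a matching digest makes `needs_human_review` return False.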