TacticalCoder 15 hours ago

Suggesting bash/curl'ing to get a 12-line JSON file is just... Not great. We've seen a shitload of developer accounts getting compromised (with all the supply chain attacks) and developer accounts turning evil.

Also there's absolutely zero need to be sudo to put a JSON config file for Firefox on Linux.

You're basically bash/curl'ing the kitchen sink, with all the security risks that entails, executing a shell script as root (which may or may not be malicious now or at some point in the future), just to...

Put a 12-line JSON file in a user's Firefox config folder.

Way to go my "fremen" brothers [1].

[1] the "fremen" in Dune as those who adore the Shai-Hulud

WorldMaker 13 hours ago | parent | next [-]

I feel this way even more about this approach to PowerShell scripts. At the very least you could code sign [1] your script. Most PowerShell devs run with the execution policy RemoteSigned for multiple reasons. Instead of pulling your script down from the web and dangerously converting it to a string to call (with &) you can download it as a real file and Invoke-Command (icm) it. Dangerous eval versus correctly running a script.

Sure, Authenticode signing certificates aren't always cheap, and signing your script doesn't protect the script from compromise without other good security practices, but it would still show some attention to detail on PowerShell and some attempt to avoid malware compromising your script.

[1] https://learn.microsoft.com/en-us/powershell/module/microsof...

WorldMaker 11 hours ago | parent [-]

There's even talk in the PowerShell world about Invoke-Command directly accepting HTTPS URLs to scripts, but in addition to some security questions, it is caught in a catch-22 that not enough of these scripts are Signed so there's not enough demand for it, but if more tools like this were doing code signing there's a world where the code golfed instructions are just `icm https://yourdomain.com/some/script.ps1`, and it is more secure than these examples with (`&` or `iex`) and `iwr`.

corbindavenport 14 hours ago | parent | prev [-]

Administrator access or sudo is required because the configuration paths (C:\Program Files\Mozilla Firefox on Windows, /etc/firefox/policies/ on Linux) are protected. The browser guides explain the manual install and uninstall process for anyone who doesn't trust the script.

6031769 13 hours ago | parent [-]

I have Firefox installed on Linux. There is no /etc/firefox/policies/ dir, nor indeed even an /etc/firefox/ dir. Therefore, no need for sudo.

corbindavenport 12 hours ago | parent [-]

The /etc directory and everything under it is protected.

6031769 12 hours ago | parent [-]

Of course it is. But there's no point trying to put policies into a directory in a tree which doesn't exist and by extension which Firefox won't be reading.

In Linux (and in any sane system) there is no need for elevated privileges just to alter your browser settings.

listeria 10 hours ago | parent [-]

Firefox will read it if it exists[1]. You could use the /usr/lib/firefox/distribution directory (or whatever the installation directory may be), but that may be overwritten by an update.

There doesn't seem to be any way to set per-user group policies, so unless you're installing Firefox in a user-controlled directory, it will require elevated privileges.

[1]: https://support.mozilla.org/en-US/kb/customizing-firefox-usi...
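An added example, not part of the thread and not the project's installer: the alternative to piping a remote script into a root shell that the comments argue for, where the JSON file is downloaded as a file, checked against a pinned SHA-256, and only the final copy into the policy directory needs privilege. The function names and the sample policy are constructed for illustration; it assumes GNU coreutils (`sha256sum`, `install`) and a digest obtained from a source you trust.

```shell
#!/bin/sh
# Added example: verify-then-install instead of `curl | sudo bash`.

# Constructed sample policy file. DisableTelemetry is a real Firefox policy
# name; the project's actual file is not shown in the thread.
sample_policy() {
  printf '%s\n' '{' '  "policies": {' '    "DisableTelemetry": true' '  }' '}'
}

# verify_digest FILE PINNED_SHA256
# Succeeds only when FILE hashes to the pinned value.
verify_digest() {
  actual=$(sha256sum -- "$1" | cut -d' ' -f1)
  [ -n "$actual" ] && [ "$actual" = "$2" ] && return 0
  echo "digest mismatch for $1: got $actual" >&2
  return 1
}

# install_policy FILE PINNED_SHA256 DEST_DIR
# Copies FILE to a private staging file first, so the bytes that were verified
# are exactly the bytes that get installed (no window for the download to be
# swapped between check and copy). On a real system DEST_DIR would be
# /etc/firefox/policies and this one call is the only thing run under sudo.
install_policy() {
  src=$1 pin=$2 dest_dir=$3
  staged=$(mktemp) || return 1
  rc=1
  if cp -- "$src" "$staged" && verify_digest "$staged" "$pin"; then
    mkdir -p -- "$dest_dir" &&
      install -m 0644 -- "$staged" "$dest_dir/policies.json" && rc=0
  fi
  rm -f -- "$staged"
  return "$rc"
}
```

Nothing fetched from the network is ever executed here, so a later compromise of the publishing account can at worst change a JSON file that then fails the digest check.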