this post was submitted on 02 Jun 2024
Linux
Nice thank you!
Yes the installer is kinda suboptimal, but the alternative is:
So curl to bash is better and not dangerous as the script doesn't do dangerous things.
I think some script to do this better would be good. Maybe "curl to tempdir, then pipe that to bash"?
And yes the multiple seds, didn't know that (I find the sed syntax completely confusing).
What would happen if people comment out a single line?
If that works, this is likely a huge performance improvement.
The script needs to download the official user.js and yes there is the trust that this project never ships malicious content. That is the case with such a script.
The empty lines are to keep it sorted. I think it is a good way.
The commented out lines are for stuff that is experimental. I may remove them, but they likely work.
But moving to a different file is probably right.
Curling into a temporary directory and then piping into Bash is effectively the same as the current way. Why not provide a clear instruction for installation and maybe even a separate installation script? Why does the setup script download the hardening script from the web, if it's included in the repository anyway?
Here is how I would imagine the install instructions could look like. Git clone command will download all files from the current repo, including the hardening-overwrite script. With `bash scriptname` the user does not require to use chmod. I would remove the curl from the setup script. Also there is a dedicated install command in Linux. Inside setup.sh you could use:
And the installation instructions in the Readme could look like this:
If people are capable of copying the curl command, then they are capable of copying a few more lines like above.
Ah, I didn't think about the commenting out stuff. This breaks it. If that is something you want to allow, then this technique wouldn't work. There is a way to run sed only once, by building a command variable as a Bash array. I am using this technique in my scripts nowadays, but it might look strange for people who don't know about it. Commenting out lines is possible with arrays. Not sure if you would want to do that. In case you want to look at how this looks:
This might look intimidating and I can understand if you pass on this one. But I just wanted to bring this to your attention. You might want to experiment before committing to it.
Interesting, learning new things!
I did the "git clone and use only one file" stuff a lot and it sucks having all these files in the homedir.
I now use a subdir called "Git", and I would recommend that too. Or I would remove the other files, that are not needed.
The setup script can execute a lot of things, you should read it anyways. So yeah it may be a benefit to be sure that it is one git clone and then everything is local.
I was just annoyed about all the unneeded git repos in my home dir, so I started never using the actual git stuff, and always using wget or curl.
Damn this is really good. I will use that and make quite a few scripts like 99% faster XD
Thanks!
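On the installer question discussed above (curl into a temporary directory versus piping into Bash): saving the script to a file only helps if something checks it before it runs. The following is an added example, not code from the thread or the project; the URL and digest are hypothetical placeholders and the function names are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: run a downloaded script only if it matches a pinned SHA-256.

# Hypothetical placeholders: the real URL and digest are not given in the thread.
SETUP_URL='https://example.invalid/setup.sh'
SETUP_SHA256='<sha256 published with the release>'

fetch_setup() {   # $1 = URL, $2 = output file; HTTPS only, fail on HTTP errors
    curl --fail --silent --show-error --location --proto '=https' \
         --output "$2" "$1"
}

verify_then_run() {   # $1 = script path, $2 = expected SHA-256 (hex)
    local script=$1 expected=$2 actual
    actual=$(sha256sum -- "$script" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $script: refusing to run" >&2
        return 2
    fi
    bash -- "$script"
}

install_from_web() {
    local tmp rc
    tmp=$(mktemp -d) || return 1
    fetch_setup "$SETUP_URL" "$tmp/setup.sh" &&
        verify_then_run "$tmp/setup.sh" "$SETUP_SHA256"
    rc=$?
    rm -rf -- "$tmp"   # the temporary copy is removed either way
    return "$rc"
}
```

The pinned digest has to reach the user through a channel other than the download itself (for example the README in a cloned repository), otherwise it verifies nothing.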
Git clone is useful if you want to actually keep the source code you downloaded originally. Also I assume people who use this command to get a program, would remove that directory manually after job is done (if they don't want to keep it). And I am always very careful with rm commands, therefore I do not include them most of the time. It's not like people would not know how to deal with temporary files they download, just like downloading an archive, unpacking it and removing the archive file as an analogy.
At least this is my way of doing so. I think this transparency is good for the end user, better than "hiding" it behind a curl into bash in my opinion (opinions vary I have noticed in the forums). You could put `cd Downloads` right before/above `git clone` command, to remind them it's meant to be temporary. But I guess this does not align with the values and philosophy you follow, because you want to have it as simple and distraction free as possible for your user. That's why the curl into bash in the first place. It's just a priority thing what you value more.
Found a new issue, fail-safeness.
This is a set of changes that may not be needed anymore, if things change.
I tried it with a file, and if one of these commands fails, the whole command seems to fail.
So if a single setting is removed, this means the whole script would fail.
I see. Indeed if this is the way you want to proceed, having individual commands is more appropriate. But the thing is, if something fails, then isn't it better to fail the entire script, instead of proceeding silently without the fail being noticed? It depends, in some cases this can be the desired behavior.
Hm, kinda bad.
I could just add a GUI error message and get tons of bug reports, needing a fix.
Hey, I'm not trying to convince you, just wanted to mention something more to think about. Sometimes fail-safeness is truly the better way. But is it in this case too? I mean if the script fails at once with a single sed command, then it means the file is not manipulated. If you have a bunch of sed commands and one or two fail, then you have maybe 90% success commands and a few that did not work. That means the script edited the file in a state that was not intended to be. However, if it is a single command and fails all at once, at least the file is preserved as it is.
I don't know enough about this project to know what's important and appropriate in your case. I mean if it's okay that commands "fail", then keep it this way.
In this specific case it is not how this works.
It modifies lines searching for unique strings. If the string is not found, then it was maybe removed.
(The user.js handles removals normally by commenting things out, so I might actually use a single command).
If something was not found then it doesn't need to be changed, everything fine.
The result is a user.js from a good template, with all the settings applied that I knew. Maybe something new was added and that is unchanged.
The alternative would be not updating the config at all, which means no response to Mozilla adding weird stuff to it.
Firefox is a more moving target here.
I will implement a persistent GUI error message if something failed.
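The two points argued in this thread, a single sed run built from a Bash array (with lines that can be commented out) and whether a failure should leave the file untouched, can be combined. This is an added example, not code posted by either participant or taken from the project; the pref names, the sample file and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example; pref names and sample file contents are constructed.

apply_overrides() {   # $1 = file to edit, further args = extra sed expressions
    local target=$1 tmp extra
    shift
    # One array element per sed argument. A commented-out line drops that edit
    # without breaking the command.
    local sed_cmd=(
        sed
        -e 's|^user_pref("example.one", true);|user_pref("example.one", false);|'
        # -e 's|^user_pref("example.experimental", 0);|user_pref("example.experimental", 1);|'
        -e 's|^user_pref("example.removed", 2);|user_pref("example.removed", 3);|'
    )
    # Optional extra expressions from the caller (lets a test force an error).
    for extra in "$@"; do sed_cmd+=(-e "$extra"); done

    # Edit into a temp file next to the target and swap it in only when sed
    # exits 0, so an error never leaves a half-edited user.js behind.
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if "${sed_cmd[@]}" -- "$target" > "$tmp"; then
        mv -- "$tmp" "$target"
    else
        rm -f -- "$tmp"
        return 1
    fi
}

make_sample() {   # constructed user.js; "example.removed" is absent on purpose
    printf '%s\n' 'user_pref("example.one", true);' \
                  'user_pref("example.kept", 5);' > "$1"
}
```

A substitution whose pattern is not found is not an error for sed: it exits 0 and the other edits still apply, while a malformed expression makes the whole run fail and the original file stays as it was. Note that `mktemp` creates the file with mode 0600, so the replaced file takes that mode.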