Insecure usage of osmedeus by root #285

Open
D3vil0p3r opened this issue Sep 6, 2024 · 1 comment
Comments


D3vil0p3r commented Sep 6, 2024

When you run osmedeus by building it from source, at first run it produces:

```
bash <(curl -fsSL https://raw.githubusercontent.com/osmedeus/osmedeus-base/master/install.sh)
[+] Please be aware that this installation is only compatible with Linux (amd64) and MacOS Intel chip systems
[+] You're running the script as athena . It is recommended to run as root user by running sudo su first and then run the script
[+] If you're already have essential tools installed, you can continue the installation as normal
[+] Press any key to continue ...
```

That recommendation about the usage of the root user must be discouraged for security reasons. There are tons of web resources that discourage the usage of the root account, and in this case it is particularly important because, when the user runs the bash script as root, the folder created by it will be stored in the root home folder instead of the default standard user home directory.

Then, what you should do is to detect the kind of OS (if Arch-based, if Debian-based, if MacOS, or just allow user to install dependencies manually) and use the package manager to install the dependencies according to the pkg manager.

In install.sh I see you use `PACKGE_MANAGER="apt-get"`, which works only for Debian-based distros. You should use an array and define more package managers to cover more distros (e.g., you can just use `if command -v apt` to check if the distro is using apt as package manager, or `if command -v pacman` to check if the distro is Arch-based, and so on).

Furthermore, the usage of `cp bin/massdns /usr/local/bin/ 2>&1 >/dev/null` in install.sh is useless because massdns will be put correctly in the osmedeus binary directory, as it should be, in the next line.

If you need further suggestions or proposals, please let me know.
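An added example of the approach the report sketches (detect the package manager with `command -v` instead of hard-coding apt-get, and escalate only for the one step that needs root so the tool folder lands in the invoking user's home). This is illustration code, not osmedeus's install.sh and not the reporter's code; the folder name `osmedeus-base`, the dependency list `git curl`, and the use of `getent` to resolve the sudo caller's home (Linux only) are assumptions.

```shell
#!/bin/sh
# Added example, not the project's install.sh: detect the package manager
# with `command -v` instead of hard-coding apt-get, and resolve the install
# directory so that a `sudo`-started run still lands in the invoking user's
# home rather than /root. The folder name "osmedeus-base" and the dependency
# list (git, curl) are assumptions for illustration.
set -eu

# Echo the first supported package manager found on PATH, or "unknown" so the
# caller can fall back to asking the user to install dependencies manually.
detect_pkg_manager() {
  for m in apt-get dnf yum pacman zypper apk brew; do
    if command -v "$m" >/dev/null 2>&1; then
      echo "$m"
      return 0
    fi
  done
  echo "unknown"
}

# Map a manager name to its non-interactive install command. Fails (status 1)
# for an unsupported manager so callers cannot accidentally run an empty command.
install_cmd_for() {
  case "$1" in
    apt-get) echo "apt-get install -y" ;;
    dnf)     echo "dnf install -y" ;;
    yum)     echo "yum install -y" ;;
    pacman)  echo "pacman -S --noconfirm --needed" ;;
    zypper)  echo "zypper install -y" ;;
    apk)     echo "apk add" ;;
    brew)    echo "brew install" ;;
    *)       return 1 ;;
  esac
}

# Home directory that tool files should go into. When the script was started
# via sudo, SUDO_USER names the real user; use that account's home so the
# osmedeus folder is not created under /root.
target_home() {
  if [ "$(id -u)" -eq 0 ] && [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != root ]; then
    getent passwd "$SUDO_USER" | cut -d: -f6   # getent: Linux; assumed here
  else
    echo "${HOME:?HOME is not set}"
  fi
}

# Run a command as root only for the step that needs it (package installation);
# everything else runs as the normal user.
as_root() {
  if [ "$(id -u)" -eq 0 ]; then "$@"; else sudo "$@"; fi
}

# Build the privileged install command without executing it, so the plan can
# be shown (and checked) before anything touches the system.
plan_install() {
  mgr=$(detect_pkg_manager)
  cmd=$(install_cmd_for "$mgr") || return 1
  echo "$cmd $*"
}

# Dry run by default; pass --run to actually install and create the folder.
main() {
  home=$(target_home)
  echo "[+] install directory: $home/osmedeus-base"
  if plan=$(plan_install git curl); then
    echo "[+] dependency step:   $plan"
  else
    echo "[!] no supported package manager on PATH; install dependencies manually" >&2
    return 0
  fi
  if [ "${1:-}" = "--run" ]; then
    # shellcheck disable=SC2086  # word-splitting of $plan is intended here
    as_root $plan
    mkdir -p "$home/osmedeus-base/bin"     # user-owned; no root needed
    if [ -n "${SUDO_USER:-}" ]; then        # undo root ownership if started via sudo
      chown "$SUDO_USER" "$home/osmedeus-base" "$home/osmedeus-base/bin"
    fi
  else
    echo "[+] dry run; pass --run to execute"
  fi
}

main "$@"
```

Run it as the normal user: only the package-manager step goes through `sudo`, and `target_home` still returns the right directory if someone starts it with `sudo sh install.sh` anyway. The "unknown" fallback keeps the script from executing an empty command on a distro with none of the listed managers.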

j3ssie (Owner) commented Sep 16, 2024

Thanks for the suggestion @D3vil0p3r. I confirmed that this shouldn't happen. I just happened to test most of the setup in Docker or on a VPS, so I always run as root.

I will make the change in the next release, which is probably next week.
