this post was submitted on 13 Jul 2024
156 points (90.6% liked)

Open Source

31111 readers
291 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 3 months ago (1 children)

A deb is just a zip file that gets unpacked to where your binaries go. A shell script you curl pipe into shell could contain literally any instructions

[–] [email protected] 2 points 3 months ago* (last edited 3 months ago) (1 children)

Binary packages have scripts (IIRC for .deb they are preinst/postinst to be run before/after installation and prerm/postrm before/after removal) that are run as root.

BTW the "unzip" part is also run as root, and a binary package can typically place stuff anywhere in your system (that's their job after all)... even if you used literal zip files they could still install a script in ways that would cause the OS to execute it.

[–] [email protected] 1 points 3 months ago

Yeah I'm over simplifying on purpose here. The bottom line is piping into sh is dangerous