alt Hacker NewsSuggesting bash/curl'ing to get a 12 lines JSON file is just... Not great. We've seen a shitload of developers account getting compromised (with all the supply chain attacks) and developers account turning evil.
Also there's absolutely zero need to be sudo to put a JSON config file for Firefox on Linux.
You're basically bash/curl'ing the kitchen sink, with all the security risks that entails, executing a shell script as root (which may or may not be malicious now or at some point in the future), just to...
Put a 12 lines JSON file in a user's Firefox config folder.
Way to go my "fremen" brothers [1].
[1] the "fremen" in Dune as those who adore the Shai-Hulud
Replies
Administrator access or sudo is required because the configuration paths (C:\Program Files\Mozilla Firefox on Windows, /etc/firefox/policies/ on Linux) are protected. The browser guides explain the manual install and uninstall process for anyone who doesn't trust the script.
I feel this way even more about this approach to PowerShell scripts. At the very least you could code sign [1] your script. Most PowerShell devs run with the execution policy RemoteSigned for multiple reasons. Instead of pulling your script down from the web and dangerously converting it to a string to call (with &) you can download it as a real file and Invoke-Command (icm) it. Dangerous eval versus correctly running a script.
Sure, Authenticode signing certificates aren't always cheap, and signing your script doesn't protect the script from compromise without other good security practices, but it would still show some attention to detail on PowerShell and some attempt to avoid malware compromising your script.
[1] https://learn.microsoft.com/en-us/powershell/module/microsof...