007revad / Synology_enable_M2_volume

Enable creating volumes with non-Synology M.2 drives
MIT License

offline version of the script #129

Closed ageev closed 11 months ago

ageev commented 11 months ago

Hi,

I don't like the idea that your script downloads and executes a .sh file with root privileges on my NAS every time it shuts down.

If one day this repo will be compromised – thousands of devices may be destroyed.

Is it possible to create an "offline" version of this script?

Regards, Artyom

007revad commented 11 months ago

Thanks for your concern and feedback Artyom.

The script only downloads a new version of the script if both the following are true:

If you don't run it with the --autoupdate option it only asks if you want to download the new version. If you don't answer yes within 10 seconds the script skips downloading the newer version and runs as normal.

Synology_enable_M2_volume only needs to be run after a DSM update.

The few instances of GitHub hacking that I'm aware of are where hackers:

  1. Used repositories' old usernames after the maintainers had changed their username.
  2. Cloned repositories and changed the name to a different name that looked similar.

To avoid scenario 1 I will never change my GitHub username.

Scenario 2 can't affect the script updating itself because it uses the real repository name to download any updates.

Of course there could be some new hack in future, so your concern is valid if the --autoupdate option is used.

ageev commented 11 months ago

Thank you for the detailed answer

This part of the script tries to download the binary even without the autoupdate option, if I read it correctly:

```bash
if ! which bc >/dev/null ; then
    # Download bc
    echo -e "\nDownloading bc"
    curl -kL "https://raw.githubusercontent.com/${repo}/main/bin/bc" -o /tmp/bc
fi
```

Can you please make sure that any binary download event will happen only if user directly requested it (for example, via an argument)?

There is also a 3rd hacking option missing: your account was hacked and used to spread the malware.

007revad commented 11 months ago

I just created a pre-release version v1.1.11-RC that:

If you want to compare the changes see: https://github.com/007revad/Synology_enable_M2_volume/commit/03bdf0b2d142cfb2cf252840ab59f0bf6430d1f3

007revad commented 11 months ago

> There is also a 3rd hacking option missing: your account was hacked and used to spread the malware.

I previously googled for "github repository hacked". Searching just now for "github account hacked" found lots of results! Looks like I've got some reading to do.

I use 2-factor authentication on my GitHub account and I am the only person with access, and the authority to approve pull requests. My access token is limited to downloading only, so if someone got into my computer and found the access token they couldn't push any updates to my repos.

ageev commented 11 months ago

Thank you for the prompt response on this issue. The changes you did cover the issue described.

A lot of companies (for example, Dropbox) were hacked due to Github-themed phishing recently. I may advise you to use Yubikey (or similar) FIDO token as a 2nd auth factor. Way more reliable than OTP/SMS. Google's phishing test is a good starting point to test yourself.

007revad commented 11 months ago

@ageev I've just released v1.1.13 which includes checking the md5 hash of the downloaded file.
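The control discussed in this thread (download a helper binary only on request and refuse to keep it unless its hash matches a value pinned in the script), as an added example that is not the project's own code. The URL, destination and expected hash are placeholders; the real values would be hard-coded in the released script.

```bash
#!/bin/sh
# Added example, not the project's script: verify a downloaded file against a
# pinned md5 before it is ever executed, so a tampered file in the repository
# is discarded instead of being run as root on the NAS.

# Print the md5 of a file (GNU/busybox md5sum, with a BSD md5 fallback).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 if the file's md5 equals the expected hash, 1 otherwise.
verify_md5() {
    actual=$(file_md5 "$1") || return 1
    [ "$actual" = "$2" ]
}

# Download to dest, keep it only if the hash matches, otherwise delete it.
# Called only when the user opted in (e.g. a --download flag), never by default.
# The -k (skip TLS verification) flag is deliberately not used here.
fetch_verified() {
    url=$1; dest=$2; expected=$3
    curl -L "$url" -o "$dest" || return 1
    if verify_md5 "$dest" "$expected"; then
        chmod +x "$dest"
        return 0
    fi
    echo "md5 mismatch for $dest, discarding it" >&2
    rm -f "$dest"
    return 1
}

# Placeholder usage (values are not real):
# fetch_verified "https://example.invalid/bin/bc" /tmp/bc "<EXPECTED_MD5>"
```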