007revad / Synology_enable_M2_volume

Enable creating volumes with non-Synology M.2 drives
MIT License

please disable autoupdate per default #134

Closed capullo closed 9 months ago

capullo commented 10 months ago

Your bash script is well written, good work!!

The only thing I don't like right now is that autoupdate is enabled by default, which is a pure backdoor to any NAS where this feature is enabled. I know for sure you don't have any bad intentions, but consider that your GitHub account gets hacked or an access token gets stolen. You can put a disclaimer behind the autoupdate feature to inform users what this means if they enable this feature.

Maybe you just put the signature (hexstring) in its own config and autoupdate just updates this config. OK, you will then be able to DoS any NAS user using this feature with a corrupt libhwcontrol.so.1, but injecting code into libhwcontrol.so.1 should be very hard :)

007revad commented 10 months ago

Auto update is an option. If the script is not run with --autoupdate=# it will ask the user if they want to update. If they don't answer the [y/n] prompt it times out after 30 seconds and the script continues without updating itself.

I actually hardened the script against GitHub account hacking just 2 days ago in response to issue #129.

https://github.com/007revad/Synology_enable_M2_volume/releases/tag/v1.1.13

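The prompt-with-timeout behaviour described in this comment, combined with an integrity check before a self-update is installed, as an added example that is not code from Synology_enable_M2_volume and does not show what v1.1.13 changed. The function names and the idea of a SHA-256 digest obtained separately from the download are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helpers, not the project's code).
# A self-update is installed only if (1) the user explicitly answers "y"
# before the prompt times out and (2) the downloaded file matches a
# SHA-256 digest that was obtained separately from the download itself.

# confirm_update [timeout_seconds]
# Returns 0 only on an explicit y/Y. Timeout, EOF or anything else returns 1.
confirm_update() {
    local timeout="${1:-30}" reply=""
    printf 'Update to the new version? [y/n] ' >&2
    if ! read -r -t "$timeout" reply; then
        printf '\nNo answer, continuing without updating.\n' >&2
        return 1
    fi
    [[ "$reply" == [yY] ]]
}

# verify_digest <file> <expected_sha256_hex>
# Returns 0 on match, 1 on mismatch or unreadable file, 2 on a malformed digest.
verify_digest() {
    local file="$1" expected actual
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    [[ "$expected" =~ ^[0-9a-f]{64}$ ]] || return 2
    actual="$(sha256sum -- "$file" 2>/dev/null | cut -d' ' -f1)"
    [[ -n "$actual" && "$actual" == "$expected" ]]
}

# apply_update <downloaded_file> <expected_sha256_hex> <install_path> [timeout]
# Returns 0 if installed, 1 if not confirmed, 3 if the digest check failed.
apply_update() {
    local new="$1" expected="$2" target="$3" timeout="${4:-30}"
    confirm_update "$timeout" || return 1
    if ! verify_digest "$new" "$expected"; then
        printf 'Digest check failed for %s, update rejected.\n' "$new" >&2
        return 3
    fi
    # Write a temp copy and rename it so the target is never half-written.
    cp -- "$new" "$target.tmp" && chmod 0755 "$target.tmp" &&
        mv -- "$target.tmp" "$target"
}
```

The digest check only helps if the expected value comes from a channel that would not change together with the download.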

007revad commented 10 months ago

Your xargs code replaced 160 lines of code with 2 lines. Nice.